Reference documentation for the Open Cybersecurity Schema Framework (OCSF). Provides hierarchical navigation of event classes, objects, attributes, and profiles across OCSF versions.
Features
Section titled “Features”- 🗂️ Schema Navigation: Hierarchical reference to event classes, objects, and profiles across OCSF versions
- 📚 Core Concepts: Learn attributes, objects, classes, profiles, and extensions
- 📖 Versioned References: Auto-generated documentation for each OCSF release
- 🤖 Guide Subagent: Fast answers to OCSF schema questions
Installation
Section titled “Installation”Use the plugin manager UI in Claude Code.
- Run
/pluginin Claude Code Enter - Go to Marketplaces Tab
- Select + Add Marketplace Enter
- Type
tenzir/claude-pluginsEnter - Install ocsf from the plugin list
Run the CLI command with your preferred scope.
# Install to user scope (default)claude plugin install ocsf@tenzir
# Install to project scope (shared with team)claude plugin install ocsf@tenzir --scope project
# Install to local scope (gitignored)claude plugin install ocsf@tenzir --scope localAdd the marketplace and plugin to your settings file.
{ "extraKnownMarketplaces": { "tenzir": { "source": { "source": "github", "repo": "tenzir/claude-plugins" } } }, "enabledPlugins": { "ocsf@tenzir": true }}Capabilities
Section titled “Capabilities”| Type | Name | Description |
|---|---|---|
| Skill | understanding-ocsf | Understand the OCSF schema. Use when working with OCSF, looking up |
| Agent | ocsf:guide | Answer questions about the OCSF (Open Cyber Security Schema Framework). Use when the user asks about OCSF classes, objects, attributes, profiles, or event normalization. |
ocsf:guide subagent
Section titled “ocsf:guide subagent”Delegate OCSF questions to the guide for fast, accurate answers:
@ocsf:guide What class should I use for SSH login events?
@ocsf:guide What's the difference between actor and user objects?
@ocsf:guide Which profile adds container context to events?