Build TQL pipelines and OCSF mappings with expert guidance. Provides workflow skills for creating parser packages and OCSF mappings, plus subagents for documentation lookup and OCSF schema navigation.
Features
Section titled “Features”- Documentation Access: Complete Tenzir documentation available as a skill, auto-synced from the latest release
- Parser Creation: Guided workflow for building parsing pipelines from raw log data with iterative testing
- OCSF Mapping: Transform parsed events into OCSF-compliant format with validation
- Documentation Guide: Fast answers to Tenzir questions via the
tenzir:guidesubagent - OCSF Schema Navigation: Fast answers to OCSF schema questions via the
tenzir:ocsfsubagent
Installation
Section titled “Installation”Use the plugin manager UI in Claude Code.
- Run
/pluginin Claude Code Enter - Go to Marketplaces Tab
- Select + Add Marketplace Enter
- Type
tenzir/claude-pluginsEnter - Install tenzir from the plugin list
Add the marketplace (once), then install the plugin with your preferred scope.
# Add the Tenzir marketplace (only needed once)claude plugin marketplace add tenzir/claude-plugins
# Install to user scope (default)claude plugin install tenzir@tenzir
# Install to project scope (shared with team)claude plugin install tenzir@tenzir --scope project
# Install to local scope (gitignored)claude plugin install tenzir@tenzir --scope localAdd the marketplace and plugin to your settings file.
{ "extraKnownMarketplaces": { "tenzir": { "source": { "source": "github", "repo": "tenzir/claude-plugins" } } }, "enabledPlugins": { "tenzir@tenzir": true }}Capabilities
Section titled “Capabilities”| Type | Name | Description |
|---|---|---|
| Skill | orchestrating-workflows | Orchestrate Tenzir workflows. Use when executing Tenzir workflows. |
| Agent | tenzir:guide | Answer questions about Tenzir. Use when the user asks about TQL pipelines, operators, functions, node configuration, platform setup, or integrations. |
| Agent | tenzir:ocsf | Answer questions about the OCSF (Open Cyber Security Schema Framework). Use when the user asks about OCSF classes, objects, attributes, profiles, or event normalization. |
| Agent | tenzir:workflow-executor | Execute Tenzir workflow steps. Use when running a specific phase of a Tenzir workflow. |
| Hook | SessionStart | Triggers on * |
| Hook | PreToolUse | Triggers on Skill |
tenzir:docs skill
Section titled “tenzir:docs skill”Provides the complete Tenzir documentation as context. The documentation is automatically downloaded from the latest GitHub release and cached locally. Syncs every 24 hours to stay current.
The skill covers deployment, configuration, TQL (Tenzir Query Language), operators, functions, formats, connectors, integrations, and the Tenzir Platform.