Tenzir

Build TQL pipelines and OCSF mappings with expert guidance. Provides workflow skills for creating parser packages and OCSF mappings, plus an OCSF subagent for schema navigation.

Features

• Documentation Access: Complete Tenzir documentation available as a skill, auto-synced from the latest release
• Parser Creation: Guided workflow for building parsing pipelines from raw log data with iterative testing
• OCSF Mapping: Transform parsed events into OCSF-compliant format with validation
• OCSF Schema Navigation: Fast answers to OCSF schema questions via the tenzir:ocsf subagent

Installation

Interactive

Use the plugin manager UI in Claude Code.

1. Run /plugin in Claude Code Enter
2. Go to Marketplaces Tab
3. Select + Add Marketplace Enter
4. Type tenzir/claude-plugins Enter
5. Install tenzir from the plugin list

Shell

Add the marketplace (once), then install the plugin with your preferred scope.

# Add the Tenzir marketplace (only needed once)
claude plugin marketplace add tenzir/claude-plugins

# Install to user scope (default)
claude plugin install tenzir@tenzir

# Install to project scope (shared with team)
claude plugin install tenzir@tenzir --scope project

# Install to local scope (gitignored)
claude plugin install tenzir@tenzir --scope local

Settings

Add the marketplace and plugin to your settings file.

.claude/settings.json

{
  "extraKnownMarketplaces": {
    "tenzir": {
      "source": {
        "source": "github",
        "repo": "tenzir/claude-plugins"
      }
    }
  },
  "enabledPlugins": {
    "tenzir@tenzir": true
  }
}

Capabilities

Type	Name	Description
Skill	managing-packages	Create and manage TQL parsing pipeline packages. Use when creating parser packages, setting up package structure, or iterating on parsing logic.
Skill	mapping-to-ocsf	Add OCSF mapping to a TQL parsing pipeline. Use when normalizing events to OCSF, creating OCSF operators, or validating OCSF compliance.
Agent	tenzir:ocsf	Answer questions about the OCSF (Open Cyber Security Schema Framework). Use when the user asks about OCSF classes, objects, attributes, profiles, or event normalization.
Hook	SessionStart	Triggers on *
Hook	PreToolUse	Triggers on Skill

Usage

tenzir:docs skill

Provides the complete Tenzir documentation as context. The documentation is automatically downloaded from the latest GitHub release and cached locally. Syncs every 24 hours to stay current.

The skill covers deployment, configuration, TQL (Tenzir Query Language), operators, functions, formats, connectors, integrations, and the Tenzir Platform.

Changelog

View the release history and recent changes.

View on GitHub

Browse the plugin source code and documentation.