This reference provides comprehensive documentation for the Open Cybersecurity Schema Framework (OCSF), an open standard for normalizing security telemetry across tools and vendors.
Resources
Versions
We publish all OCSF schema versions with full cross-references between classes, objects, profiles, extensions, and types.
| Version | Classes | Objects | Profiles | Extensions | Types |
|---|---|---|---|---|---|
| v1.8.0-dev | 83 | 172 | 13 | 2 | 24 |
| v1.7.0 | 83 | 170 | 12 | 2 | 24 |
| v1.6.0 | 82 | 167 | 12 | 2 | 24 |
| v1.5.0 | 81 | 161 | 12 | 2 | 24 |
| v1.4.0 | 79 | 142 | 12 | 2 | 22 |
| v1.3.0 | 72 | 121 | 10 | 2 | 22 |
| v1.2.0 | 65 | 111 | 9 | 2 | 22 |
| v1.1.0 | 50 | 106 | 8 | 2 | 22 |
| v1.0.0 | 36 | 84 | 6 | 2 | 22 |
Using OCSF with Tenzir
Tenzir provides native support for OCSF through the ocsf.* operators: ocsf.apply, ocsf.cast, ocsf.derive, and ocsf.trim. You can normalize events to OCSF, validate schema compliance, and work with OCSF-formatted data throughout your pipelines.
See the OCSF mapping workflow for guidance on creating custom mappings for your data sources.