OCSF

This reference provides comprehensive documentation for the Open Cybersecurity Schema Framework (OCSF), an open standard for normalizing security telemetry across tools and vendors.

Resources

Introduction

Comprehensive guide to OCSF concepts

Schema

Classes, objects, profiles, and extensions

FAQs

Common questions about OCSF

Articles

In-depth guides and best practices

Versions

We publish all OCSF schema versions with full cross-references between classes, objects, profiles, extensions, and types.

Version	Classes	Objects	Profiles	Extensions	Types
v1.7.0	76	166	11	0	23
v1.6.0	75	163	11	0	23
v1.5.0	74	157	11	0	23
v1.4.0	72	138	11	0	22
v1.3.0	65	117	9	0	22
v1.2.0	59	108	8	0	22
v1.1.0	44	103	7	0	22
v1.0.0	33	81	5	0	22

Note

This documentation is auto-generated from the official OCSF schema and ocsf-docs repository. Download an AI-optimized snapshot at our GitHub release page.

Using OCSF with Tenzir

Tenzir provides native support for OCSF through the ocsf.* operators: ocsf.apply, ocsf.cast, ocsf.derive, and ocsf.trim. You can normalize events to OCSF, validate schema compliance, and work with OCSF-formatted data throughout your pipelines.

Use Tenzir’s Claude plugins for guided OCSF mapping workflows.