This page provides real-world examples of security events formatted according to the OCSF schema.
{
"class_uid": 3002,
"class_name": "Authentication",
"category_uid": 3,
"category_name": "Identity & Access Management",
"severity_id": 1,
"severity": "Informational",
"activity_id": 1,
"activity_name": "Logon",
"metadata": {
"version": "1.1.0",
"product": {
"name": "Active Directory",
"vendor_name": "Microsoft"
},
"log_name": "Security",
"log_provider": "Microsoft-Windows-Security-Auditing"
},
"time": 1700000000000,
"user": {
"name": "alice.smith",
"uid": "S-1-5-21-3623811015-3361044348-30300820-1013",
"domain": "CORPORATE",
"type": "User",
"type_id": 1
},
"device": {
"hostname": "WORKSTATION01",
"ip": "192.168.1.50",
"domain": "corp.local",
"os": {
"name": "Windows 11 Enterprise",
"type": "Windows",
"version": "22H2"
}
},
"auth_protocol": "Kerberos",
"logon_type": "Interactive",
"logon_type_id": 2,
"status_id": 1,
"status": "Success",
"message": "User alice.smith successfully logged on to WORKSTATION01"
}
{
"class_uid": 3002,
"class_name": "Authentication",
"category_uid": 3,
"category_name": "Identity & Access Management",
"severity_id": 3,
"severity": "Medium",
"activity_id": 1,
"activity_name": "Logon",
"metadata": {
"version": "1.1.0",
"product": {
"name": "SSH Server",
"vendor_name": "OpenSSH"
}
},
"time": 1700000120000,
"user": {
"name": "admin",
"type": "User",
"type_id": 1
},
"device": {
"hostname": "ssh-server-01",
"ip": "10.0.1.5"
},
"src_endpoint": {
"ip": "185.220.101.45",
"location": {
"country": "RU"
}
},
"auth_protocol": "SSH",
"status_id": 2,
"status": "Failure",
"status_detail": "Invalid credentials",
"message": "Failed SSH login attempt for user admin from 185.220.101.45"
}
{
"class_uid": 4002,
"class_name": "HTTP Activity",
"category_uid": 4,
"category_name": "Network Activity",
"severity_id": 1,
"severity": "Informational",
"metadata": {
"version": "1.1.0",
"product": {
"name": "Web Application Firewall",
"vendor_name": "Cloudflare"
}
},
"time": 1700000240000,
"http_request": {
"url": {
"url_string": "https://api.example.com/v1/users",
"scheme": "https",
"hostname": "api.example.com",
"path": "/v1/users"
},
"http_method": "GET",
"version": "HTTP/2",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
},
"http_response": {
"code": 200,
"message": "OK"
},
"src_endpoint": {
"ip": "203.0.113.42",
"port": 54321
},
"dst_endpoint": {
"ip": "192.0.2.10",
"port": 443
},
"traffic_bytes": 4567,
"status_id": 1,
"status": "Success"
}
{
"class_uid": 4003,
"class_name": "DNS Activity",
"category_uid": 4,
"category_name": "Network Activity",
"severity_id": 1,
"severity": "Informational",
"metadata": {
"version": "1.1.0",
"product": {
"name": "DNS Server",
"vendor_name": "BIND"
}
},
"time": 1700000360000,
"query": {
"hostname": "example.com",
"type": "A",
"class": "IN"
},
"answers": [
{
"rdata": "93.184.216.34",
"type": "A",
"ttl": 3600
}
],
"src_endpoint": {
"ip": "192.168.1.100",
"port": 53214
},
"dst_endpoint": {
"ip": "8.8.8.8",
"port": 53
},
"response_code": "NOERROR",
"status_id": 1,
"status": "Success"
}
{
"class_uid": 4010,
"class_name": "File System Activity",
"category_uid": 1,
"category_name": "System Activity",
"severity_id": 1,
"severity": "Informational",
"activity_id": 1,
"activity_name": "Create",
"metadata": {
"version": "1.1.0",
"product": {
"name": "EDR Agent",
"vendor_name": "CrowdStrike"
}
},
"time": 1700000480000,
"file": {
"name": "document.pdf",
"path": "C:\\Users\\bob.jones\\Documents\\document.pdf",
"type": "Regular File",
"type_id": 1,
"size": 524288,
"created_time": 1700000480000,
"modified_time": 1700000480000,
"hashes": [
{
"algorithm": "SHA-256",
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}
]
},
"actor": {
"process": {
"name": "WINWORD.EXE",
"pid": 8432,
"user": {
"name": "bob.jones"
}
},
"user": {
"name": "bob.jones",
"uid": "S-1-5-21-1234567890-1234567890-1234567890-1001"
}
},
"device": {
"hostname": "LAPTOP-BOB",
"os": {
"name": "Windows 11",
"type": "Windows"
}
},
"status_id": 1,
"status": "Success"
}
{
"class_uid": 2004,
"class_name": "Detection Finding",
"category_uid": 2,
"category_name": "Findings",
"severity_id": 5,
"severity": "Critical",
"metadata": {
"version": "1.1.0",
"product": {
"name": "Antivirus Engine",
"vendor_name": "Symantec"
}
},
"time": 1700000600000,
"finding_info": {
"title": "Malware Detected: Trojan.Generic.12345",
"desc": "Malicious file detected and quarantined",
"types": ["Malware"],
"uid": "FINDING-2024-001"
},
"malware": [
{
"name": "Trojan.Generic.12345",
"classification": "Trojan",
"path": "C:\\Temp\\malicious.exe"
}
],
"resources": [
{
"name": "malicious.exe",
"type": "File",
"data": {
"hash": {
"algorithm": "MD5",
"value": "5d41402abc4b2a76b9719d911017c592"
}
}
}
],
"device": {
"hostname": "DESKTOP-USER01",
"ip": "192.168.1.75"
},
"remediation": {
"desc": "File quarantined automatically",
"kb_articles": ["KB12345"]
},
"status_id": 1,
"status": "Success",
"message": "Trojan detected and quarantined on DESKTOP-USER01"
}
Visit the File Browser for more sample events and complete datasets.
Use these examples as templates for creating your own OCSF-formatted events. Remember to: validate each event against the OCSF schema for the version you declare in `metadata.version`; keep every numeric `*_id` field consistent with its string label and with the category it belongs to (the other examples on this page follow the pattern `class_uid = category_uid * 1000 + n`, e.g. 3002 under category 3 and 4002/4003 under category 4, so the "File System Activity" example's `class_uid` of 4010 under `category_uid` 1 does not fit and should be checked against the schema before reuse); express `time` in milliseconds since the Unix epoch, as these examples do; and replace placeholder values before using an event as a test fixture — the SHA-256 in the file example is the well-known digest of empty input even though `size` is 524288, and the MD5 in the detection example is the well-known digest of the string "hello". For file and malware identification prefer SHA-256 over MD5, since MD5 collisions are practical and detections keyed on it can be evaded.
See the Getting Started Guide for more information.
Want to contribute examples? Submit them via GitHub or contact the OCSF community.