This guide will help you understand and start working with the Open Cybersecurity Schema Framework (OCSF).
OCSF organizes security data into a hierarchical structure:
- Event classes: represent different types of security events (such as the Authentication class shown below).
- Objects: reusable components that represent entities (such as the user and metadata objects in the example below).
- Attributes: individual data fields with specific types and meanings.
Here's a simple authentication event example (a successful logon, including the activity_id and type_uid attributes the Authentication class requires; type_uid is class_uid * 100 + activity_id):

    {
      "class_uid": 3002,
      "class_name": "Authentication",
      "category_uid": 3,
      "category_name": "Identity & Access Management",
      "activity_id": 1,
      "activity_name": "Logon",
      "type_uid": 300201,
      "severity_id": 1,
      "severity": "Informational",
      "metadata": {
        "version": "1.1.0",
        "product": {
          "name": "Example Security System",
          "vendor_name": "Example Vendor"
        }
      },
      "time": 1700000000000,
      "user": {
        "name": "john.doe",
        "uid": "1001"
      },
      "auth_protocol": "NTLM",
      "status_id": 1,
      "status": "Success"
    }
Use the OCSF validator to ensure your events conform to the schema:

    # Example validation command
    ocsf-validator validate --schema schema.json --event event.json
Common use cases:
- Convert vendor-specific logs to OCSF format for unified analysis.
- Feed OCSF-formatted events into your SIEM for standardized detection.
- Share security data between organizations using a common format.
- Build analytics and machine learning models on standardized data.
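The following added example (not part of this guide or the OCSF project) shows the first use case end to end: it maps constructed sshd-style log lines onto the Authentication event class described above and runs a lightweight pre-check of the required attributes and the type_uid rule before the event is handed to the validator. The severity mapping (Informational for success, Low for failure) is an assumed local policy, not an OCSF rule.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in sshd style; they are not taken from any real system.
SAMPLE_LOGS = [
    "2024-01-15T10:00:00Z host1 sshd[1234]: Accepted password for alice from 10.0.0.5 port 5000 ssh2",
    "2024-01-15T10:00:05Z host1 sshd[1235]: Failed password for bob from 10.0.0.6 port 5001 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

CLASS_UID = 3002     # Authentication event class
CATEGORY_UID = 3     # Identity & Access Management
ACTIVITY_LOGON = 1   # activity_id for Logon
# Attributes the Authentication class requires.
REQUIRED = ("activity_id", "category_uid", "class_uid", "metadata",
            "severity_id", "time", "type_uid", "user")

def to_ocsf(line: str) -> dict:
    """Map one sshd-style line to an OCSF Authentication event (class_uid 3002)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line}")
    ok = m["result"] == "Accepted"
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "class_uid": CLASS_UID, "class_name": "Authentication",
        "category_uid": CATEGORY_UID, "category_name": "Identity & Access Management",
        "activity_id": ACTIVITY_LOGON, "activity_name": "Logon",
        "type_uid": CLASS_UID * 100 + ACTIVITY_LOGON,  # OCSF rule: class_uid * 100 + activity_id
        "severity_id": 1 if ok else 2, "severity": "Informational" if ok else "Low",  # assumed policy
        "status_id": 1 if ok else 2, "status": "Success" if ok else "Failure",
        "time": int(ts.timestamp() * 1000),  # OCSF time is epoch milliseconds
        "metadata": {"version": "1.1.0", "product": {"name": "sshd", "vendor_name": "OpenSSH"}},
        "user": {"name": m["user"]},
        "src_endpoint": {"ip": m["ip"], "port": int(m["port"])},
        "device": {"hostname": m["host"]},
    }

def check_event(event: dict) -> list:
    """Cheap sanity check to run before the OCSF validator; returns a list of problems."""
    problems = [f"missing required attribute: {k}" for k in REQUIRED if k not in event]
    if all(k in event for k in ("type_uid", "class_uid", "activity_id")):
        if event["type_uid"] != event["class_uid"] * 100 + event["activity_id"]:
            problems.append("type_uid does not match class_uid * 100 + activity_id")
    return problems
```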
Need help? Contact the OCSF community or submit an issue on GitHub.