The Open Cybersecurity Schema Framework (OCSF) is an open standard for cybersecurity event logging and data normalization. The framework is made up of a set of categories, event classes, data types, and an attribute dictionary. It is not restricted to cybersecurity nor to events; however, the initial focus of the framework has been a schema for cybersecurity events.
This repository contains the core schema definitions that enable consistent representation of security events across different tools and platforms. The core schema for cybersecurity events is intended to be implementation-agnostic. OCSF is intended to be used by products and devices that produce log events, by analytic systems, and by logging systems that retain log events.
Explore the Schema: Visit schema.ocsf.io to browse the complete schema interactively.
Key Resources:
- Understanding OCSF - Comprehensive white paper
- Contributing Guide - How to contribute to the schema
- Changelog - Latest updates and changes
Repository Structure:
```
├── events/          # Event class definitions organized by category
├── objects/         # Reusable object definitions
├── profiles/        # Schema profiles for specific use cases
├── extensions/      # Schema extensions (Linux, Windows, etc.)
├── metaschema/      # Schema validation rules
├── templates/       # Template definitions
├── categories.json  # Event category definitions
├── dictionary.json  # Attribute dictionary
└── version.json     # Current schema version
```
OCSF provides:
- Standardized Event Schema: Common structure for cybersecurity events
- Extensible Framework: Support for custom extensions and profiles
- Format Agnostic: Works with JSON, Parquet, Avro, and other formats
- Vendor Neutral: Open standard not tied to any specific vendor
The framework consists of:
- Categories: High-level groupings (Network, System, Application, etc.)
- Event Classes: Specific event types within categories
- Objects: Reusable data structures
- Attributes: Individual data fields with standardized definitions
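To make the category / event class / object / attribute layering concrete, here is an added example (not code from this repository) that normalizes a constructed vendor-format logon line into an OCSF Authentication event and runs a minimal base-event consistency check. The numeric identifiers (category_uid 3 for Identity & Access Management, class_uid 3002 for Authentication, the activity and status IDs, and the type_uid = class_uid * 100 + activity_id convention) are assumed from the published schema at schema.ocsf.io; the log line format and product name are invented for the example.

```python
import re
from datetime import datetime, timezone

# Identifiers assumed from the published OCSF schema (check against schema.ocsf.io).
CATEGORY_IAM = 3               # Identity & Access Management category
CLASS_AUTHENTICATION = 3002    # Authentication event class
ACTIVITY = {"LOGON": 1, "LOGOFF": 2}
STATUS = {"success": 1, "failure": 2}

# Constructed sample line in an invented vendor format (not a real product's log).
RAW_LINE = "2024-05-01T12:00:05Z LOGON user=alice src=203.0.113.7 result=failure"

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<act>LOGON|LOGOFF) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<res>success|failure)$"
)

def to_ocsf_authentication(line: str) -> dict:
    """Map one vendor line onto the OCSF Authentication class (objects: user, src_endpoint)."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised line format")
    activity_id = ACTIVITY[m["act"]]
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "category_uid": CATEGORY_IAM,
        "class_uid": CLASS_AUTHENTICATION,
        "activity_id": activity_id,
        "type_uid": CLASS_AUTHENTICATION * 100 + activity_id,  # OCSF type_uid convention
        "severity_id": 1,                                      # Informational
        "status_id": STATUS[m["res"]],
        "time": int(ts.timestamp() * 1000),                    # OCSF time is epoch milliseconds
        "metadata": {"version": "1.0.0", "product": {"name": "example-auth-service"}},
        "user": {"name": m["user"]},
        "src_endpoint": {"ip": m["src"]},
    }

# Base-event attributes every OCSF event class carries; used for a minimal structural check.
REQUIRED = ("category_uid", "class_uid", "activity_id", "type_uid", "severity_id", "time", "metadata")

def check_base_event(event: dict) -> list:
    """Return a list of problems; empty means the base-event shape is consistent."""
    problems = [f"missing {k}" for k in REQUIRED if k not in event]
    expected = event.get("class_uid", 0) * 100 + event.get("activity_id", 0)
    if "type_uid" in event and event["type_uid"] != expected:
        problems.append("type_uid inconsistent with class_uid/activity_id")
    return problems
```

A full validation would load the class definition from events/ and the attribute dictionary from dictionary.json; this check only covers the base-event fields so that it runs without the repository files.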
OCSF is designed for:
- Security Tools: SIEM, SOAR, EDR, and other security platforms
- Log Producers: Applications, devices, and systems generating security events
- Analytics Platforms: Tools processing and analyzing security data
- Data Pipelines: ETL processes normalizing security data
We welcome contributions! Please see our Contributing Guide for details on:
- How to propose schema changes
- Development workflow
- Community guidelines
OCSF follows semantic versioning. Check version.json for the current version.
Licensed under the Apache License 2.0.
Need Help?