ocsfkit

An OCSF workbench for normalizing, linting, explaining, diffing, and querying security events.

brew tap pfrederiksen/tap
brew install ocsfkit
ocsfkit explain event.json --mapping mapping.yaml

Explainability

See mapped, transformed, defaulted, guessed, dropped, unmapped, and missing fields.

Mapping Coverage

Measure unmapped source fields and confidence across NDJSON event streams.

CI Output

Emit JSON, SARIF, and GitHub Actions annotations for mapping and lint failures.

Examples

Included mappings cover AWS GuardDuty, AWS Security Hub, CloudTrail, Okta, Entra ID, GitHub audit logs, CrowdStrike, Palo Alto traffic, Zeek, Splunk ES, Sentinel, Defender, Wiz, Lacework, GCP SCC, Cloudflare, and Kubernetes audit logs.

ocsfkit map fixtures/aws_guardduty_finding.json \
  --mapping examples/guardduty-mapping.yaml

ocsfkit coverage fixtures/guardduty.ndjson \
  --mapping examples/guardduty-mapping.yaml \
  --min-confidence 0.80 \
  --max-unmapped 25

ocsfkit test-mapping tests/fixtures/guardduty-test.yaml

ocsfkit report fixtures/guardduty.ndjson \
  --mapping examples/guardduty-mapping.yaml \
  --output report.html

ocsfkit workshop fixtures/wiz_finding.json \
  --mapping examples/wiz-finding-mapping.yaml

ocsfkit targets search user
ocsfkit pack validate

Workflow

Inspect source fields with workshop mode, map known fields, explicitly drop reviewed noise, run explain for provenance, gate coverage in CI, lock behavior with fixture tests, and promote mature mappings with strict mode.

Project Links

GitHub repository · Documentation · Releases