Explainability
See mapped, transformed, defaulted, guessed, dropped, unmapped, and missing fields.
Mapping Coverage
Measure unmapped source fields and confidence across NDJSON event streams.
CI Output
Emit JSON, SARIF, and GitHub Actions annotations for mapping and lint failures.
Examples
Included mappings cover AWS GuardDuty, AWS Security Hub, CloudTrail, Okta, Entra ID, GitHub audit logs, CrowdStrike, Palo Alto traffic, Zeek, Splunk ES, Sentinel, Defender, Wiz, Lacework, GCP SCC, Cloudflare, and Kubernetes audit logs.
ocsfkit map fixtures/aws_guardduty_finding.json \
--mapping examples/guardduty-mapping.yaml
ocsfkit coverage fixtures/guardduty.ndjson \
--mapping examples/guardduty-mapping.yaml \
--min-confidence 0.80 \
--max-unmapped 25
ocsfkit test-mapping tests/fixtures/guardduty-test.yaml
ocsfkit report fixtures/guardduty.ndjson \
--mapping examples/guardduty-mapping.yaml \
--output report.html
ocsfkit workshop fixtures/wiz_finding.json \
--mapping examples/wiz-finding-mapping.yaml
ocsfkit targets search user
ocsfkit pack validate
Workflow
Inspect source fields with workshop mode, map known fields, explicitly drop reviewed noise, run explain for provenance, gate coverage in CI, lock behavior with fixture tests, and promote mature mappings with strict mode.