ocsfkit

An OCSF workbench for normalizing, linting, explaining, diffing, and querying security events.

brew tap pfrederiksen/tap
brew install ocsfkit
ocsfkit explain event.json --mapping mapping.yaml

Explainability

See mapped, transformed, defaulted, guessed, dropped, unmapped, and missing fields.

Mapping Coverage

Measure unmapped source fields and confidence across NDJSON event streams.

CI Output

Emit JSON, SARIF, and GitHub Actions annotations for mapping and lint failures.

Examples

Included mappings cover AWS GuardDuty, AWS Security Hub, CloudTrail, Okta, Entra ID, GitHub audit logs, CrowdStrike, Palo Alto traffic, and Zeek.

ocsfkit map fixtures/aws_guardduty_finding.json \
  --mapping examples/guardduty-mapping.yaml

ocsfkit coverage fixtures/guardduty.ndjson \
  --mapping examples/guardduty-mapping.yaml

ocsfkit validate-mapping examples/okta-authentication-mapping.yaml

Project Links

GitHub repository · Documentation · Releases