Explainability
See mapped, transformed, defaulted, guessed, dropped, unmapped, and missing fields.
Scorecards
Grade mapping readiness with coverage, lint, strict checks, and CI summaries.
CI Output
Emit JSON, SARIF, JUnit, GitHub Actions annotations, and job summaries.
Fixture Hygiene
Scan and redact samples before sharing them in tickets, docs, or repos.
Release Checks
Run doctor and benchmark checks before promoting mapping packs.
Examples
Included mappings cover AWS GuardDuty, AWS Security Hub, CloudTrail, VPC Flow Logs, Okta, Entra ID, Azure Activity Logs, Google Cloud Audit Logs, GitHub audit logs, CrowdStrike, Palo Alto traffic, Zeek, Splunk ES, Sentinel, Defender, Wiz, Lacework, GCP SCC, Cloudflare, Kubernetes audit logs, Sysmon, and Windows Security events.
ocsfkit map fixtures/aws_guardduty_finding.json \
--mapping examples/guardduty-mapping.yaml
ocsfkit scorecard fixtures/guardduty.ndjson \
--mapping examples/guardduty-mapping.yaml \
--min-confidence 0.80 \
--max-unmapped 25
ocsfkit test-mapping tests/goldens --junit ocsfkit-mapping.xml
ocsfkit scan fixtures --sarif --warn-only
ocsfkit redact fixtures/aws_guardduty_finding.json --output redacted.json
ocsfkit doctor
ocsfkit benchmark fixtures/guardduty.ndjson \
--mapping examples/guardduty-mapping.yaml \
--iterations 3
ocsfkit report fixtures/guardduty.ndjson \
--mapping examples/guardduty-mapping.yaml \
--output report.html
ocsfkit workshop fixtures/wiz_finding.json \
--mapping examples/wiz-finding-mapping.yaml
ocsfkit targets search user
ocsfkit catalog --output docs/mapping-catalog.md
ocsfkit pack validate
Workflow
Inspect source fields with workshop mode, map known fields, explicitly drop reviewed noise, run explain for provenance, gate coverage in CI, lock behavior with fixture tests, and promote mature mappings with strict mode.