Explainability
See mapped, transformed, defaulted, guessed, dropped, unmapped, and missing fields.
Scorecards
Grade mapping readiness with coverage, lint, strict checks, and CI summaries.
CI Output
Emit JSON, SARIF, and GitHub Actions annotations for mapping and lint failures.
Examples
Included mappings cover AWS GuardDuty, AWS Security Hub, CloudTrail, VPC Flow Logs, Okta, Entra ID, Azure Activity Logs, Google Cloud Audit Logs, GitHub audit logs, CrowdStrike, Palo Alto traffic, Zeek, Splunk ES, Sentinel, Defender, Wiz, Lacework, GCP SCC, Cloudflare, Kubernetes audit logs, Sysmon, and Windows Security events.
ocsfkit map fixtures/aws_guardduty_finding.json \
--mapping examples/guardduty-mapping.yaml
ocsfkit scorecard fixtures/guardduty.ndjson \
--mapping examples/guardduty-mapping.yaml \
--min-confidence 0.80 \
--max-unmapped 25
ocsfkit test-mapping tests/fixtures/guardduty-test.yaml
ocsfkit report fixtures/guardduty.ndjson \
--mapping examples/guardduty-mapping.yaml \
--output report.html
ocsfkit workshop fixtures/wiz_finding.json \
--mapping examples/wiz-finding-mapping.yaml
ocsfkit targets search user
ocsfkit catalog --output docs/mapping-catalog.md
ocsfkit pack validate
Workflow
Inspect source fields with workshop mode, map known fields, explicitly drop reviewed noise, run explain for provenance, gate coverage in CI, lock behavior with fixture tests, and promote mature mappings with strict mode.