OCSF Schema
Categories
The OCSF categories organize event classes, each aligned with a specific domain or area of focus.
System Activity [1]
  File System Activity [1001]
  Kernel Extension Activity [1002]
  Kernel Activity [1003]
  Memory Activity [1004]
  Module Activity [1005]
  Scheduled Job Activity [1006]
  Process Activity [1007]

Findings [2]
  Security Finding [2001]
  Vulnerability Finding [2002]
  Compliance Finding [2003]
  Detection Finding [2004]
  Incident Finding [2005]
  Data Security Finding [2006]

Identity & Access Management [3]
  Account Change [3001]
  Authentication [3002]
  Authorize Session [3003]
  Entity Management [3004]
  User Access Management [3005]
  Group Management [3006]

Network Activity [4]
  Network Activity [4001]
  HTTP Activity [4002]
  DNS Activity [4003]
  DHCP Activity [4004]
  RDP Activity [4005]
  SMB Activity [4006]
  SSH Activity [4007]
  FTP Activity [4008]
  Email Activity [4009]
  Network File Activity [4010]
  Email File Activity [4011]
  Email URL Activity [4012]
  NTP Activity [4013]
  Tunnel Activity [4014]

Discovery [5]
  Device Inventory Info [5001]
  Device Config State [5002]
  User Inventory Info [5003]
  Operating System Patch State [5004]
  Kernel Object Query [5006]
  File Query [5007]
  Folder Query [5008]
  Admin Group Query [5009]
  Job Query [5010]
  Module Query [5011]
  Network Connection Query [5012]
  Networks Query [5013]
  Peripheral Device Query [5014]
  Process Query [5015]
  Service Query [5016]
  User Session Query [5017]
  User Query [5018]
  Device Config State Change [5019]

Application Activity [6]
  Web Resources Activity [6001]
  Application Lifecycle [6002]
  API Activity [6003]
  Web Resource Access Activity [6004]
  Datastore Activity [6005]
  File Hosting Activity [6006]
  Scan Activity [6007]