ocsf-schema by ocsf

Cybersecurity event logging and data normalization standard

Created 4 years ago
820 stars

Top 42.9% on SourcePulse

Project Summary

Open Cybersecurity Schema Framework (OCSF) addresses the challenge of inconsistent cybersecurity event logging and data normalization across diverse tools and platforms. It provides an open standard for representing security events consistently, benefiting security tools, log producers, analytics platforms, and data pipelines by enabling interoperability and simplifying analysis.

How It Works

OCSF provides a standardized, extensible, and format-agnostic schema for cybersecurity event logging. It comprises categories, event classes, reusable objects, and a comprehensive attribute dictionary, enabling consistent data representation across diverse tools and platforms. The framework's core technical innovation lies in its robust quality assurance for schema evolution. This includes a deterministic static anti-pattern checker that flags structural design issues in pull requests without external dependencies, and a Claude-powered LLM reviewer that assesses description quality and semantic correctness. This dual-review system ensures schema integrity and usability.

Quick Start & Requirements

Explore the schema interactively at schema.ocsf.io. Key resources include the "Understanding OCSF" white paper, "Contributing Guide", and "Changelog". No direct installation command is provided as this repository defines the schema itself.

Highlighted Details

  • Automated Schema Validation: Features a two-tiered PR review system: a fast, deterministic static checker for structural anti-patterns (e.g., Boolean Trap, Type Inconsistency) and an LLM-based reviewer for description clarity and semantic correctness.
  • LLM-to-Static Learning Pipeline: Novel anti-patterns identified by the LLM reviewer are logged and can be integrated into the static checker, transforming one-time LLM insights into permanent, automated checks.
  • Format Agnostic & Extensible: Designed to work with various data formats (JSON, Parquet, Avro) and supports custom extensions and profiles for specific use cases.
  • Vendor Neutrality: An open standard not tied to any specific vendor, promoting interoperability.

Maintenance & Community

Community Discussions and a Slack Workspace are available for engagement. A detailed Contributing Guide outlines the process for proposing schema changes and community guidelines. The project follows semantic versioning, with the current version available in version.json.

Licensing & Compatibility

Licensed under the Apache License 2.0. This permissive license allows for commercial use and integration within closed-source projects without significant restrictions.

Limitations & Caveats

The initial focus of the OCSF framework has been cybersecurity events, although the schema is not strictly limited to this domain. The provided README does not detail any alpha status, known bugs, or unsupported platforms.

Health Check

  • Last Commit: 3 days ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 11
  • Issues (30d): 13
  • Star History: 18 stars in the last 30 days
