# OCSF

{% hint style="info" %}
See the changelog of this Action type [here](/actions/ocsf.md).
{% endhint %}

## Overview

The **OCSF** Action allows users to build messages in accordance with the **Open Cybersecurity Schema Framework.**

{% hint style="warning" %}
In order to configure this Action, you must first link it to a Listener. Go to [Building a Pipeline](/the-workspace/pipelines/building-a-pipeline.md) to learn how to link.
{% endhint %}

{% hint style="info" %}
**AI Action Assistant**

This Action has an AI-powered chat feature that can help you configure its parameters. Read more about it in [this article](/the-workspace/pipelines/building-a-pipeline/ai-assistant/ai-action-assistant.md).
{% endhint %}

## Ports <a href="#ports" id="ports"></a>

These are the input and output ports of this Action:

<details>

<summary>Input ports</summary>

* **Default port** - All the events to be processed by this Action enter through this port.

</details>

<details>

<summary>Output ports</summary>

* **Default port** - Events are sent through this port if no error occurs while processing them.
* **Error port** - Events are sent through this port if an error occurs while processing them.

</details>

## Configuration

{% stepper %}
{% step %}
Find **OCSF** in the **Actions** tab (under the **Schema** group) and drag it onto the canvas. Link it to the required [Listener](https://docs.onum.com/the-workspace/listeners) and [Data sink](https://docs.onum.com/the-workspace/pipelines/data-sinks).
{% endstep %}

{% step %}
To open the configuration, click the Action in the canvas and select **Configuration**.
{% endstep %}

{% step %}
Enter the required parameters:

<table><thead><tr><th width="179.5">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><strong>Fields</strong><mark style="color:red;"><strong>*</strong></mark></td><td><p>This is where you specify the fields you wish to include in your message, <a href="/pages/GigDqk7hAxltMMo8kSKl">color coded</a> by type.</p><p></p><p>Fields beginning with <code>_</code> are internal fields.</p></td></tr><tr><td><strong>OCSF Template</strong><mark style="color:red;"><strong>*</strong></mark></td><td>Choose the blueprint used to create the standardized cybersecurity message within the OCSF model.</td></tr><tr><td><strong>Destination Field Name</strong><mark style="color:red;"><strong>*</strong></mark></td><td>Give your message a name to identify it by in the end destination.</td></tr><tr><td><strong>Message</strong></td><td>The message will be automatically transformed to fit the OCSF template selected above, shown in JSON format. Drag and drop more fields from the fields area and rearrange them here.</td></tr></tbody></table>
{% endstep %}

{% step %}
Click **Save** to complete.
{% endstep %}
{% endstepper %}

## Example

Let's say you have received drone flight logs in JSON format and wish to transform them into **OCSF-formatted JSON** using the Drone Flights Activity \[8001] schema.

{% stepper %}
{% step %}

### Raw data

```
{
  "drone_id": "DRONE-XT12",
  "operator": "alice.wong",
  "flight_id": "FL-20250602-0001",
  "start_time": "2025-06-02T08:00:00Z",
  "end_time": "2025-06-02T08:30:00Z",
  "status": "completed",
  "latitude": 40.7128,
  "longitude": -74.0060,
  "altitude_m": 150.0,
  "battery_level": 45,
  "vendor": "AeroFleet"
}
```

{% endstep %}

{% step %}

### Parse the JSON

Add a Parser to the canvas and extract the fields using the automatic parsing.
{% endstep %}

{% step %}

### Build the message

Now use the **Message Builder** to create a template containing these fields as an OCSF-formatted message.

Select the **Drone Flights Activity \[8001] schema** from the list.

See the JSON reformatted in the **Message** area:

```
[
{
  "event_class": "drone_activity",
  "event_type_id": 8001,
  "time": "2025-06-02T08:00:00Z",
  "severity_id": 1,
  "message": "Drone flight FL-20250602-0001 completed successfully",
  "actor": {
    "user": {
      "name": "alice.wong"
    }
  },
  "drone_activity": {
    "drone_id": "DRONE-XT12",
    "flight_id": "FL-20250602-0001",
    "status": "completed",
    "start_time": "2025-06-02T08:00:00Z",
    "end_time": "2025-06-02T08:30:00Z",
    "location": {
      "latitude": 40.7128,
      "longitude": -74.0060,
      "altitude_m": 150.0
    },
    "battery_level": 45
  },
  "metadata": {
    "product": {
      "name": "DroneLogSystem",
      "vendor_name": "AeroFleet"
    }
  }
}
]
```

Drag and drop the fields to fill in the template with the real data.

Your message now matches the OCSF best practices: it normalizes data into structured `actor`, `drone_activity`, and `metadata` fields.
{% endstep %}
{% endstepper %}
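
The mapping performed in the steps above, written out in Python so it can be checked outside the canvas. This is an added example, not Onum's implementation: the function names, the required-field list and the wording used for a status other than `completed` are assumptions, while the field names and constants are copied from the sample event and message on this page.

```python
import json

# Assumption: the fields without which the template cannot be filled.
REQUIRED = ("drone_id", "operator", "flight_id", "start_time", "end_time", "status")

def to_drone_activity(raw):
    """Map a parsed flight log to the message shape shown on this page."""
    missing = [k for k in REQUIRED if raw.get(k) in (None, "")]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    done = raw["status"] == "completed"
    outcome = "completed successfully" if done else "ended with status " + raw["status"]
    return {
        "event_class": "drone_activity",   # constants copied from the page's template
        "event_type_id": 8001,
        "time": raw["start_time"],
        "severity_id": 1,
        "message": f"Drone flight {raw['flight_id']} {outcome}",
        "actor": {"user": {"name": raw["operator"]}},
        "drone_activity": {
            "drone_id": raw["drone_id"],
            "flight_id": raw["flight_id"],
            "status": raw["status"],
            "start_time": raw["start_time"],
            "end_time": raw["end_time"],
            "location": {k: raw.get(k) for k in ("latitude", "longitude", "altitude_m")},
            "battery_level": raw.get("battery_level"),
        },
        "metadata": {"product": {"name": "DroneLogSystem", "vendor_name": raw.get("vendor")}},
    }

def route(line):
    """Return (port, payload): 'default' on success, 'error' otherwise."""
    try:
        raw = json.loads(line)
        if not isinstance(raw, dict):
            raise ValueError("event is not a JSON object")
        return "default", to_drone_activity(raw)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return "error", {"error": str(exc), "raw": line}

# The raw event from this page, then a constructed event with no operator.
GOOD = ('{"drone_id": "DRONE-XT12", "operator": "alice.wong", '
        '"flight_id": "FL-20250602-0001", "start_time": "2025-06-02T08:00:00Z", '
        '"end_time": "2025-06-02T08:30:00Z", "status": "completed", '
        '"latitude": 40.7128, "longitude": -74.0060, "altitude_m": 150.0, '
        '"battery_level": 45, "vendor": "AeroFleet"}')
BAD = '{"drone_id": "DRONE-XT12", "flight_id": "FL-20250602-0001"}'

if __name__ == "__main__":
    for line in (GOOD, BAD, "not json"):
        print(route(line))
```

Events that cannot be parsed or lack a required field are returned on the `error` port with the original line attached, so a downstream consumer never receives a partially filled message that looks valid.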


