OCSF

Most recent version: v0.2.1

See the changelog of this Action type here.

Overview

The OCSF Action allows users to build messages in accordance with the Open Cybersecurity Schema Framework.

In order to configure this Action, you must first link it to a Listener. Go to Building a Pipeline to learn how to link.

AI Action Assistant

This Action has an AI-powered chat feature that can help you configure its parameters. Read more about it in this article.

Ports

These are the input and output ports of this Action:

Input ports

Default port - All the events to be processed by this Action enter through this port.

Output ports

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.

Configuration

Find OCSF in the Actions tab (under the Schema group) and drag it onto the canvas. Link it to the required Listener and Data sink.

To open the configuration, click the Action in the canvas and select Configuration.

Enter the required parameters:

Parameter

Description

Fields*

This is where you specify the fields you wish to include in your message, color coded by type.

Fields beginning with _ are internal fields.

OCSF Template*

Choose the blueprint used to create the standardized cybersecurity message within the OCSF model.

Destination Field Name*

Give your message a name to identify it by in the end destination.

Message

The message will be automatically transformed to fit the OCSF template selected above, show in JSON format. Drag and drop more fields from the fields area and rearrange them here.

Click Save to complete.

Example

Let's say you have received drone flight logs in JSON format and wish to transform it to a OCSF-formatted JSON using the Drone Flights Activity [8001] schema.

Raw data

{
  "drone_id": "DRONE-XT12",
  "operator": "alice.wong",
  "flight_id": "FL-20250602-0001",
  "start_time": "2025-06-02T08:00:00Z",
  "end_time": "2025-06-02T08:30:00Z",
  "status": "completed",
  "latitude": 40.7128,
  "longitude": -74.0060,
  "altitude_m": 150.0,
  "battery_level": 45,
  "vendor": "AeroFleet"
}

Parse the JSON

Add a Parser to the canvas and extract the fields using the automatic parsing.

Build the message

Now use the Message Builder to create a template containing these fields as an OSCF-formatted message.

Select the Drone Flights Activity [8001] schema from the list.

See the JSON reformatted in the Message area:

[
{
  "event_class": "drone_activity",
  "event_type_id": 8001,
  "time": "2025-06-02T08:00:00Z",
  "severity_id": 1,
  "message": "Drone flight FL-20250602-0001 completed successfully",
  "actor": {
    "user": {
      "name": "alice.wong"
    }
  },
  "drone_activity": {
    "drone_id": "DRONE-XT12",
    "flight_id": "FL-20250602-0001",
    "status": "completed",
    "start_time": "2025-06-02T08:00:00Z",
    "end_time": "2025-06-02T08:30:00Z",
    "location": {
      "latitude": 40.7128,
      "longitude": -74.0060,
      "altitude_m": 150.0
    },
    "battery_level": 45
  },
  "metadata": {
    "product": {
      "name": "DroneLogSystem",
      "vendor_name": "AeroFleet"
    }
  }
}
]

Drag and drop the fields to fill in the template with the real data.

Your message now matches the OCSF best practices: it normalizes data into structured actor, drone_activity, and metadata fields.

PreviousSchemas NextTransformation

Last updated 1 month ago

Was this helpful?