Skip to main content

An OCSF workbench for normalizing, linting, explaining, diffing, and querying security events.

Project description

ocsfkit

ocsfkit is an OCSF workbench for security engineers who need to normalize, lint, explain, diff, and query security events without hiding mapping quality.

The first version focuses on a practical Detection Finding workflow and a minimal schema registry that can grow over time.

Why This Exists

Moving telemetry into OCSF is rarely a pure parsing problem. The hard part is knowing what happened during normalization:

  • Which class did the source event become?
  • Which source fields mapped cleanly?
  • Which target fields were defaulted or guessed?
  • Which fields were intentionally dropped?
  • Which source fields are still unmapped?
  • Which required or recommended OCSF fields are missing?

ocsfkit keeps those answers attached to the mapping workflow.

Install

pip install ocsfkit

For local development:

python -m venv .venv
. .venv/bin/activate
pip install -e ".[dev]"

Documentation

  • Getting Started: first mapping, lint, query, and diff workflow.
  • Mapping Guide: YAML format, provenance, transforms, drops, and required fields.
  • Real-World Workflows: GuardDuty, Security Hub, CloudTrail, CI gates, and mapping comparisons.
  • Docs Site: static site source for GitHub Pages.

Quick Start

Parse JSON, YAML, or NDJSON:

ocsfkit parse fixtures/aws_guardduty_finding.json
ocsfkit parse fixtures/guardduty.ndjson --format ndjson
cat fixtures/aws_guardduty_finding.json | ocsfkit parse -

Map AWS GuardDuty into an OCSF Detection Finding:

ocsfkit map fixtures/aws_guardduty_finding.json --mapping examples/guardduty-mapping.yaml
ocsfkit map fixtures/aws_guardduty_finding.json --mapping examples/guardduty-mapping.yaml --explain

Explain mapping quality before trusting the output:

ocsfkit explain fixtures/aws_guardduty_finding.json --mapping examples/guardduty-mapping.yaml
ocsfkit explain fixtures/aws_guardduty_finding.json --mapping examples/guardduty-mapping.yaml --json

Lint OCSF-looking events:

ocsfkit lint fixtures/ocsf_detection_finding.json
ocsfkit lint fixtures/broken_ocsf_event.json --json
ocsfkit lint fixtures/broken_ocsf_event.json --sarif
ocsfkit lint fixtures/broken_ocsf_event.json --warn-only

Diff two events or streams:

ocsfkit diff fixtures/ocsf_detection_finding.json fixtures/broken_ocsf_event.json
ocsfkit diff before.ndjson after.ndjson --json

Query common OCSF fields:

ocsfkit query fixtures/ocsf_detection_finding.json severity_id
ocsfkit query fixtures/ocsf_detection_finding.json metadata.product.name
ocsfkit query fixtures/ocsf_detection_finding.json cloud.account_uid
ocsfkit coverage fixtures/guardduty.ndjson --mapping examples/guardduty-mapping.yaml
ocsfkit validate-mapping examples/guardduty-mapping.yaml
ocsfkit init-mapping fixtures/aws_guardduty_finding.json

Command Reference

parse

Reads JSON, YAML, or NDJSON and emits normalized JSON. Use this to make sure input data can be loaded before writing mappings.

ocsfkit parse <input> [--format json|ndjson]

<input> can be a file path or - for stdin.

map

Applies a mapping YAML and emits OCSF JSON.

ocsfkit map <input> --mapping mapping.yaml [--format json|ndjson] [--explain]

Without --explain, output is the mapped event. With --explain, each output item contains both event and explanation.

explain

Shows the mapping decision report without making users inspect the mapped event by hand.

ocsfkit explain <input> --mapping mapping.yaml [--json] [--github-annotations]

The report includes mapped fields, defaulted fields, guessed fields, dropped fields, unmapped source fields, missing target fields, and a confidence score. --github-annotations emits missing targets and unmapped source fields as GitHub Actions annotations.

lint

Validates OCSF-looking events against the built-in minimal registry.

ocsfkit lint <input> [--json] [--sarif] [--github-annotations] [--warn-only]

Lint exits non-zero on errors unless --warn-only is set. Warnings are used for recommended fields and unknown class IDs. Use --schema-version to enforce the expected OCSF version, and --sarif or --github-annotations in CI.

diff

Compares two OCSF events or two streams with the same event count.

ocsfkit diff <before> <after> [--json]

The human output highlights class and severity changes because those fields tend to affect downstream routing, alerting, and dashboards.

query

Extracts common OCSF fields using dotted paths.

ocsfkit query <input> metadata.product.name
ocsfkit query <input> resources[].name

For NDJSON, one result is printed per event.

Mapping Format

Mappings are YAML. Source paths use a deliberately small JSONPath subset such as $.eventTime and $.userIdentity.userName. Target paths use dotted OCSF paths such as cloud.account_uid and actor.user.name.

schema_version: 1.7.0

target_class:
  class_uid: 2004
  class_name: Detection Finding
  category_uid: 2
  category_name: Findings

fields:
  time:
    from: $.eventTime
    transform: parse_timestamp
    required: true

  severity_id:
    from: $.severity
    transform: severity_text_to_id
    default: 1

  message:
    from: $.title

  cloud.account_uid:
    from: $.accountId

drop:
  - $.debug
  - $.rawPayload

The explanation model tracks mapped, transformed, defaulted, guessed, dropped, unmapped, and missing fields, plus a confidence score.

Included examples:

Minimal OCSF Scope

Implemented fields:

  • time
  • class_uid
  • class_name
  • category_uid
  • category_name
  • activity_id
  • activity_name
  • type_uid
  • type_name
  • severity_id
  • severity
  • message
  • metadata.version
  • metadata.product.name
  • actor.user.name
  • actor.user.uid
  • cloud.account_uid
  • cloud.region
  • device.hostname
  • dst_endpoint.ip
  • dst_endpoint.port
  • process.name
  • process.pid
  • resources[].name
  • resources[].type
  • src_endpoint.ip
  • src_endpoint.port
  • status
  • status_id

Implemented class registry:

  • Detection Finding (class_uid: 2004)
  • Authentication (class_uid: 3002)
  • Network Activity (class_uid: 4001)
  • Process Activity (class_uid: 1007)

Schema-version awareness currently supports 1.6.0 and 1.7.0, with 1.7.0 as the default expected version.

Fixtures

The repository includes fake, realistic fixtures for local testing:

  • fixtures/aws_guardduty_finding.json
  • fixtures/aws_securityhub_finding.json
  • fixtures/cloudtrail_event.json
  • fixtures/ocsf_detection_finding.json
  • fixtures/broken_ocsf_event.json
  • fixtures/guardduty.ndjson

No fixture contains real secrets or real account IDs.

Development

uv run --extra dev pytest
uv run --extra dev ruff check .
uv build

The CLI entry point is ocsfkit = "ocsfkit.cli:app".

Release Notes

This repository is ready for normal Python packaging with pyproject.toml. Recommended release flow:

  1. Tag a version: git tag v0.3.1 && git push --tags
  2. The .github/workflows/release.yml workflow builds distributions.
  3. PyPI publishing uses pypa/gh-action-pypi-publish with the PYPI_API_TOKEN repository secret.
  4. Homebrew tap updates run when HOMEBREW_TAP_ENABLED=true is set as a repository variable and HOMEBREW_TAP_TOKEN is available as a secret.

Do not commit package index tokens. Use PyPI trusted publishing or repository secrets for release automation.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ocsfkit-0.3.1.tar.gz (58.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ocsfkit-0.3.1-py3-none-any.whl (23.3 kB view details)

Uploaded Python 3

File details

Details for the file ocsfkit-0.3.1.tar.gz.

File metadata

  • Download URL: ocsfkit-0.3.1.tar.gz
  • Upload date:
  • Size: 58.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ocsfkit-0.3.1.tar.gz
Algorithm Hash digest
SHA256 69954b394b7e16e7d388a9f735c0f0cde80caf2d5f6568b605cb8ebc095ff1e3
MD5 217f8627473faf2ce372f5f49bcb8ef1
BLAKE2b-256 2a4f2444cb2c8fa8d7b328203110df3963033ad7bb237198db7a3fec97d7d956

See more details on using hashes here.

File details

Details for the file ocsfkit-0.3.1-py3-none-any.whl.

File metadata

  • Download URL: ocsfkit-0.3.1-py3-none-any.whl
  • Upload date:
  • Size: 23.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ocsfkit-0.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 5706cbc4feb7308312c3679f4aa0a118dbb835731bffa24dd0be04e5180b39e3
MD5 6d677549628c0422edeecec6a746d716
BLAKE2b-256 ad6876f2e3a319abd562c7cf852888d2b1e7d5a924c1a7b729073a00c04e5633

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page