Understand the OCSF schema. Use when working with OCSF, looking up classes or objects, normalizing security events, or asking about the schema.
```
/plugin marketplace add tenzir/claude-plugins
/plugin install ocsf@tenzir
```

This skill inherits all available tools. When active, it can use any tool Claude has access to.

The Open Cybersecurity Schema Framework (OCSF) is a vendor-agnostic schema for normalizing security telemetry. This skill helps you understand its structure.

OCSF organizes cybersecurity data through five interconnected constructs:
- Attributes: Named data types (scalar or complex) that form the foundation. See attributes.md.
- Objects: Collections of contextually related attributes representing entities like Process, User, or File. See objects.md.
- Classes: Structured sets of attributes and objects describing specific security events like authentication or file activity. See classes.md.
- Profiles: Dynamic mix-ins that augment classes with cross-cutting attributes (e.g., Cloud, Container, Host). See profiles.md.
- Extensions: Mechanisms for expanding the schema without modifying the core. See extensions.md.

```
Attributes  →  Objects   →    Event Classes → Categories
│              │              │               │
└──────────────┴──────────────┴───────────────┘
                  compose into
```

OCSF organizes event classes into 8 categories:
| Category | UID | Use When |
|---|---|---|
| System | 1xxx | OS/endpoint events (files, processes) |
| Findings | 2xxx | Security detections and alerts |
| IAM | 3xxx | Identity and access (auth, account changes) |
| Network | 4xxx | Network communication (connections, DNS) |
| Discovery | 5xxx | Asset/config state (inventory, software) |
| Application | 6xxx | Application behavior (API, datastore) |
| Remediation | 7xxx | Incident response activities |
| Unmanned | 8xxx | Unmanned systems (experimental) |
Detailed per-class and per-object references: references/
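
The category ranges in the table can be used to sanity-check normalized events before they reach detections. The following is an added example, not part of the skill or the OCSF project: the function names and sample events are constructed, the `type_uid = class_uid * 100 + activity_id` rule and the class UIDs 3002 (Authentication) and 1001 (File System Activity) come from the OCSF core schema rather than this page, and extension classes are treated as out of scope.

```python
# Added example: UID consistency check for core OCSF events (extensions out of scope).
CATEGORIES = {
    1: "System", 2: "Findings", 3: "IAM", 4: "Network",
    5: "Discovery", 6: "Application", 7: "Remediation", 8: "Unmanned",
}


def _is_int(value):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def category_of(class_uid):
    """Return (category_uid, name) for a core class UID in 1xxx-8xxx, else None."""
    if not _is_int(class_uid):
        return None
    cat = class_uid // 1000
    return (cat, CATEGORIES[cat]) if cat in CATEGORIES else None


def check_event(event):
    """Return a list of UID problems; an empty list means the UIDs agree."""
    class_uid = event.get("class_uid")
    resolved = category_of(class_uid)
    if resolved is None:
        return [f"class_uid {class_uid!r} is not in a core category range"]
    cat_uid, cat_name = resolved
    problems = []
    if event.get("category_uid") != cat_uid:
        problems.append(
            f"category_uid {event.get('category_uid')!r} should be {cat_uid} ({cat_name})"
        )
    activity_id = event.get("activity_id")
    if not _is_int(activity_id) or not 0 <= activity_id <= 99:
        problems.append(f"activity_id {activity_id!r} must be an integer in 0-99")
    elif event.get("type_uid") != class_uid * 100 + activity_id:
        problems.append(
            f"type_uid {event.get('type_uid')!r} should be {class_uid * 100 + activity_id}"
        )
    return problems


# Constructed sample events (not real telemetry).
GOOD_EVENT = {"class_uid": 3002, "category_uid": 3, "activity_id": 1, "type_uid": 300201}
BAD_EVENT = {"class_uid": 1001, "category_uid": 4, "activity_id": 2, "type_uid": 100101}

if __name__ == "__main__":
    for name, ev in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(name, check_event(ev) or "consistent")
```

Running such a check at ingest catches mappers that copy a `category_uid` or `type_uid` from the wrong class template, which would otherwise cause category-scoped detections to silently miss the event.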