The Open Cybersecurity Schema Framework (OCSF) is an initiative aimed at standardizing how cybersecurity data is structured and shared across different platforms and tools. By creating a common schema, OCSF allows organizations to easily integrate and analyze security data from various sources, making it easier to detect, respond to, and manage cybersecurity threats.
It was created through a collaboration of major security vendors (including AWS, Splunk, CrowdStrike, IBM, and others) and released publicly in 2022. The goal is simple but important: security tools from different vendors produce logs in wildly different formats, making correlation and analysis painful. OCSF gives the industry a shared "language" for security events so that data from any source can be normalized into a common structure.
Core Design Principles
Schema-first, not tool-first. OCSF defines what a security event means semantically, not how any particular vendor stores it. A failed login from CrowdStrike and a failed login from Microsoft Entra ID should produce structurally identical OCSF records.
Hierarchical and extensible. The schema is organized into categories and classes. Vendors and organizations can extend it with custom attributes without breaking the base schema.
Universal Fields
These fields are required on every OCSF event, regardless of class:
| Field | Description |
|---|---|
| | Identifies the event class |
| | Identifies the category |
| | The specific action that occurred |
| | 0=Unknown, 1=Info, 2=Low, 3=Medium, 4=High, 5=Critical |
| | When the event occurred |
| | Schema version (e.g. |
| | Vendor product name |
| | Vendor name |
Category and Class Structure
OCSF organizes classes into categories. Each category covers a domain of security telemetry.
Category 2 — Findings
Events generated by security tools as conclusions or alerts, rather than raw activity logs.
| Class | UID | Purpose |
|---|---|---|
| Vulnerability Finding | 2002 | A weakness detected in a system or control |
| Compliance Finding | 2003 | Result of a compliance framework evaluation |
| Detection Finding | 2004 | Alert generated by a detection or correlation engine |
| Incident Finding | 2005 | Creation, update, or closure of a security incident |
| Data Security Finding | 2006 | Alert from DLP, DSPM, or data classification tools |
Category 3 — Identity & Access Management
Events about users, accounts, sessions, and access control.
| Class | UID | Purpose |
|---|---|---|
| Account Change | 3001 | User account created, deleted, locked, password changed, MFA enabled/disabled |
| Authentication | 3002 | Login, logoff, Kerberos TGT/service ticket, pre-authentication |
| Authorize Session | 3003 | Privileges or group memberships assigned to a new session |
| Entity Management | 3004 | CRUD operations on managed entities (devices, services, configs) |
| Group Management | 3006 | Group membership and privilege changes |
Category 4 — Network Activity
Events about network traffic and communication protocols.
| Class | UID | Purpose |
|---|---|---|
| Network Activity | 4001 | Raw connection open/close/reset/fail events |
| HTTP Activity | 4002 | HTTP request/response traffic |
| DNS Activity | 4003 | DNS queries and responses |
| Email Activity | 4009 | SMTP send/receive, scanning, MTA relay |
Category 5 — Discovery
Events produced by inventory, scanning, and asset discovery processes.
| Class | UID | Purpose |
|---|---|---|
| Device Inventory Info | 5001 | Host/endpoint inventory records |
| User Inventory Info | 5003 | User account inventory records |
| OS Patch State | 5004 | Patch installation and KB article tracking |
| Software Inventory Info | 5020 | Installed software / SBOM per device |
| OSINT Inventory Info | 5021 | Threat intelligence data ingestion |
| Cloud Resources Inventory | 5023 | Cloud asset inventory (buckets, DBs, containers) |
Category 6 — Application Activity
Events about application-layer behavior.
| Class | UID | Purpose |
|---|---|---|
| Web Resources Activity | 6001 | CRUD operations on web resources |
| Application Lifecycle | 6002 | App install, start, stop, update |
| API Activity | 6003 | API calls (Create, Read, Update, Delete) |
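As an added example (not code from the page or from any OCSF project), the "schema-first" principle and the universal fields above applied to the Authentication class (category 3, class 3002): two constructed raw records in made-up source formats are normalized into structurally identical OCSF events, and a small validator checks the required fields and the OCSF rule that `type_uid = class_uid * 100 + activity_id`. The field names (`class_uid`, `category_uid`, `activity_id`, `severity_id`, `time`, `type_uid`, `metadata`) are the OCSF attribute names; the raw record layouts and product strings are assumptions for illustration only.

```python
from datetime import datetime

# Constructed sample records in hypothetical source formats (not real vendor schemas).
CROWDSTRIKE_RAW = {"event_simpleName": "UserLogonFailed", "UserName": "alice",
                   "LocalIP": "10.0.0.5", "timestamp": 1700000000}
ENTRA_RAW = {"category": "SignInLogs", "userPrincipalName": "alice",
             "ipAddress": "203.0.113.7", "createdDateTime": "2023-11-14T22:13:20Z",
             "resultType": "50126"}  # non-zero result = failed sign-in (assumed)

# Universal fields required on every OCSF event, independent of class.
REQUIRED_FIELDS = ("class_uid", "category_uid", "activity_id", "severity_id",
                   "time", "type_uid", "metadata")

def ocsf_authentication(user, src_ip, time_ms, success, product, vendor):
    """Build an OCSF Authentication event (category 3, class 3002).
    activity_id 1 = Logon; status_id 1 = Success, 2 = Failure; time is epoch ms."""
    activity_id = 1
    return {
        "category_uid": 3,
        "class_uid": 3002,
        "activity_id": activity_id,
        "type_uid": 3002 * 100 + activity_id,   # OCSF rule: class_uid * 100 + activity_id
        "severity_id": 1 if success else 3,     # 1 = Info, 3 = Medium (see table above)
        "status_id": 1 if success else 2,
        "time": time_ms,
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "metadata": {"version": "1.1.0",
                     "product": {"name": product, "vendor_name": vendor}},
    }

def from_crowdstrike(raw):
    """Map the hypothetical EDR record; its timestamp is epoch seconds."""
    return ocsf_authentication(raw["UserName"], raw["LocalIP"], raw["timestamp"] * 1000,
                               raw["event_simpleName"] != "UserLogonFailed",
                               "Falcon", "CrowdStrike")

def from_entra(raw):
    """Map the hypothetical identity-provider record; its timestamp is ISO 8601."""
    ts = datetime.fromisoformat(raw["createdDateTime"].replace("Z", "+00:00"))
    return ocsf_authentication(raw["userPrincipalName"], raw["ipAddress"],
                               int(ts.timestamp() * 1000), raw["resultType"] == "0",
                               "Entra ID", "Microsoft")

def validate(event):
    """Return names of required universal fields that are missing or inconsistent."""
    problems = [f for f in REQUIRED_FIELDS if f not in event]
    expected = event.get("class_uid", 0) * 100 + event.get("activity_id", 0)
    if event.get("type_uid") != expected:
        problems.append("type_uid")
    return problems
```

Both normalized events share the same key set and the same `type_uid` (300201), which is what makes cross-vendor correlation on the OCSF side a single query.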
Explore the OCSF schema and DataBee’s extension to it using our Dynamic OCSF Schema Explorer. OCSF has various event categories such as System Activity, Findings, IAM (Identity and Access Management), and so on. Click on any category to see all the event classes it contains, then click on an event class to view its detailed schema, which lists the data fields and their types.
Always note the version number at the top left of the schema page to ensure you're looking at the latest framework.
Select the relevant extension if you need information specific to a certain operating system, such as Linux or Windows, or to view DataBee-specific results.
OCSF offers different profiles, such as Cloud, Container, OSINT (Open Source Intelligence), etc. You can tailor the schema to specific environments by selecting the profiles of your choice.