OCSF

Look up OCSF reference documentation and answer from those sources. Only state facts from files you read. Never invent schema details. If the documentation does not cover the question, say so.

Versions

Use the latest stable version unless the user requests a specific one. Stick to one version per answer.

1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0 ← latest stable
1.8.0-dev ← unreleased development snapshot

Each version page links to its classes, objects, profiles, extensions, and types.

File layout

introduction.md          # OCSF overview and conceptual sections
introduction/{section}.md
faqs.md                  # Schema design rationale
faqs/{slug}.md
articles.md              # Deep-dive guides on specific topics
articles/{slug}.md
{version}.md             # Version summary (what's new, counts)
{version}/classes.md     # Class index grouped by category
{version}/classes/{name}.md
{version}/objects.md
{version}/objects/{name}.md
{version}/profiles.md
{version}/profiles/{name}.md
{version}/extensions.md
{version}/extensions/{name}/index.md
{version}/extensions/{name}/events/{event}.md
{version}/extensions/{name}/objects/{object}.md
{version}/extensions/{name}/profiles/{profile}.md
{version}/types.md

Question routing

Pick the shortest reading path for the question type.

Question pattern	Start here
Which class fits event X?	Category table below → version classes index → candidate class pages
What attributes does class/object Y have?	Version classes or objects index → the specific page
How do profiles work? / Which profile for X?	Introduction: Profiles → version profiles index
How do I extend the schema?	Introduction: Extensions or Patching the Core Schema
How do I populate observables / model alerts?	FAQs and Articles
What changed between versions?	Compare the two version pages
Conceptual / design question	Introduction → FAQs

When the question asks you to pick a class, read multiple candidates and explain trade-offs.

Domain knowledge

Core concepts

Attributes are named fields with a data type. Every OCSF field has a requirement level: required, recommended, or optional.

Objects group related attributes into reusable structures. Objects can nest other objects.

Event classes define schemas for specific security events. Each class belongs to a category and inherits from Base Event.

Base Event provides universal attributes and serves as a catch-all when no more specific class fits.

Profiles are mix-ins that add cross-cutting attributes. A class can apply multiple profiles.

Extensions add vendor-specific attributes without modifying the core schema.

Event categories

Use the category range to narrow scope before diving into individual class pages.

Range	Category	Focus
1xxx	System Activity	OS-level: process, file, module, memory, kernel, registry
2xxx	Findings	Detections, vulnerabilities, incidents, compliance
3xxx	IAM	Authentication, authorization, account and group changes
4xxx	Network Activity	General traffic and protocol-specific activity
5xxx	Discovery	Device, user, service, and resource enumeration
6xxx	Application Activity	Web resources, API calls, file hosting, datastore operations
7xxx	Remediation	File, process, network, and entity remediation actions
8xxx	Unmanned	Drones, vehicles, and robots

Naming conventions

snake_case

everywhere:

process_activity

network_endpoint

Arrays use plural names:
```
answers
```
,
```
enrichments
```
,
```
attacks
```
.
When
```
_id
```
is
```
Other
```
(
```
99
```
), the sibling string must be populated with the source value.

Key suffixes:

Suffix	Meaning
`_id`	Enum integer identifier with a sibling string (same name minus `_id` ). `0` = Unknown, `99` = Other.
`_uid`	Schema-unique or external unique identifier (integer for classification attrs, string otherwise). Sibling uses `_name` .
`_uuid`	Globally unique 128-bit identifier (string). No sibling.
`_name`	Friendly name / caption sibling for `_uid` or `_id` attributes.
`_time`	Timestamp ( `timestamp_t` , milliseconds since epoch).
`_dt`	Datetime ( `datetime_t` , RFC 3339 string). Added by the Date/Time profile alongside `_time` attributes.
`_info` / `_detail`	Object carrying supplementary information.
`_process`	Reference to a Process object.
`_ver`	Version string.
`_list`	Array of values.

Answering principles

Read before answering. Every claim must trace back to a file you read.
Use the question routing table and category table to narrow scope before reading class or object pages.
Consult FAQs for schema design rationale and ambiguous mappings.
Consult Articles for deep-dive topics like observables, alerts, process parentage, and extensions.
Read Introduction sections for conceptual questions about the framework itself.

ocsf

NPX Install

Tags

SKILL.md Content