OCSF Schema
Categories
The OCSF categories organize event classes, each aligned with a specific domain or area of focus.
System Activity [1]
  File System Activity [1001]
  Kernel Extension Activity [1002]
  Kernel Activity [1003]
  Memory Activity [1004]
  Module Activity [1005]
  Scheduled Job Activity [1006]
  Process Activity [1007]
  Event Log Activity [1008]
  Script Activity [1009]

Findings [2]
  Security Finding [2001] (deprecated)
  Vulnerability Finding [2002]
  Compliance Finding [2003]
  Detection Finding [2004]
  Incident Finding [2005]
  Data Security Finding [2006]

Identity & Access Management [3]
  Account Change [3001]
  Authentication [3002]
  Authorize Session [3003]
  Entity Management [3004]
  User Access Management [3005]
  Group Management [3006]

Network Activity [4]
  Network Activity [4001]
  HTTP Activity [4002]
  DNS Activity [4003]
  DHCP Activity [4004]
  RDP Activity [4005]
  SMB Activity [4006]
  SSH Activity [4007]
  FTP Activity [4008]
  Email Activity [4009]
  Network File Activity [4010] (deprecated)
  Email File Activity [4011] (deprecated)
  Email URL Activity [4012] (deprecated)
  NTP Activity [4013]
  Tunnel Activity [4014]

Discovery [5]
  Device Inventory Info [5001]
  Device Config State [5002]
  User Inventory Info [5003]
  Operating System Patch State [5004]
  Kernel Object Query [5006]
  File Query [5007]
  Folder Query [5008]
  Admin Group Query [5009]
  Job Query [5010]
  Module Query [5011]
  Network Connection Query [5012]
  Networks Query [5013]
  Peripheral Device Query [5014]
  Process Query [5015]
  Service Query [5016]
  User Session Query [5017]
  User Query [5018]
  Device Config State Change [5019]
  Software Inventory Info [5020]
  OSINT Inventory Info [5021]
  Startup Item Query [5022]
  Cloud Resources Inventory Info [5023]

Application Activity [6]
  Web Resources Activity [6001]
  Application Lifecycle [6002]
  API Activity [6003]
  Web Resource Access Activity [6004] (deprecated)
  Datastore Activity [6005]
  File Hosting Activity [6006]
  Scan Activity [6007]
  Application Error [6008]

Remediation [7]
  Remediation Activity [7001]
  File Remediation Activity [7002]
  Process Remediation Activity [7003]
  Network Remediation Activity [7004]

Unmanned Systems [8]
  Drone Flights Activity [8001]
  Airborne Broadcast Activity [8002]