Categories
The OCSF categories organize event classes, each aligned with a specific domain or area of focus.
System Activity [1]
  File System Activity [1001]
  Kernel Extension Activity [1002]
  Kernel Activity [1003]
  Memory Activity [1004]
  Module Activity [1005]
  Scheduled Job Activity [1006]
  Process Activity [1007]
  Event Log Activity [1008]
  Script Activity [1009]
  Peripheral Activity [1010]
Findings [2]
  Security Finding [2001] (deprecated)
  Vulnerability Finding [2002]
  Compliance Finding [2003]
  Detection Finding [2004]
  Incident Finding [2005]
  Data Security Finding [2006]
  Application Security Posture Finding [2007]
  IAM Analysis Finding [2008]
Identity & Access Management [3]
  Account Change [3001]
  Authentication [3002]
  Authorize Session [3003]
  Entity Management [3004]
  User Access Management [3005]
  Group Management [3006]
Network Activity [4]
  Network Activity [4001]
  HTTP Activity [4002]
  DNS Activity [4003]
  DHCP Activity [4004]
  RDP Activity [4005]
  SMB Activity [4006]
  SSH Activity [4007]
  FTP Activity [4008]
  Email Activity [4009]
  Network File Activity [4010] (deprecated)
  Email File Activity [4011] (deprecated)
  Email URL Activity [4012] (deprecated)
  NTP Activity [4013]
  Tunnel Activity [4014]
Discovery [5]
  Device Inventory Info [5001]
  Device Config State [5002] (deprecated)
  User Inventory Info [5003]
  Operating System Patch State [5004]
  Kernel Object Query [5006] (deprecated)
  File Query [5007] (deprecated)
  Folder Query [5008] (deprecated)
  Admin Group Query [5009] (deprecated)
  Job Query [5010] (deprecated)
  Module Query [5011] (deprecated)
  Network Connection Query [5012] (deprecated)
  Networks Query [5013] (deprecated)
  Peripheral Device Query [5014] (deprecated)
  Process Query [5015] (deprecated)
  Service Query [5016] (deprecated)
  User Session Query [5017] (deprecated)
  User Query [5018] (deprecated)
  Device Config State Change [5019]
  Software Inventory Info [5020]
  OSINT Inventory Info [5021]
  Startup Item Query [5022] (deprecated)
  Cloud Resources Inventory Info [5023]
  Live Evidence Info [5040]
Application Activity [6]
  Web Resources Activity [6001]
  Application Lifecycle [6002]
  API Activity [6003]
  Web Resource Access Activity [6004] (deprecated)
  Datastore Activity [6005]
  File Hosting Activity [6006]
  Scan Activity [6007]
  Application Error [6008]
Remediation [7]
  Remediation Activity [7001]
  File Remediation Activity [7002]
  Process Remediation Activity [7003]
  Network Remediation Activity [7004]
Unmanned Systems [8]
  Drone Flights Activity [8001]
  Airborne Broadcast Activity [8002]