Categories
The OCSF categories organize event classes, each aligned with a specific domain or area of focus.
System Activity [1]
  File System Activity [1001]
  Kernel Extension Activity [1002]
  Kernel Activity [1003]
  Memory Activity [1004]
  Module Activity [1005]
  Scheduled Job Activity [1006]
  Process Activity [1007]
  Event Log Activity [1008]
  Script Activity [1009]
  Peripheral Activity [1010]

Findings [2]
  Security Finding [2001] (deprecated)
  Vulnerability Finding [2002]
  Compliance Finding [2003]
  Detection Finding [2004]
  Incident Finding [2005]
  Data Security Finding [2006]
  Application Security Posture Finding [2007]
  IAM Analysis Finding [2008]

Identity & Access Management [3]
  Account Change [3001]
  Authentication [3002]
  Authorize Session [3003]
  Entity Management [3004]
  User Access Management [3005]
  Group Management [3006]

Network Activity [4]
  Network Activity [4001]
  HTTP Activity [4002]
  DNS Activity [4003]
  DHCP Activity [4004]
  RDP Activity [4005]
  SMB Activity [4006]
  SSH Activity [4007]
  FTP Activity [4008]
  Email Activity [4009]
  Network File Activity [4010] (deprecated)
  Email File Activity [4011] (deprecated)
  Email URL Activity [4012] (deprecated)
  NTP Activity [4013]
  Tunnel Activity [4014]

Discovery [5]
  Device Inventory Info [5001]
  Device Config State [5002] (deprecated)
  User Inventory Info [5003]
  Operating System Patch State [5004]
  Kernel Object Query [5006] (deprecated)
  File Query [5007] (deprecated)
  Folder Query [5008] (deprecated)
  Admin Group Query [5009] (deprecated)
  Job Query [5010] (deprecated)
  Module Query [5011] (deprecated)
  Network Connection Query [5012] (deprecated)
  Networks Query [5013] (deprecated)
  Peripheral Device Query [5014] (deprecated)
  Process Query [5015] (deprecated)
  Service Query [5016] (deprecated)
  User Session Query [5017] (deprecated)
  User Query [5018] (deprecated)
  Device Config State Change [5019]
  Software Inventory Info [5020]
  OSINT Inventory Info [5021]
  Startup Item Query [5022] (deprecated)
  Cloud Resources Inventory Info [5023]
  Live Evidence Info [5040]

Application Activity [6]
  Web Resources Activity [6001]
  Application Lifecycle [6002]
  API Activity [6003]
  Web Resource Access Activity [6004] (deprecated)
  Datastore Activity [6005]
  File Hosting Activity [6006]
  Scan Activity [6007]
  Application Error [6008]

Remediation [7]
  Remediation Activity [7001]
  File Remediation Activity [7002]
  Process Remediation Activity [7003]
  Network Remediation Activity [7004]

Unmanned Systems [8]
  Drone Flights Activity [8001]
  Airborne Broadcast Activity [8002]