# OCSF 1.3 Schema Reference
AuroraSOC uses OCSF (Open Cybersecurity Schema Framework) version 1.3 as the canonical event schema across all planes.
## Required Fields

Every event MUST contain:

| Field | Type | Description |
|---|---|---|
| category_uid | int | Event category (0-6) |
| class_uid | int | Specific event class |
| activity_id | int | Activity within the class |
| severity_id | int | Severity (0=Unknown, 1=Info, 2=Low, 3=Medium, 4=High, 5=Critical, 6=Fatal) |
| time | string | ISO 8601 timestamp |
| metadata | object | Must contain a version field |
## Category UIDs
| UID | Category | Common Classes |
|---|---|---|
| 0 | Uncategorized | Generic events |
| 1 | System Activity | Process Activity (1007), File Activity (1001) |
| 2 | Findings | Detection Finding (2001), Vulnerability Finding (2002) |
| 3 | Identity & Access | Authentication (3002), Authorization (3003) |
| 4 | Network Activity | Network Activity (4001), DNS Activity (4003) |
| 5 | Discovery | Device Inventory (5001) |
| 6 | Application Activity | Web Resource (6002), API Activity (6003) |
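The following is an added example, not AuroraSOC's own `validate_ocsf_event`: a small validator that enforces the Required Fields table above and one consistency rule the Category UIDs table implies (every class listed under category N has a `class_uid` of the form N×1000+k, so `class_uid // 1000` must equal `category_uid`). The `ValidationResult`/`ValidationError` shape mirrors the usage shown on this page but is assumed, not taken from the project.

```python
from dataclasses import dataclass, field as dc_field
from datetime import datetime

# Allowed values, taken from the two tables above.
SEVERITY_IDS = {0, 1, 2, 3, 4, 5, 6}
CATEGORY_UIDS = set(range(0, 7))


@dataclass
class ValidationError:
    field: str
    message: str


@dataclass
class ValidationResult:
    errors: list = dc_field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors


def _is_int(value) -> bool:
    # bool is a subclass of int in Python; a True/False severity is not a valid id.
    return isinstance(value, int) and not isinstance(value, bool)


def _is_iso8601(value) -> bool:
    if not isinstance(value, str):
        return False
    try:
        # Older Pythons do not accept a trailing "Z", so map it to an explicit offset.
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def validate_required_fields(event: dict) -> ValidationResult:
    """Check only the fields this page marks as required (hypothetical helper)."""
    result = ValidationResult()
    errs = result.errors

    for name in ("category_uid", "class_uid", "activity_id", "severity_id"):
        if name not in event:
            errs.append(ValidationError(name, "missing required field"))
        elif not _is_int(event[name]):
            errs.append(ValidationError(name, "must be an integer"))

    cat = event.get("category_uid")
    if _is_int(cat) and cat not in CATEGORY_UIDS:
        errs.append(ValidationError("category_uid", "must be 0-6"))

    # class_uid must sit inside its category's 1000-block (1007 -> category 1, 4003 -> category 4).
    cls = event.get("class_uid")
    if _is_int(cat) and _is_int(cls) and cat in CATEGORY_UIDS and cls // 1000 != cat:
        errs.append(ValidationError("class_uid", f"class {cls} does not belong to category {cat}"))

    sev = event.get("severity_id")
    if _is_int(sev) and sev not in SEVERITY_IDS:
        errs.append(ValidationError("severity_id", "must be 0-6"))

    if "time" not in event:
        errs.append(ValidationError("time", "missing required field"))
    elif not _is_iso8601(event["time"]):
        errs.append(ValidationError("time", "must be an ISO 8601 timestamp string"))

    meta = event.get("metadata")
    if not isinstance(meta, dict):
        errs.append(ValidationError("metadata", "missing or not an object"))
    elif "version" not in meta:
        errs.append(ValidationError("metadata.version", "missing required field"))

    return result


if __name__ == "__main__":
    # Constructed sample: category 2 with a category-4 class, out-of-range severity,
    # unparsable time and no metadata.version.
    bad = {"category_uid": 2, "class_uid": 4001, "activity_id": 1,
           "severity_id": 9, "time": "yesterday", "metadata": {}}
    for err in validate_required_fields(bad).errors:
        print(f"ERROR: {err.field} - {err.message}")
```

Events that pass this check still have to satisfy the per-class OCSF schema (class-specific required attributes such as the DNS query object); this only guards the envelope every event shares.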
## Python Validation

```python
from aurorasoc.core.ocsf import validate_ocsf_event, normalize_to_ocsf

# Validate an existing event (event_dict is an OCSF event as a Python dict)
result = validate_ocsf_event(event_dict)
if not result.valid:
    for error in result.errors:
        print(f"ERROR: {error.field} - {error.message}")

# Normalize a raw event to OCSF (raw_event is a parsed source record)
ocsf_event = normalize_to_ocsf(raw_event, source="suricata")
```
## Vector Normalization
The Vector ingest pipeline (infra/vector/vector.yaml) performs OCSF normalization at ingestion time using VRL (Vector Remap Language). See the Vector Ingest Pipeline docs.
## Endpoint Structures

```json
{
  "src_endpoint": {
    "ip": "10.0.0.1",
    "port": 12345,
    "hostname": "workstation-01"
  },
  "dst_endpoint": {
    "ip": "192.168.1.100",
    "port": 443,
    "hostname": "server.internal"
  }
}
```
## Metadata Structure

```json
{
  "metadata": {
    "version": "1.3.0",
    "product": {
      "name": "Suricata",
      "vendor_name": "OISF"
    },
    "logged_time": "2026-06-14T12:00:00Z"
  }
}
```
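As an added example of the Endpoint and Metadata structures above being filled from a real source format (not AuroraSOC's `normalize_to_ocsf`, and not the project's VRL), the function below turns a constructed Suricata eve.json `dns` record into an OCSF DNS Activity (4003) event. The `activity_id` values (1 = Query, 2 = Response) and the `query.hostname`/`query.type` attributes are the OCSF DNS Activity class's own; the sample record and the `normalize_suricata_dns` name are assumptions made here.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed sample Suricata eve.json record (not captured from a real sensor).
SAMPLE_SURICATA_DNS = {
    "timestamp": "2026-06-14T12:00:00.000000+0000",
    "event_type": "dns",
    "src_ip": "10.0.0.1",
    "src_port": 12345,
    "dest_ip": "192.168.1.100",
    "dest_port": 53,
    "proto": "UDP",
    "dns": {"type": "query", "id": 4321, "rrname": "server.internal", "rrtype": "A"},
}

# Class/category numbers from the Category UIDs table; activity ids from the
# OCSF DNS Activity class (1 = Query, 2 = Response, 0 = Unknown).
NETWORK_CATEGORY_UID = 4
DNS_ACTIVITY_CLASS_UID = 4003
DNS_ACTIVITY = {"query": 1, "answer": 2}


def _to_iso8601(suricata_ts: str) -> str:
    """Suricata writes a "+0000" offset; rewrite it as "+00:00" and emit UTC with a Z."""
    ts = suricata_ts
    if len(ts) >= 5 and ts[-5] in "+-" and ts[-3] != ":":
        ts = ts[:-2] + ":" + ts[-2:]
    dt = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _now_iso() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _endpoint(ip: str, port: int) -> dict:
    # Suricata carries no hostnames for flow peers, so the endpoint keeps ip/port only.
    return {"ip": ip, "port": port}


def normalize_suricata_dns(raw: dict, logged_time: Optional[str] = None) -> dict:
    """Map one Suricata dns record onto the OCSF 1.3 envelope (hypothetical helper)."""
    if raw.get("event_type") != "dns":
        raise ValueError("expected a Suricata dns record")
    dns = raw["dns"]
    return {
        "category_uid": NETWORK_CATEGORY_UID,
        "class_uid": DNS_ACTIVITY_CLASS_UID,
        "activity_id": DNS_ACTIVITY.get(dns.get("type"), 0),
        "severity_id": 1,  # Informational: a lookup is telemetry, not a finding
        "time": _to_iso8601(raw["timestamp"]),
        "src_endpoint": _endpoint(raw["src_ip"], raw["src_port"]),
        "dst_endpoint": _endpoint(raw["dest_ip"], raw["dest_port"]),
        "query": {"hostname": dns.get("rrname"), "type": dns.get("rrtype")},
        "metadata": {
            "version": "1.3.0",
            "product": {"name": "Suricata", "vendor_name": "OISF"},
            # logged_time is when the pipeline wrote the event, not when the sensor saw it.
            "logged_time": logged_time or _now_iso(),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(normalize_suricata_dns(SAMPLE_SURICATA_DNS), indent=2))
```

Keeping `time` (sensor observation) separate from `metadata.logged_time` (pipeline write) matters for investigations: the gap between the two is the ingestion delay, and a large gap is itself worth alerting on.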