Elixir library modelling the Open Cybersecurity Schema Framework (OCSF 1.8).
Provides structs, enums, and helpers that map to the
OCSF 1.8.0 specification. Use this
module as the top-level entry point for schema version information.
Persistence-agnostic core with optional Postgres (ocsf_ecto) and
ClickHouse (ocsf_clickhouse) sinks.
See OCSF.Category, OCSF.Class, OCSF.Activity, OCSF.Severity,
OCSF.Status, and OCSF.Classification for the core enums and taxonomy.
Summary
Functions
from_map/1: Reconstruct an %OCSF.Event{} from a nested OCSF map.
redact/2: Apply a sink policy to an event, returning a redacted event.
to_json/1: Serialize an %OCSF.Event{} to OCSF-compliant JSON iodata.
to_map/1: Convert an %OCSF.Event{} to an OCSF-compliant nested map.
validate/1: Validate an %OCSF.Event{} structurally.
version/0: Return the OCSF schema version this library targets.
Functions
@spec from_map(map()) :: {:ok, OCSF.Event.t()} | {:error, OCSF.Error.t()}
Reconstruct an %OCSF.Event{} from a nested OCSF map.
Delegates to OCSF.Event.from_map/1.
@spec redact(OCSF.Event.t(), OCSF.Policy.t()) :: OCSF.Event.t()
Apply a sink policy to an event, returning a redacted event.
Delegates to OCSF.Policy.apply/2.
@spec to_json(OCSF.Event.t()) :: iodata()
Serialize an %OCSF.Event{} to OCSF-compliant JSON iodata.
@spec to_map(OCSF.Event.t()) :: map()
Convert an %OCSF.Event{} to an OCSF-compliant nested map.
Nil fields are omitted. Integer UIDs are emitted as-is; their
corresponding _name labels are added alongside per OCSF convention.
Delegates to OCSF.Serializer.to_map/1.
@spec validate(OCSF.Event.t()) :: {:ok, OCSF.Event.t()} | {:error, OCSF.Error.t()}
Validate an %OCSF.Event{} structurally.
Runs a 12-step check (SPEC §10): metadata presence, version, product, category/class/type consistency, activity/status/severity validity, time format, and class-specific required fields.
Returns {:ok, event} on success or {:error, %OCSF.Error{}} on
the first failure.
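The functions above compose into an ingest path that fails closed: parse, validate, redact for the sink, then serialize. This is an added example, not code from the library or its documentation. The module name MyApp.OCSFIngest and the function to_sink_json/2 are hypothetical, and the %OCSF.Policy{} is taken as an argument because this page does not show how a policy is built.

```elixir
defmodule MyApp.OCSFIngest do
  @moduledoc """
  Hypothetical wrapper (not part of the library): turn a decoded OCSF map
  into redacted JSON for one sink, rejecting anything that fails validation.
  """

  require Logger

  @spec to_sink_json(map(), OCSF.Policy.t()) ::
          {:ok, iodata()} | {:error, OCSF.Error.t()}
  def to_sink_json(raw, policy) when is_map(raw) do
    # from_map/1 and validate/1 both return tagged tuples, so `with`
    # stops at the first failure and no unvalidated event reaches the sink.
    with {:ok, event} <- OCSF.from_map(raw),
         {:ok, event} <- OCSF.validate(event) do
      json =
        event
        # Redact before serializing, so the sink only ever receives
        # what its policy allows.
        |> OCSF.redact(policy)
        |> OCSF.to_json()

      {:ok, json}
    else
      {:error, %OCSF.Error{} = error} ->
        # Log the error struct rather than the raw map: the rejected
        # input has not been through the sink policy.
        Logger.warning("OCSF event rejected: #{inspect(error)}")
        {:error, error}
    end
  end
end
```

Because validate/1 returns on the first failure, a caller that needs every problem in a malformed event has to fix and resubmit one error at a time.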
@spec version() :: String.t()
Return the OCSF schema version this library targets.
Examples
iex> OCSF.version()
"1.8.0"