Convert data to OCSF format using Ingest Processor
The Open Cybersecurity Schema Framework (OCSF) captures the information that is most meaningful for security use cases and applications.
You can create an Ingest Processor pipeline that converts your data from a raw text format to the Open Cybersecurity Schema Framework (OCSF) format.
OCSF is a framework that defines standardized schemas for cybersecurity events. These schemas capture the information from your event data that is most meaningful for security use cases such as threat detection. The information gets stored in a JSON-like object format that is normalized to be agnostic of data source and storage method. By converting your data to OCSF format, you ensure that the data can be used effectively in security applications such as Splunk Enterprise Security.
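To make the normalization concrete, the following Python script is an added illustration and not code from the Splunk documentation or from the Ingest Processor itself. It takes two constructed raw events, one sshd syslog line and one Windows Security logon event rendered as JSON, and maps both to the same OCSF Authentication object (class_uid 3002 in the Identity & Access Management category), using attribute names and enum values from the public OCSF schema. The regular expressions, the year assumed for the syslog timestamp, the product names and the sample input are assumptions made for this example.

```python
import json
import re
from datetime import datetime, timezone

# Constants from the OCSF schema (https://schema.ocsf.io): the Authentication
# event class belongs to the Identity & Access Management category.
OCSF_VERSION = "1.1.0"
CATEGORY_IAM = 3
CLASS_AUTHENTICATION = 3002
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEVERITY_INFORMATIONAL = 1
REQUIRED = ("category_uid", "class_uid", "activity_id", "type_uid",
            "severity_id", "time", "metadata")

# Constructed sample input: one syslog line from sshd and one JSON-rendered
# Windows Security event. Neither is real captured data.
SSHD_LINE = ("Mar 13 10:15:42 bastion sshd[2211]: Failed password for "
             "invalid user admin from 203.0.113.7 port 51234 ssh2")
WINLOG_JSON = ('{"EventID": 4625, "TimeCreated": "2024-03-13T10:16:00Z", '
               '"TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "Computer": "WS01"}')

# Assumed sshd message shape; real deployments need more patterns than this.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def _authentication_event(time_ms, status_id, user, src_ip, host, product, raw):
    """Build the source-agnostic OCSF Authentication (Logon) object."""
    return {
        "category_uid": CATEGORY_IAM,
        "class_uid": CLASS_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        # OCSF defines type_uid as class_uid * 100 + activity_id
        "type_uid": CLASS_AUTHENTICATION * 100 + ACTIVITY_LOGON,
        "severity_id": SEVERITY_INFORMATIONAL,
        "status_id": status_id,
        "time": time_ms,  # epoch milliseconds, UTC
        "metadata": {"version": OCSF_VERSION, "product": {"name": product}},
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "dst_endpoint": {"hostname": host},
        "raw_data": raw,  # keep the original text for forensics
    }


def sshd_to_ocsf(line, year=2024):
    """Map an sshd 'Accepted/Failed password' line to an OCSF Authentication event."""
    m = SSHD_RE.match(line)
    if m is None:
        raise ValueError("unrecognized sshd line")
    # syslog timestamps carry no year; the caller supplies it (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    status = STATUS_SUCCESS if m["outcome"] == "Accepted" else STATUS_FAILURE
    return _authentication_event(int(ts.timestamp() * 1000), status,
                                 m["user"], m["ip"], m["host"], "OpenSSH", line)


def winlog_to_ocsf(text):
    """Map a Windows Security logon event (4624 success / 4625 failure)."""
    ev = json.loads(text)
    if ev["EventID"] not in (4624, 4625):
        raise ValueError("not a logon event")
    ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    status = STATUS_SUCCESS if ev["EventID"] == 4624 else STATUS_FAILURE
    return _authentication_event(int(ts.timestamp() * 1000), status,
                                 ev["TargetUserName"], ev["IpAddress"],
                                 ev["Computer"], "Microsoft Windows", text)


def missing_required(event):
    """Return the required OCSF base-event attributes the object lacks, if any."""
    return [f for f in REQUIRED if f not in event]


if __name__ == "__main__":
    for ev in (sshd_to_ocsf(SSHD_LINE), winlog_to_ocsf(WINLOG_JSON)):
        assert not missing_required(ev)
        print(json.dumps(ev, indent=2))
```

Both outputs carry the same set of top-level attributes, which is what lets a detection written against `class_uid`, `status_id` and `src_endpoint.ip` run unchanged over either source. The `missing_required` check is the minimal completeness test to run before an event is forwarded to a consumer such as Splunk Enterprise Security.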
To learn more about how to work with OCSF data, see the following pages:
- For information about how the Ingest Processor converts the data and how the output is affected by certain configuration settings, see OCSF data conversion process.
- For a list of the source types and event types that the Ingest Processor supports for converting data into OCSF format, see Supported source types and event types.
- For a high-level overview of how to configure the Splunk platform and Splunk Enterprise Security to work with OCSF data, see Working with OCSF-formatted data in the Splunk platform and Splunk Enterprise Security.
- For instructions on how to configure an Ingest Processor pipeline that converts incoming data to OCSF format, see Convert data in the "_raw" field to OCSF format and Convert data in a specified event field to OCSF format.
See also
- The OCSF: Open Cybersecurity Schema Framework on Splunk Blogs
- "Understanding the Open Cybersecurity Schema Framework" on GitHub: https://github.com/ocsf/ocsf-docs/blob/main/Understanding%20OCSF.md
- The OCSF schema browser: https://schema.ocsf.io