Data Model Primer

Understanding OCSF and how FSQL uses it

What is OCSF?

The Open Cybersecurity Schema Framework (OCSF) is a vendor-neutral schema for representing security telemetry. Every FSQL query operates on OCSF events — regardless of which data source the data comes from, it is normalized into OCSF before you see it.

This means you write one query and it works across Splunk, CrowdStrike, Okta, AWS CloudTrail, Microsoft Sentinel, and any other connected platform. You don't need to know the native field names of each source.

Primer vs. Reference: Use this page to learn how the model is organized and how to build queries quickly. Use [Query Data Model Reference](../Query Data Model Reference/about-the-query-data-model) for the complete, field-level source of truth (events, objects, types, categories, and enum values).

Event Classes

OCSF organizes security data into event classes. Each class represents a type of activity. Here are the ones you'll use most often:

| Event Class | Description | Example Use |
|---|---|---|
| authentication | Login and authentication events | Failed logins, MFA challenges, SSO activity |
| process_activity | Process creation, termination, injection | Suspicious command lines, malware execution |
| network_activity | Network connections and flows | Lateral movement, C2 traffic, unusual ports |
| dns_activity | DNS queries and responses | Domain lookups, DNS tunneling, DGA detection |
| http_activity | HTTP requests and responses | Web shell access, API abuse, user-agent anomalies |
| file_activity | File create, modify, delete, read | Ransomware behavior, data staging, dropper activity |
| email_activity | Email send, receive, scan | Phishing campaigns, BEC, exfiltration via email |
| detection_finding | Alerts and detections from security tools | Correlating alerts across EDR, SIEM, cloud |
| account_change | Account create, modify, delete | Privilege escalation, unauthorized account creation |
| api_activity | API calls (especially cloud) | Cloud enumeration, IAM changes, resource creation |
| ssh_activity | SSH sessions | Remote access, tunneling, lateral movement |
| inventory_info | Asset and device inventory | Compliance checks, asset lookups |

Event Categories

Events are grouped into categories. Use the # selector to query an entire category at once:

| Category | Events Included |
|---|---|
| #network | network_activity, dns_activity, http_activity, ssh_activity, and more |
| #iam | authentication, account_change, authorize_session, and more |
| #findings | detection_finding, security_finding, vulnerability_finding |
| #application | api_activity, web_resources_activity, and more |

For example, to select every failed event in the network category:

QUERY #network.**
WITH #network.status_id = FAILURE

Anatomy of an OCSF Path

Every field in FSQL is addressed by an OCSF path:

event_class.object.attribute

For example:

| Path | Meaning |
|---|---|
| authentication.user.username | The username from an authentication event |
| network_activity.dst_endpoint.ip | The destination IP of a network connection |
| process_activity.process.cmd_line | The command line of a spawned process |
| detection_finding.evidences.file.hashes.value | A file hash from alert evidence |

Objects can be nested. The src_endpoint and dst_endpoint objects appear in many event classes and always have the same structure (IP, port, hostname, etc.), which is what makes cross-source querying work.

Discovering Available Fields

Use EXPLAIN commands to explore the schema without running a search:

See what fields an attribute selector expands to

EXPLAIN ATTRIBUTES authentication.*

Get the schema definition for specific fields

EXPLAIN SCHEMA network_activity.dst_endpoint.ip

List your available connectors and what events they support

EXPLAIN CONNECTORS

Each connector in the output carries an alias (a stable, immutable identifier) and any tags that group it with related connectors. Both can be used as references in a FROM clause — see Data Sources (FROM).

For full details on these commands, see Other Commands.

Finding Valid Enumeration Values

Many OCSF fields are enumerations (enum) such as status_id, activity_id, severity_id, and os.type_id. In FSQL, enum values are written as tokens (for example FAILURE, LOGON, MACOS) and usually do not need quotes.

Use this workflow when you are not sure which enum value is valid:

  1. Identify the exact OCSF field path in your query (for example authentication.device.os.type_id).
  2. Open [Query Data Model Reference](../Query Data Model Reference/about-the-query-data-model).
  3. Go to the matching event and object page (for example authentication -> device -> os).
  4. Find the field and review its documented enum values.

Use EXPLAIN SCHEMA <path> to confirm that a field is an enum in your current environment, then use Query Data Model Reference as the authoritative list of valid values.

EXPLAIN SCHEMA authentication.device.os.type_id

Mapping Common Security Concepts to OCSF

When investigating, you often think in terms of security concepts rather than field names. Here's how those concepts map to OCSF paths:

| Security Concept | OCSF Path(s) | Entity Shortcut |
|---|---|---|
| Source IP | *.src_endpoint.ip | %ip |
| Destination IP | *.dst_endpoint.ip | %ip |
| Destination port | *.dst_endpoint.port | %port |
| Username | *.user.username, *.user.name | %username |
| Email address | *.user.email_addr, *.email.from | %email |
| Hostname | *.device.hostname, *.src_endpoint.hostname | %hostname |
| File hash (any algorithm) | *.file.hashes.value, *.process.file.hashes.value | %hash |
| Command line | *.process.cmd_line | %command_line |
| Process name | *.process.name | %processname |
| File name | *.file.name | %filename |
| URL | *.url | %url |
| Country | *.location.country | %country |

Tip: When you're unsure of the exact path, start with an entity shortcut (%ip, %username, etc.). It searches all mapped fields of that type across the schema, and many connectors have optimizations for entity searches. You can refine to specific paths later if you need precision.

Next Steps

  • Entities — full list of entity (observable) shortcuts available in FSQL.
  • Attribute Selectors — wildcards, path expansions, and filters for targeting exactly the fields you need.
  • Query Syntax Reference — how to build queries using OCSF paths.