MCP Server
The OCSF Mapping App MCP server enables programmatic access to mapping creation, log segregation, transformation, and validation capabilities through a comprehensive set of tools for automated log normalization workflows.
MCP server for mapping security logs to standardized schemas.
Quickstart
Create an API key at app.ocsf.fleak.ai/settings/api-keys. Then add the server to your MCP client config (see below for your platform-specific setup). There are two main top level workflows available.
Single log type (one mapping)
Use this when all logs are from the same source and you want a single mapping.
- Call
create_mappingwith logs and a spec.schema_typedefaults toocsf. - Poll
get_mapping_statusuntilcompleted. - Use
get_mapping_rules,transform_logs, andvalidate_logs.
Mixed logs (segregate and map)
Use this when logs are mixed/unknown and you want one mapping per log type.
- Call
segregate_logswithraw_contentand aseparator. - Poll
get_segregation_statusuntilCOMPLETED. - Review/edit groups with
update_segregation_group,create_segregation_group, and log reassignment tools. - Create a project with
create_new_project. - Call
create_mappings_from_segregation_groups. - Poll
get_mapping_statusfor each mapper.
Optional: call list_schemas to see additional schemas available to your key.
Agent Skill
We provide a SKILL.md file for agents to use as a structured workflow. It makes the
agent’s work easier by providing a clear, step-by-step playbook for MCP usage.
You can find it here: SKILL.md
Learn more about skills at agentskills.io.
Server Info
| Property | Value |
|---|---|
| Name | Fleak Mapper |
| Transport | HTTP (Stateless) |
| Protocol | MCP (Model Context Protocol) |
Configuration
Claude Desktop / Claude Code
{
"mcpServers": {
"fleak": {
"url": "https://api.ocsf.fleak.ai/mcp",
"type": "http",
"headers": {
"X-API-Key": "<your-api-key>"
}
}
}
}
Cursor
File: ~/.cursor/mcp.json or .cursor/mcp.json
{
"mcpServers": {
"fleak": {
"url": "https://api.ocsf.fleak.ai/mcp",
"headers": {
"X-API-Key": "<your-api-key>"
}
}
}
}
VS Code (Copilot)
File: .vscode/mcp.json
{
"servers": {
"fleak": {
"type": "http",
"url": "https://api.ocsf.fleak.ai/mcp",
"headers": {
"X-API-Key": "<your-api-key>"
}
}
}
}
Windsurf
File: ~/.codeium/windsurf/mcp_config.json
{
"mcpServers": {
"fleak": {
"serverUrl": "https://api.ocsf.fleak.ai/mcp",
"headers": {
"X-API-Key": "<your-api-key>"
}
}
}
}
Gemini CLI
File: ~/.gemini/settings.json
{
"mcpServers": {
"fleak": {
"httpUrl": "https://api.ocsf.fleak.ai/mcp",
"headers": {
"X-API-Key": "<your-api-key>"
}
}
}
}
URL
https://api.ocsf.fleak.ai/mcp
Authentication
All requests require the X-API-Key header. API keys are created and managed at
app.ocsf.fleak.ai.
Response Schema
All tools return a BaseResponse envelope:
{
"data": { },
"error": null
}
When an error occurs, error is populated with:
{
"detail": "Error message",
"errors": "Optional details"
}
Supported Schemas
OCSF is the default schema. For the full list of schemas available to your key, call list_schemas.
Tools
Mapping Workflow
create_mapping
Start mapping generation from logs and spec. Returns mapper_id for polling.
| Parameter | Type | Required | Description |
|---|---|---|---|
logs | list[dict | str] | Yes | Input logs (all JSON objects or all strings for text logs) |
spec | str | Yes | Mapping instructions describing how to transform the logs |
schema_type | str | No | Target schema type. Defaults to ocsf |
schema_version | str | No | Schema version override |
destination_language | str | No | Output rule language (feel, xql). Defaults to feel |
field_level | str | No | Field requirement level: required, recommended, optional. Defaults to recommended |
project_id | UUID | No | Project ID to associate the mapping with |
Response:
{
"data": {
"mapper_id": "uuid"
},
"error": null
}
get_mapping_status
Get current mapping status and error details if failed.
| Parameter | Type | Required | Description |
|---|---|---|---|
mapper_id | UUID | Yes | The mapper ID returned from create_mapping |
Response:
{
"data": {
"mapper_id": "uuid",
"status": "completed",
"error": null
},
"error": null
}
Status values:
initializedgetting_classesmapping_in_progressregeneratingcompletedfailed
get_mapping_rules
Return the mapping expression.
| Parameter | Type | Required | Description |
|---|---|---|---|
mapper_id | UUID | Yes | The mapper ID |
pretty | bool | No | Set to true to prettify the output. Defaults to false |
Response:
{
"data": {
"expression": "..."
},
"error": null
}
transform_logs
Transform input logs using the mapping rules.
| Parameter | Type | Required | Description |
|---|---|---|---|
mapper_id | UUID | Yes | The mapper ID |
logs | list[dict | str] | Yes | Input logs to transform |
Response:
{
"data": [
{
"raw": { },
"transformed": { },
"error": null
}
],
"error": null
}
validate_logs
Validate logs against the target schema using the mapping rules.
| Parameter | Type | Required | Description |
|---|---|---|---|
mapper_id | UUID | Yes | The mapper ID |
logs | list[dict | str] | Yes | Input logs to validate |
Response:
{
"data": [
{
"log_index": 0,
"is_valid": true,
"errors": null,
"warnings": null,
"error_count": 0,
"warning_count": 0
}
],
"error": null
}
regenerate_field_mapping
Regenerate a field mapping using optional feedback.
| Parameter | Type | Required | Description |
|---|---|---|---|
mapper_id | UUID | Yes | The mapper ID |
field_path | str | Yes | Dot-notation path to the field (e.g., actor.user.name) |
feedback | str | No | Instructions for how to improve the mapping |
Response:
{
"data": {
"value": "...",
"explanation": "..."
},
"error": null
}
get_mapping_metadata
Return field-level metadata such as confidence scores and explanations.
| Parameter | Type | Required | Description |
|---|---|---|---|
mapper_id | UUID | Yes | The mapper ID |
Response:
{
"data": {
"field.path": {
"confidence": 0.95,
"explanation": "Mapped from source.field"
}
},
"error": null
}
get_validation_errors
Validate a mapping against its stored logs. Returns errors and warnings grouped by field path.
| Parameter | Type | Required | Description |
|---|---|---|---|
mapper_id | UUID | Yes | The mapper ID |
Response:
{
"data": {
"errors_by_field": { },
"warnings_by_field": { },
"total_errors": 0,
"total_warnings": 0,
"log_count": 0,
"valid_count": 0
},
"error": null
}
get_field_expression
Get a single field's expression and metadata from a mapping.
| Parameter | Type | Required | Description |
|---|---|---|---|
mapper_id | UUID | Yes | The mapper ID |
field_path | str | Yes | Dot-notation path to the field |
Response:
{
"data": {
"field_path": "actor.user.name",
"expression": "...",
"node_type": "PRIMARY",
"explanation": "...",
"confidence": 0.95
},
"error": null
}
test_expression
Test a FEEL expression against logs. If logs are omitted, the mapping's stored logs are used.
| Parameter | Type | Required | Description |
|---|---|---|---|
mapper_id | UUID | Yes | The mapper ID |
expression | str | Yes | FEEL expression to test |
logs | list[dict] | No | Input logs to test against |
Response:
{
"data": {
"results": [
{
"log_index": 0,
"output": "...",
"error": null
}
]
},
"error": null
}
Parser Workflow
generate_parser_config
Start parser config generation from raw logs. Returns task_id for polling.
| Parameter | Type | Required | Description |
|---|---|---|---|
raw_logs | list[str] | Yes | Raw text logs |
seed_parser_config | list[dict] | No | Optional seed parser config |
instructions | str | No | Optional instructions for parser generation |
spec_text | str | No | Optional spec text |
Response:
{
"data": {
"task_id": "uuid",
"status": "pending"
},
"error": null
}
get_parser_generation_status
Get parser generation status and result if completed.
| Parameter | Type | Required | Description |
|---|---|---|---|
task_id | UUID | Yes | The task ID |
Response (completed):
{
"data": {
"task_id": "uuid",
"status": "completed",
"result": {
"parser_config": [],
"success": true,
"confidence": "high",
"reasoning": "...",
"extracted_fields": [],
"iterations": 1
}
},
"error": null
}
parse_logs
Parse logs using parser_config.
| Parameter | Type | Required | Description |
|---|---|---|---|
logs | list[str] | Yes | Raw text logs |
parser_config | list[dict] | Yes | Parser configuration |
Response:
{
"data": [
{ }
],
"error": null
}
Log Segregation Workflow
Segregate a mixed log file into groups, then create mappings per group.
Typical flow: segregate_logs -> poll get_segregation_status -> adjust groups
-> create_new_project -> create_mappings_from_segregation_groups.
segregate_logs
Upload logs and start automatic segregation into groups by log type.
| Parameter | Type | Required | Description |
|---|---|---|---|
raw_content | str | Yes | Combined log content as a single string |
separator | str | Yes | Separator string to split individual logs |
schema_type | str | No | Target schema type. Defaults to ocsf |
schema_version | str | No | Schema version override |
user_instructions | str | No | Optional instructions to guide grouping |
Response:
{
"data": {
"session_id": "uuid",
"status": "PENDING",
"total_logs": 123
},
"error": null
}
get_segregation_status
Get segregation session status, groups, and processing progress.
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | UUID | Yes | The segregation session ID |
Response:
{
"data": {
"id": "uuid",
"status": "COMPLETED",
"groups": [ { } ],
"progress": { },
"unassigned_count": 0
},
"error": null
}
restart_segregation_session
Restart log segregation with new instructions. Returns a new session_id to poll.
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | UUID | Yes | The segregation session ID |
user_instructions | str | No | Updated instructions |
Response:
{
"data": {
"session_id": "uuid",
"status": "PENDING",
"total_logs": 123,
"user_instructions": "..."
},
"error": null
}
update_segregation_group
Update a group's vendor, product, log_type, subtype, or spec.
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | UUID | Yes | The segregation session ID |
group_id | UUID | Yes | Group ID |
vendor | str | No | Vendor name |
product | str | No | Product name |
log_type | str | No | Log type |
subtype | str | No | Log subtype |
spec | str | No | Mapping spec text |
create_segregation_group
Create a manual log group in a segregation session.
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | UUID | Yes | The segregation session ID |
caption | str | Yes | Display name for the group |
description | str | Yes | Description of the group |
vendor | str | Yes | Vendor name |
product | str | Yes | Product name |
log_type | str | Yes | Log type |
patterns | list[str] | Yes | Key patterns for this group |
log_count | int | Yes | Number of logs in the group |
confidence_score | float | Yes | Confidence for this group |
characteristics | dict | Yes | Group characteristics |
sample_logs | list[str] | Yes | Sample logs |
subtype | str | No | Log subtype |
suggested_event_type_id | `str | int` | No |
event_type_name | str | No | Event type name |
schema_mapping_confidence | float | No | Confidence in schema mapping |
get_segregation_group_logs
Get logs assigned to a specific group.
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | UUID | Yes | The segregation session ID |
group_id | UUID | Yes | Group ID |
Response:
{
"data": {
"logs": [
{ "id": "uuid", "content": "...", "index": 0 }
],
"total_count": 1
},
"error": null
}
get_segregation_unassigned_logs
Get logs not assigned to any group.
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | UUID | Yes | The segregation session ID |
Response:
{
"data": {
"logs": [
{ "id": "uuid", "content": "...", "index": 0 }
],
"total_count": 1
},
"error": null
}
remove_segregation_logs
Remove logs from a group. Removed logs become unassigned.
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | UUID | Yes | The segregation session ID |
group_id | UUID | Yes | Group ID |
log_ids | list[UUID] | Yes | Logs to remove |
Response:
{
"data": {
"removed_count": 2,
"new_log_count": 10
},
"error": null
}
move_segregation_logs
Move logs from one group to another.
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | UUID | Yes | The segregation session ID |
group_id | UUID | Yes | Source group ID |
target_group_id | UUID | Yes | Target group ID |
log_ids | list[UUID] | Yes | Logs to move |
Response:
{
"data": {
"moved_count": 2,
"source_log_count": 8,
"target_log_count": 12
},
"error": null
}
assign_segregation_logs
Assign unassigned logs to a group.
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | UUID | Yes | The segregation session ID |
group_id | UUID | Yes | Group ID |
log_ids | list[UUID] | Yes | Logs to assign |
Response:
{
"data": {
"assigned_count": 2,
"new_log_count": 12
},
"error": null
}
create_mappings_from_segregation_groups
Create mappings from selected segregation groups. Each group becomes a separate mapping.
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | UUID | Yes | The segregation session ID |
group_ids | list[UUID] | Yes | Group IDs |
project_id | UUID | Yes | Project ID |
process_now | bool | No | Start processing immediately or create as pending |
schema_type | str | No | Override session schema_type |
schema_version | str | No | Override session schema_version |
field_level | str | No | Field requirement level |
Response:
{
"data": {
"created_mappings": [
{ "mapper_id": "uuid", "name": "...", "status": "processing" }
]
},
"error": null
}
Projects
create_new_project
Create a new project to organize mappings.
| Parameter | Type | Required | Description |
|---|---|---|---|
name | str | Yes | Project name |
description | str | No | Project description |
Response:
{
"data": {
"project_id": "uuid",
"name": "My Project"
},
"error": null
}
Schema Discovery
list_schemas
List schema types available to the API key.
Response:
{
"data": [
{
"name": "ocsf",
"display_name": "OCSF",
"description": "...",
"version": "latest"
}
],
"error": null
}
get_schema_info
Get metadata, terminology, and capabilities for a schema.
| Parameter | Type | Required | Description |
|---|---|---|---|
schema_type | str | Yes | Schema type (e.g., ocsf) |
Response:
{
"data": {
"id": "ocsf",
"name": "OCSF",
"description": "...",
"version": "latest",
"terminology": {
"event_type": "class",
"event_types": "classes"
},
"capabilities": {
"needs_classification": true
},
"event_type_field_name": "class_uid"
},
"error": null
}
get_schema_versions
List available versions for a schema.
| Parameter | Type | Required | Description |
|---|---|---|---|
schema_type | str | Yes | Schema type |
Response:
{
"data": ["1.6.0", "1.5.0", "1.4.0", "1.3.0"],
"error": null
}
get_schema_event_types
List available event types for a schema version.
| Parameter | Type | Required | Description |
|---|---|---|---|
schema_type | str | Yes | Schema type |
version | str | No | Schema version. Defaults to latest |
search_schema_event_types
Search event types by id or display name for a schema version.
| Parameter | Type | Required | Description |
|---|---|---|---|
schema_type | str | Yes | Schema type |
q | str | Yes | Search query |
version | str | No | Schema version. Defaults to latest |
get_field_definition
Get schema field definition including type, description, enum values, and child fields.
| Parameter | Type | Required | Description |
|---|---|---|---|
schema_type | str | Yes | Schema type |
field_path | str | Yes | Dot-notation path to the field |
event_type_id | str | No | Event type ID (required for OCSF) |
version | str | No | Schema version |
Notes
- Mapping generation and validation can take 1-2 minutes depending on complexity.
- Logs must be homogeneous: either all JSON objects or all strings.
- For segregation mappings,
process_now=truerequires auto-generation to be enabled for your account.