Using Templates

What are Templates?

Templates in the OCSF Mapping App are pre-configured mappings for common log sources. They provide an excellent starting point for new users and help accelerate the mapping process. Each template includes:

  • Sample logs from the specific log source
  • Pre-configured parsing rules (if needed)
  • Mapping rules to OCSF format
  • Documentation about the log format

Available Templates

We are constantly updating the template library with help from the OCSF community:

  • AWS CloudTrail
  • GitHub Audit Logs
  • Cisco ASA
  • Windows Event Logs
  • Zeek
  • And many more...

Creating a Mapping from a Template

To create a new mapping from a template:

  1. Click the "New Mapping" button from your project dashboard
  2. Select "From Template" from the options presented
  3. Browse through the available templates
  4. Select the template that matches your log source

Working with Templates

Once you've selected a template:

  1. Review the Sample Logs: Each template includes example logs that demonstrate the expected format
  2. Test with Your Logs: You can add your own logs to verify the mapping works correctly
  3. Customize as Needed: Templates are fully editable, so you can modify parsing rules and mapping configurations to match your specific needs

Adding Your Own Logs

To test the template with your logs:

  1. Navigate to the "Logs" tab in the mapping editor
  2. Click the "+" icon to add new log entries
  3. Paste your log samples
  4. Verify the parsing and mapping results

Modifying Template Rules

If you need to adjust the template:

  1. Go to the "Rules" tab
  2. Use either Visual Mode or Code Mode to modify the rules
  3. Test your changes with sample logs

Best Practices for Using Templates

  1. Start with the Closest Match: Choose the template that most closely matches your log source
  2. Verify with Your Logs: Always test the template with your actual logs before deploying
  3. Document Changes: Keep track of any modifications you make to the template
  4. Share Improvements: If you enhance a template, consider contributing back to the template library

Downloading and Using the Mapping

Once you've customized the template to your needs:

  1. Click the "Download Expression" button
  2. The mapping configuration can be directly used with ZephFlow
  3. For implementation guidance, refer to the ZephFlow Cisco ASA to OCSF tutorial

Need Help?

If you can't find a template for your log source or need assistance:

  1. Check the JSON Mapping Guide for creating mappings from scratch
  2. Review the Text Mapping Guide for handling unstructured logs
  3. Contact support for assistance with specific log formats