Data Normalization (OCSF)

One schema to rule them all

Normalize security telemetry to OCSF in real-time. Break down vendor silos and enable cross-tool correlation with a universal, open security schema backed by AWS, Splunk, IBM, and 100+ vendors.

OCSF 1.3

Schema coverage

100+

Vendor formats mapped

Real-time

Normalization latency

The Problem

The proprietary schema lock-in

Every security tool speaks its own language, from Splunk CIM to Microsoft ASIM. This fragmentation creates silos that lock you into proprietary ecosystems. Switching SIEMs becomes a nightmare, as it requires rebuilding every rule, dashboard, and report from scratch, draining your team's time.
The Solution

Normalize once, use everywhere

Tenzir transforms proprietary vendor formats into OCSF as data flows through your pipeline. Write normalized data to any destination and enable true vendor-agnostic security analytics. When you change SIEMs (and you will) your data and rules come with you.
Native OCSF support

Map any vendor format to OCSF with built-in transformations. Full coverage of OCSF event classes: Network Activity, Security Finding, Authentication, System Activity, and more.

Bi-directional mapping

Convert to OCSF for storage and analytics, then transform back to vendor-specific formats when routing to tools that expect their native schema. Best of both worlds.

Schema evolution

Stay current as OCSF evolves. Tenzir tracks schema versions and handles migrations automatically. Your pipelines don't break when OCSF 1.4 ships.

Deep Dive

The universal translator for security schemas

Tenzir transforms proprietary vendor formats into OCSF as data flows through your pipeline. Write normalized data to any destination and enable true vendor-agnostic security analytics. When you change SIEMs (and you will) your data and rules come with you.

from file "/var/log/suricata/*.json"
| where event_type != "stats"
| where alert.severity > 2
| publish suricata-alerts
| to splunk
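
The pipeline above filters and routes Suricata alerts without showing a mapping step. As an added example (Python, not Tenzir's built-in mapping and not code from this page), the following normalizes one Suricata EVE alert to an OCSF 1.3 Detection Finding and lists required attributes that are missing, so incomplete events can be rejected before they are indexed. The severity mapping, the required-attribute subset and the sample record are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: Suricata priority (1 = most severe) -> OCSF severity_id.
SEVERITY = {1: 4, 2: 3, 3: 2}  # High, Medium, Low; otherwise 0 (Unknown)
# Assumed subset of the attributes OCSF marks as required for this class.
REQUIRED = ("class_uid", "category_uid", "activity_id", "type_uid", "time",
            "severity_id", "metadata.version", "metadata.product.name",
            "finding_info.uid", "finding_info.title")

def suricata_to_ocsf(eve):
    """Map one Suricata EVE alert to an OCSF Detection Finding (class 2004)."""
    if eve.get("event_type") != "alert" or not isinstance(eve.get("alert"), dict):
        raise ValueError("not a Suricata alert record")
    alert, sid = eve["alert"], eve["alert"].get("signature_id")
    ts = datetime.strptime(eve["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return {
        "class_uid": 2004, "category_uid": 2, "activity_id": 1,  # Create
        "type_uid": 2004 * 100 + 1,  # class_uid * 100 + activity_id
        "time": (ts - EPOCH) // timedelta(milliseconds=1),  # epoch milliseconds
        "severity_id": SEVERITY.get(alert.get("severity"), 0),
        "metadata": {"version": "1.3.0",
                     "product": {"name": "Suricata", "vendor_name": "OISF"}},
        "finding_info": {"uid": None if sid is None else str(sid),
                         "title": alert.get("signature")},
        "evidences": [{
            "src_endpoint": {"ip": eve.get("src_ip"), "port": eve.get("src_port")},
            "dst_endpoint": {"ip": eve.get("dest_ip"), "port": eve.get("dest_port")},
        }],
    }

def missing_required(event):
    """List required attribute paths that are absent or empty."""
    missing = []
    for path in REQUIRED:
        node = event
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node is None or node == "":
            missing.append(path)
    return missing

# Constructed sample record, not real telemetry.
SAMPLE_EVE = {
    "timestamp": "2024-05-01T12:00:00.000000+0000", "event_type": "alert",
    "src_ip": "192.0.2.10", "src_port": 51514,
    "dest_ip": "198.51.100.7", "dest_port": 443,
    "alert": {"signature_id": 9000001, "severity": 2,
              "signature": "EXAMPLE constructed signature"},
}
```

A detection written against `class_uid` and `severity_id` reads the same fields whichever product produced the alert; an event for which `missing_required` returns a non-empty list is better quarantined than forwarded.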

Why Tenzir delivers true normalization

SIEM-specific schemas (CIM, ASIM, ECS)

Most SIEMs have limited validation. Bad data gets indexed, consuming license and corrupting analytics. You find out during an investigation, when a rule should have fired but didn't.

Vendor-specific, not universal
No portability between tools
Detection rules tied to schema

Tenzir normalizes to OCSF: an open, vendor-neutral standard. Your data becomes truly portable. Detection rules written against OCSF work regardless of which SIEM you're using today or tomorrow.

Open standard (OCSF)
Full vendor portability
Future-proof investment
Integrations

Normalize any source to OCSF

Built-in mappings for CrowdStrike, Palo Alto, Okta, AWS CloudTrail, Microsoft Defender, Cisco, Fortinet, Zscaler, and 100+ more vendor formats. Output to any destination in OCSF or convert back to vendor schemas as needed.

Break free from schema fragmentation

Stop letting proprietary formats dictate your security architecture. Normalize to OCSF with Tenzir and unlock true data portability.
Explore Tenzir on your own

Start instantly with the Tenzir Community Edition. Log in to get hands-on with core features.

Read tutorial and guides

Our docs come with tutorials, explanations, and a rich reference. Everything you need to start.

Join the community

Share your thoughts and questions with our community of security and data enthusiasts.
