
Tenzir MCP Server

Official
by tenzir

Add OCSF mapping to parser

make_ocsf_mapping
Idempotent

Map security logs to the OCSF standard to normalize data from multiple sources into a common schema, making it compatible with OCSF-aware tools.

Instructions

Add OCSF mapping to a TQL parsing pipeline.

Use this tool when:

  • You need to map security logs to the OCSF standard

  • You're normalizing data from multiple sources into a common schema

  • You want to make your data compatible with OCSF-aware tools

  • You need guidance on OCSF class selection and field mapping

Follow the workflow instructions provided in the response.

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| sample | Yes | Sample log events to generate OCSF mapping from | |
| ctx | No | | |

Implementation Reference

  • The complete implementation of the make_ocsf_mapping tool. This includes the @mcp.tool decorator for registration, inline schema definition for the 'sample' parameter, and the handler logic that loads a prompt template, appends the sample data, and returns a structured ToolResult for generating OCSF mappings.
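    from pathlib import Path
    from typing import Annotated, Any

    from pydantic import Field

    # `mcp`, `logger` and `ToolResult` come from the server package's own imports,
    # which this excerpt does not show.
    @mcp.tool(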
        name="make_ocsf_mapping",
        tags={"coding"},
        annotations={
            "title": "Add OCSF mapping to parser",
            "readOnlyHint": False,
            "idempotentHint": True,
            "openWorldHint": False,
        },
    )
    async def make_ocsf_mapping(
        sample: Annotated[
            str, Field(description="Sample log events to generate OCSF mapping from")
        ],
        ctx: Any = None,
    ) -> ToolResult:
        """Add OCSF mapping to a TQL parsing pipeline.
    
        Use this tool when:
        - You need to map security logs to the OCSF standard
        - You're normalizing data from multiple sources into a common schema
        - You want to make your data compatible with OCSF-aware tools
        - You need guidance on OCSF class selection and field mapping
    
        Follow the workflow instructions provided in the response."""
        try:
            # Read the instructions from prompts directory
            prompt_file = (
                Path(__file__).parent.parent.parent / "prompts" / "make_ocsf_mapping.md"
            )
            assert prompt_file.exists(), f"Prompt file must exist: {prompt_file}"
            prompt = prompt_file.read_text()
    
            content = prompt
            content += "\n\n"
            content += "# Sample Data\n\n"
            content += "```\n"
            content += sample
            content += "\n```\n"
    
            structured_content = {
                "workflow": prompt,
                "sample": sample,
            }
    
            return ToolResult(content=content, structured_content=structured_content)
    
        except Exception as e:
            error_msg = f"Failed to generate OCSF mapping: {e}"
            logger.error(error_msg)
            return ToolResult(
                content=f"Error: {error_msg}", structured_content={"error": error_msg}
            )
  • The @mcp.tool decorator registers the make_ocsf_mapping tool with name, tags, and annotations.
    @mcp.tool(
        name="make_ocsf_mapping",
        tags={"coding"},
        annotations={
            "title": "Add OCSF mapping to parser",
            "readOnlyHint": False,
            "idempotentHint": True,
            "openWorldHint": False,
        },
    )
  • Input schema defined using Annotated[str, Field(...)] for the 'sample' parameter.
    sample: Annotated[
        str, Field(description="Sample log events to generate OCSF mapping from")
    ],
    ctx: Any = None,
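
The handler above wraps `sample` in fixed three-backtick fences, so a line of backticks inside an untrusted log sample closes the fence early for any Markdown-style reader of the result. The following is an added example, not Tenzir's code, that sizes the fence to the sample instead; `naive_block`, `safe_block`, `lines_outside_fence` and the sample events are hypothetical names and constructed data.

```python
import re

TICKS = "`" * 3

# Constructed sample: a multi-line event whose free text contains a backtick line.
SAMPLE = "\n".join([
    "2024-05-01T10:00:00Z sshd[811]: Accepted publickey for alice",
    "2024-05-01T10:00:05Z app[42]: user-supplied comment follows",
    TICKS,
    "text after the backtick line",
])


def naive_block(sample: str) -> str:
    """Same layout as the handler on this page: fixed three-backtick fences."""
    return f"{TICKS}\n{sample}\n{TICKS}\n"


def safe_block(sample: str) -> str:
    """Use a fence one backtick longer than the longest run inside the sample."""
    longest = max((len(run) for run in re.findall(r"`+", sample)), default=0)
    fence = "`" * max(3, longest + 1)
    return f"{fence}\n{sample}\n{fence}\n"


def lines_outside_fence(content: str) -> list[str]:
    """Non-empty lines a CommonMark-style reader treats as prose, not code."""
    outside, open_len = [], 0
    for line in content.splitlines():
        m = re.match(r"^ {0,3}(`{3,})(.*)$", line)
        if open_len == 0:
            if m and "`" not in m.group(2):
                open_len = len(m.group(1))      # opening fence
            elif line.strip():
                outside.append(line)            # read as prose
        elif m and len(m.group(1)) >= open_len and not m.group(2).strip():
            open_len = 0                        # closing fence
    return outside


if __name__ == "__main__":
    print("naive:", lines_outside_fence(naive_block(SAMPLE)))
    print("safe: ", lines_outside_fence(safe_block(SAMPLE)))
```

With the fixed fence, the last sample line is read as prose next to the workflow text; with the sized fence, every sample line stays inside the code block.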
Behavior: 4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The description adds valuable context beyond annotations: it explains the tool's purpose in mapping and normalizing data, mentions guidance on OCSF class selection, and references a workflow in the response. Annotations cover idempotency (idempotentHint: true) and mutability (readOnlyHint: false), but the description doesn't contradict them and enhances understanding of the tool's behavior.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured and front-loaded with the core purpose, followed by bullet-point guidelines and a workflow note. Every sentence earns its place by providing essential information without redundancy, making it efficient and easy to parse.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (mapping and normalization tasks), lack of output schema, and partial parameter coverage, the description is mostly complete. It covers purpose, usage, and behavioral context but falls short on parameter details. It adequately supports agent understanding but could be improved with parameter explanations.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 50% schema description coverage (only 'sample' parameter has a description, 'ctx' lacks one), the description does not compensate by explaining parameters. It mentions 'sample log events' indirectly but adds no details on format or usage. Baseline is 3 as the schema provides partial coverage, but the description fails to fill gaps.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the specific action ('Add OCSF mapping') and target resource ('to a TQL parsing pipeline'), distinguishing it from siblings like 'make_parser' (which creates parsers) or 'ocsf_get_class' (which retrieves OCSF class definitions). It precisely defines what the tool does without being tautological.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides explicit 'Use this tool when' guidelines with four specific scenarios, including when to use it (e.g., mapping security logs to OCSF standard, normalizing data) and implicitly when not to (e.g., for retrieving OCSF classes, which is covered by sibling tools like 'ocsf_get_class'). It offers clear context for selection.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
