Tenzir MCP Server

Official
by tenzir

List OCSF event classes

ocsf_get_classes
Read-only, Idempotent

Retrieve OCSF event classes and descriptions for a specific schema version to identify suitable mappings for cybersecurity log data.

Instructions

Get all OCSF event classes and their descriptions for a specific schema version.

Use this tool to:

  • Browse available OCSF event classes before creating a mapping

  • Identify which class best matches your log data

  • Understand the purpose and scope of each event class

Once you identify a candidate class, use ocsf_get_class to see its complete schema with all fields and attributes.

Input Schema

| Name | Required | Description | Default |
|---|---|---|---|
| version | Yes | OCSF schema version (e.g., '1.6.0') | |

Implementation Reference

  • The @mcp.tool decorated async handler function that loads the OCSF schema, extracts event classes with descriptions, formats as markdown and structured JSON, with comprehensive error handling.
    @mcp.tool(
        name="ocsf_get_classes",
        tags={"ocsf"},
        annotations={
            "title": "List OCSF event classes",
            "readOnlyHint": True,
            "idempotentHint": True,
            "openWorldHint": False,
        },
    )
    async def ocsf_get_classes(
        version: Annotated[str, Field(description="OCSF schema version (e.g., '1.6.0')")],
    ) -> ToolResult:
        """Get all OCSF event classes and their descriptions for a specific schema version.
    
        Use this tool to:
        - Browse available OCSF event classes before creating a mapping
        - Identify which class best matches your log data
        - Understand the purpose and scope of each event class
    
        Once you identify a candidate class, use `ocsf_get_class` to see its
        complete schema with all fields and attributes."""
        try:
            schema = load_ocsf_schema(version)
    
            # Extract event classes from the schema
            event_classes = {}
    
            if "classes" in schema:
                for class_id, class_data in schema["classes"].items():
                    class_name = class_data.get("name", class_id)
                    description = class_data.get("description", "No description available")
                    event_classes[class_name] = description
    
            # Format as markdown list
            markdown_lines = [f"## OCSF Event Classes (v{version})\n"]
            for name, desc in sorted(event_classes.items()):
                markdown_lines.append(f"- **{name}**: {desc}")
    
            return ToolResult(
                content="\n".join(markdown_lines),  # Markdown list
                structured_content={"classes": event_classes, "version": version},  # JSON
            )
    
        except FileNotFoundError:
            error_msg = f"OCSF schema version {version} not found"
            logger.error(error_msg)
            return ToolResult(content=error_msg, structured_content={"error": error_msg})
        except json.JSONDecodeError as e:
            error_msg = f"Failed to parse OCSF schema for version {version}: {e}"
            logger.error(error_msg)
            return ToolResult(content=error_msg, structured_content={"error": error_msg})
        except Exception as e:
            error_msg = f"Failed to get OCSF event classes for version {version}: {e}"
            logger.error(error_msg)
            return ToolResult(content=error_msg, structured_content={"error": error_msg})
  • Helper utility to load and parse the OCSF schema JSON file for a given version from package resources.
    def load_ocsf_schema(version: str) -> dict[str, Any]:
        """
        Load and parse an OCSF schema for the specified version.
    
        Args:
            version: The OCSF schema version to load
    
        Returns:
            Dictionary containing the parsed OCSF schema
    
        Raises:
            FileNotFoundError: If the schema version is not found
            json.JSONDecodeError: If the schema JSON is invalid
            Exception: For other loading errors
        """
        schema_text = files("tenzir_mcp.data.ocsf").joinpath(f"{version}.json").read_text()
        schema: dict[str, Any] = json.loads(schema_text)
        return schema
  • Imports the ocsf_get_classes tool function for exposure via the package __init__.
    from .ocsf_get_classes import ocsf_get_classes
  • Input schema definition using Pydantic Annotated and Field for the version parameter.
        version: Annotated[str, Field(description="OCSF schema version (e.g., '1.6.0')")],
    ) -> ToolResult:
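
The `load_ocsf_schema` helper above builds the resource file name directly from the caller-supplied `version`, which the input schema types only as a string. The following added example (not Tenzir's code) shows one way to validate the value and resolve it only against bundled schema files before reading; `load_schema_checked`, `available_versions`, the version pattern and the temporary directory contents are assumptions made for illustration.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Any

# Assumption: schema files are named "<major>.<minor>.<patch>[-suffix].json",
# matching the '1.6.0' example in the tool's input schema.
VERSION_RE = re.compile(r"[0-9]+\.[0-9]+\.[0-9]+(?:-[a-z0-9]+(?:\.[a-z0-9]+)*)?")


def available_versions(schema_dir: Path) -> set[str]:
    """Versions actually bundled in schema_dir (file stems of *.json)."""
    return {p.stem for p in schema_dir.glob("*.json") if p.is_file()}


def load_schema_checked(schema_dir: Path, version: str) -> dict[str, Any]:
    """Hypothetical hardened loader: check format, then allow-list, then read."""
    if not VERSION_RE.fullmatch(version):
        raise ValueError("version must look like '1.6.0'")
    if version not in available_versions(schema_dir):
        raise FileNotFoundError(f"OCSF schema version {version} not found")
    return json.loads((schema_dir / f"{version}.json").read_text(encoding="utf-8"))


def demo() -> dict[str, str]:
    """Run the loader over constructed inputs and report each outcome."""
    outcomes: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        schema_dir = Path(tmp) / "ocsf"
        schema_dir.mkdir()
        # Constructed sample schema, not real OCSF data.
        sample = {"classes": {"demo": {"name": "demo_class", "description": "Sample"}}}
        (schema_dir / "1.6.0.json").write_text(json.dumps(sample), encoding="utf-8")
        (Path(tmp) / "other.json").write_text("{}", encoding="utf-8")  # outside schema_dir
        for candidate in ["1.6.0", "9.9.9", "../other", "1.6.0\n", "", "1.6.0/../1.6.0"]:
            try:
                load_schema_checked(schema_dir, candidate)
                outcomes[candidate] = "loaded"
            except (ValueError, FileNotFoundError) as exc:
                outcomes[candidate] = type(exc).__name__
    return outcomes


if __name__ == "__main__":
    for value, result in demo().items():
        print(f"{value!r}: {result}")
```

Raising `FileNotFoundError` for a well-formed but unbundled version keeps the handler's existing "not found" branch working unchanged, while malformed values are rejected before any path is built.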
Behavior: 4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations already declare readOnlyHint=true, openWorldHint=false, and idempotentHint=true, covering safety and behavior. The description adds valuable context by specifying that it retrieves 'all OCSF event classes and their descriptions', which clarifies the scope and output content beyond what annotations provide, though it doesn't detail format or pagination.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is front-loaded with the core purpose, followed by bulleted usage guidelines and a clear transition to alternatives. Every sentence adds value without redundancy, making it efficient and well-structured for quick comprehension.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's low complexity (1 parameter, no output schema) and rich annotations, the description is mostly complete. It covers purpose, usage, and alternatives well, but lacks details on output format (e.g., list structure, pagination), which could be helpful despite annotations. This minor gap prevents a perfect score.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, with the parameter 'version' fully documented in the schema. The description mentions 'for a specific schema version' but doesn't add syntax or format details beyond the schema's 'e.g., '1.6.0''. This meets the baseline for high schema coverage without extra parameter insights.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the specific action ('Get all OCSF event classes and their descriptions') and resource ('for a specific schema version'). It distinguishes from sibling tools by explicitly contrasting with 'ocsf_get_class' for detailed schemas, making the scope and differentiation clear.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides explicit guidance on when to use this tool ('Browse available OCSF event classes before creating a mapping', 'Identify which class best matches your log data', 'Understand the purpose and scope of each event class') and when to use an alternative ('Once you identify a candidate class, use `ocsf_get_class` to see its complete schema'). This covers both use cases and exclusions effectively.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.


MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/tenzir/mcp'
