de en es ja ko ru zh

Tenzir MCP Server

Official

by tenzir

Overview Schema Related Servers Score Discussions

Python

Local

Get OCSF object

ocsf_get_object

Read-onlyIdempotent

Retrieve complete OCSF object definitions to understand nested structures, view fields and types, and map source data correctly for cybersecurity event analysis.

Instructions

Get the complete definition of an OCSF object type including all fields and metadata.

Use this tool to:

Understand complex nested object structures in OCSF classes
See the fields and types within objects like 'file', 'process', 'user'
Map source data to nested OCSF structures correctly
Reference when constructing TQL operators for OCSF mapping

Objects are reusable components within OCSF event classes, defining standard structures like endpoints, files, processes, etc.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`version`	Yes	OCSF schema version (e.g., '1.3.0')
`name`	Yes	OCSF object name (e.g., 'email', 'file', 'process')

Implementation Reference

src/tenzir_mcp/tools/ocsf/ocsf_get_object.py:17-89 (handler)

The core handler function for the 'ocsf_get_object' tool. Decorated with @mcp.tool, it takes version and name parameters, loads the OCSF schema using load_ocsf_schema helper, searches for the object, and returns formatted markdown content and structured JSON data or error messages.

@mcp.tool(
    name="ocsf_get_object",
    tags={"ocsf"},
    annotations={
        "title": "Get OCSF object",
        "readOnlyHint": True,
        "idempotentHint": True,
        "openWorldHint": False,
    },
)
async def ocsf_get_object(
    version: Annotated[str, Field(description="OCSF schema version (e.g., '1.3.0')")],
    name: Annotated[
        str, Field(description="OCSF object name (e.g., 'email', 'file', 'process')")
    ],
) -> ToolResult:
    """Get the complete definition of an OCSF object type including all fields and metadata.

    Use this tool to:
    - Understand complex nested object structures in OCSF classes
    - See the fields and types within objects like 'file', 'process', 'user'
    - Map source data to nested OCSF structures correctly
    - Reference when constructing TQL operators for OCSF mapping

    Objects are reusable components within OCSF event classes, defining
    standard structures like endpoints, files, processes, etc."""
    try:
        schema = load_ocsf_schema(version)

        # Look for the object in the schema
        if "objects" not in schema:
            error_msg = f"No objects found in OCSF schema version {version}"
            return ToolResult(
                content=error_msg, structured_content={"error": error_msg}
            )

        # Search for object by name (case-insensitive)
        for object_id, object_data in schema["objects"].items():
            object_name = object_data.get("name", object_id)
            if object_name.lower() == name.lower() or object_id.lower() == name.lower():
                # Format as markdown
                description = object_data.get("description", "No description")
                schema_json = json.dumps(object_data, indent=2, sort_keys=True)
                markdown = (
                    f"# {object_name}\n\n"
                    f"**ID**: {object_id}\n\n"
                    f"**Description**: {description}\n\n"
                    "## Schema\n"
                    f"```json\n{schema_json}\n```"
                )

                result = {"id": object_id, "name": object_name, "data": object_data}
                return ToolResult(
                    content=markdown,  # Markdown summary
                    structured_content=result,  # Full JSON data
                )

        error_msg = f"Object '{name}' not found in OCSF schema version {version}"
        return ToolResult(content=error_msg, structured_content={"error": error_msg})

    except FileNotFoundError:
        error_msg = f"OCSF schema version {version} not found"
        logger.error(error_msg)
        return ToolResult(content=error_msg, structured_content={"error": error_msg})
    except json.JSONDecodeError as e:
        error_msg = f"Failed to parse OCSF schema for version {version}: {e}"
        logger.error(error_msg)
        return ToolResult(content=error_msg, structured_content={"error": error_msg})
    except Exception as e:
        error_msg = f"Failed to get OCSF object {name} for version {version}: {e}"
        logger.error(error_msg)
        return ToolResult(content=error_msg, structured_content={"error": error_msg})

src/tenzir_mcp/tools/ocsf/_helpers.py:12-30 (helper)

Helper function used by the ocsf_get_object tool to load and parse the OCSF schema JSON file for the given version from package resources.

def load_ocsf_schema(version: str) -> dict[str, Any]:
    """
    Load and parse an OCSF schema for the specified version.

    Args:
        version: The OCSF schema version to load

    Returns:
        Dictionary containing the parsed OCSF schema

    Raises:
        FileNotFoundError: If the schema version is not found
        json.JSONDecodeError: If the schema JSON is invalid
        Exception: For other loading errors
    """
    schema_text = files("tenzir_mcp.data.ocsf").joinpath(f"{version}.json").read_text()
    schema: dict[str, Any] = json.loads(schema_text)
    return schema

src/tenzir_mcp/tools/ocsf/__init__.py:6-6 (registration)
Import statement in the OCSF tools package __init__.py that exposes the ocsf_get_object tool function.
```
from .ocsf_get_object import ocsf_get_object
```

Tool Definition Quality

A4.4/5.0

Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations already indicate readOnlyHint=true, openWorldHint=false, and idempotentHint=true, covering safety and idempotency. The description adds valuable context beyond annotations by explaining that objects are 'reusable components within OCSF event classes' and provide 'standard structures like endpoints, files, processes', which helps the agent understand the tool's role in OCSF schema exploration. No contradictions with annotations are present.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is efficiently structured with a clear opening sentence followed by a bulleted list for usage scenarios and a concluding explanatory paragraph. Every sentence adds value without redundancy, making it easy to scan and understand the tool's purpose and applications quickly.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's moderate complexity (2 required parameters) and rich annotations (readOnlyHint, idempotentHint), the description is largely complete. It explains the tool's purpose, usage, and context within OCSF. However, without an output schema, it does not detail the return format (e.g., structure of the object definition), which is a minor gap. The annotations cover safety aspects well.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, with both parameters ('version' and 'name') well-documented in the schema. The description does not add specific syntax or format details beyond what the schema provides, such as examples for 'version' beyond '1.3.0' or constraints on 'name'. Baseline 3 is appropriate as the schema handles parameter documentation adequately.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose with specific verbs ('Get the complete definition') and resources ('OCSF object type'), distinguishing it from siblings like 'ocsf_get_class' (which retrieves classes rather than objects) and 'ocsf_get_classes' (which lists classes). It explicitly mentions what the tool provides: 'all fields and metadata' for object types such as 'file', 'process', and 'user'.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides explicit guidance on when to use this tool through a bulleted list: 'Understand complex nested object structures', 'See the fields and types within objects', 'Map source data to nested OCSF structures', and 'Reference when constructing TQL operators'. It implicitly distinguishes from alternatives like 'ocsf_get_class' by focusing on objects rather than classes, though it does not explicitly name when not to use it.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/tenzir/mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server