🚀 Features

ArcSight CEF skill
Jun 10, 2026 · @mavam, @claude · #23
Added tenzir-cef, a generated ArcSight CEF (Common Event Format) reference skill for generating, parsing, and mapping CEF events, bundled with the ArcSight ESM event schema behind the format.
The skill exposes all 174 predefined extension keys from the OpenText extension dictionary as YAML — exact key spelling, expanded full name, data type, length, producer/consumer audience, and the CEF specification version that introduced each key — alongside the full ESM event schema: 479 data fields across 18 groups with labels, script aliases, types, and turbo levels. Extension keys whose full name resolves to an ESM script alias are crosswalked to their schema groups. Markdown guidance covers the CEF header, severity, character escaping, special mappings, user-defined extensions, and date formats. Upstream quirks, such as the duplicated dmac row and mid-word line-wrap artifacts in key names, are normalized and documented in the source notes.
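The header layout, escaping rules and severity mapping that the CEF guidance describes, worked through in code. This is an added example written for this changelog, not code from the tenzir-cef skill, OpenText or ArcSight; the CefEvent class, the function names and the sample event in the comments are constructed for illustration.

```python
"""Minimal ArcSight CEF encoder/decoder (added example, not the tenzir-cef skill)."""
import re
from dataclasses import dataclass, field


@dataclass
class CefEvent:
    vendor: str
    product: str
    version: str
    event_class_id: str
    name: str
    severity: int                      # 0-10; the spec also allows Low/Medium/High/Very-High
    extension: dict = field(default_factory=dict)
    cef_version: int = 0


def escape_header(value: str) -> str:
    # Header fields: only backslash and pipe are escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    # Extension values: backslash, '=' and line breaks are escaped; pipes are left alone.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def severity_label(severity: int) -> str:
    # Default numeric-to-label mapping from the CEF spec.
    if not 0 <= severity <= 10:
        raise ValueError(f"severity out of range: {severity}")
    if severity <= 3:
        return "Low"
    if severity <= 6:
        return "Medium"
    if severity <= 8:
        return "High"
    return "Very-High"


def to_cef(ev: CefEvent) -> str:
    header = "|".join(escape_header(str(x)) for x in (
        ev.vendor, ev.product, ev.version, ev.event_class_id, ev.name, ev.severity))
    ext = " ".join(f"{k}={escape_extension(str(v))}" for k, v in ev.extension.items())
    return f"CEF:{ev.cef_version}|{header}|{ext}"


def _split_header(line: str):
    """Return the 7 header fields and the raw extension, honouring \\| and \\\\ escapes."""
    fields, buf, i = [], [], 0
    while len(fields) < 7 and i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, line[i:]


# A key starts the extension or follows a space; an escaped '\=' never matches
# because the character right before '=' must belong to the key name.
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")


def _unescape_extension(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "=\\nr":
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def _parse_extension(ext: str) -> dict:
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(ext)   # value ends at the space before the next key
        result[m.group(1)] = _unescape_extension(ext[m.end():end])
    return result


def from_cef(line: str) -> CefEvent:
    fields, ext = _split_header(line)
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    sev = int(fields[6]) if fields[6].isdigit() else fields[6]
    return CefEvent(fields[1], fields[2], fields[3], fields[4], fields[5], sev,
                    _parse_extension(ext), int(fields[0][4:]))
```

The parser splits the header on unescaped pipes only, then locates extension keys by the `key=` boundary, which is why a literal `=` inside a value must arrive as `\=`; a producer that forgets that escape silently shifts every following key-value pair, which is the kind of mapping defect the skill's escaping guidance exists to prevent.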

IBM QRadar LEEF skill
Jun 10, 2026 · @mavam, @claude · #20
Added tenzir-leef, a generated IBM QRadar LEEF (Log Event Extended Format) reference skill for generating, parsing, and mapping LEEF 2.0 events.
The skill exposes all 45 predefined event attributes as YAML — exact key spelling, value type, normalization behavior, attribute limits, and reserved status — plus Markdown guidance for the syslog and LEEF headers, delimiter rules, custom event keys, and devTime/devTimeFormat timestamp patterns. Spec quirks published by IBM, such as the identSecondlp typo, are preserved verbatim and annotated.
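The header and delimiter rules and the devTime/devTimeFormat handling mentioned above, shown as a small LEEF 2.0 decoder and encoder. This is an added example written for this changelog, not code from the tenzir-leef skill or IBM; the function names, the sample lines and the subset of Java date-pattern tokens it translates are assumptions, and so is the fallback that reads a devTime without devTimeFormat as epoch milliseconds.

```python
"""LEEF 2.0 line decoder/encoder (added example, not the tenzir-leef skill's code)."""
import re
from datetime import datetime, timezone

# Java SimpleDateFormat tokens -> strptime directives for patterns commonly
# seen in devTimeFormat. Unknown tokens are rejected rather than guessed.
_JAVA_TOKENS = {"yyyy": "%Y", "yy": "%y", "MMM": "%b", "MM": "%m", "dd": "%d",
                "HH": "%H", "mm": "%M", "ss": "%S", "SSS": "%f"}
_LETTER_RUN = re.compile(r"[A-Za-z]+")


def java_to_strptime(fmt: str) -> str:
    def repl(m):
        tok = m.group(0)
        if tok not in _JAVA_TOKENS:
            raise ValueError(f"unsupported devTimeFormat token: {tok}")
        return _JAVA_TOKENS[tok]
    return _LETTER_RUN.sub(repl, fmt)


def decode_delimiter(spec: str) -> str:
    # LEEF 2.0 delimiter field: empty selects the default tab; otherwise a single
    # character, or a hex byte written as x09 / 0x09.
    if spec == "":
        return "\t"
    if len(spec) == 1:
        return spec
    m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{2})", spec)
    if m:
        return chr(int(m.group(1), 16))
    raise ValueError(f"bad LEEF delimiter field: {spec!r}")


def parse_leef(line: str) -> dict:
    # Assumption: header fields contain no '|' (LEEF defines no escape for it).
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF line")
    parts = line.split("|", 5)
    if len(parts) != 6:
        raise ValueError("short LEEF header")
    version, rest, delim = parts[0][5:], parts[5], "\t"
    if version == "2.0":
        # The delimiter field is optional; an attribute string is recognised by its '='.
        fld, sep, after = rest.partition("|")
        if sep and "=" not in fld:
            delim, rest = decode_delimiter(fld), after
    attrs = {}
    for pair in rest.split(delim):
        if pair:
            key, _, value = pair.partition("=")   # only the first '=' splits key from value
            attrs[key] = value
    return {"version": version, "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4], "attrs": attrs}


def event_time(attrs: dict) -> datetime:
    raw = attrs["devTime"]
    fmt = attrs.get("devTimeFormat")
    if fmt is None:
        # Assumption in this example: a bare devTime is epoch milliseconds.
        return datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc)
    return datetime.strptime(raw, java_to_strptime(fmt))


def to_leef(vendor: str, product: str, version: str, event_id: str,
            attrs: dict, delim: str = "\t") -> str:
    if len(delim) != 1:
        raise ValueError("delimiter must be a single character")
    for v in attrs.values():
        if delim in str(v):
            raise ValueError(f"attribute value contains the delimiter {delim!r}")
    # Non-printable delimiters (tab included) are written in the explicit hex form.
    delim_field = delim if delim.isprintable() and delim != " " else f"x{ord(delim):02x}"
    body = delim.join(f"{k}={v}" for k, v in attrs.items())
    return f"LEEF:2.0|{vendor}|{product}|{version}|{event_id}|{delim_field}|{body}"
```

Because LEEF has no value escaping, the encoder refuses an attribute value that contains the chosen delimiter instead of emitting a line that a consumer would split in the wrong place; devTime is only parsed against the pattern the event itself carries in devTimeFormat, so a pattern token outside the translated subset fails loudly rather than yielding a silently wrong timestamp.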

FortiSIEM Event Data Model skill
Jun 10, 2026 · @mavam, @claude · #21
Added tenzir-edm, a generated FortiSIEM Event Data Model reference skill for mapping events into Fortinet’s normalized event attributes.
The skill covers all 21 data models of the FortiSIEM 7.5.0 Event Data Model documentation, exposing event attributes with types, display names, descriptions, and cross-model usage as YAML, plus Markdown copies of the upstream Fortinet pages for audit.

Elastic Common Schema skill
Added tenzir-ecs, a generated Elastic Common Schema reference skill for mapping logs and security telemetry into ECS.
The skill exposes ECS fields, fieldsets, categorization values, field reuse metadata, and ECS/OpenTelemetry relations as YAML, with curated upstream Markdown guidance for categorization, network mapping, custom fields, cloud and service context, threat indicators, and user modeling.

Splunk CIM skill
Jun 6, 2026 · @mavam, @codex · #15
Added tenzir-cim, a generated Splunk Common Information Model reference skill for mapping security telemetry to CIM.
The generator takes an unpacked Splunk_SA_CIM app directory as input and emits agent-native YAML catalogs for CIM data models, datasets, effective fields, constraints, calculated fields, and lookup-backed values, translations, and enrichments. The generated skill also bundles core Splunk CIM 8.5 documentation as reference-only prose while keeping the app-derived YAML authoritative.

Microsoft Sentinel ASIM skill
Jun 4, 2026 · @mavam, @codex · #11, #17
Added tenzir-asim, a Microsoft Sentinel ASIM reference skill for mapping security telemetry to ASIM.
The generated reference currently covers 12 event schemas, 1 entity schema, 539 distinct fields, 1,426 schema field records, and 73 alias records from Microsoft Defender Docs. It now emits agent-native YAML catalogs, schema files, field files, alias data, and guidance data so agents can choose target ASIM schemas and map source telemetry with less context-window overhead.

🔧 Changes

Multi-tool design system skill with machine-readable tokens
Jun 10, 2026 · @mavam, @claude · #22
The tenzir-design-system skill is now the canonical home of the Tenzir design system and supports many consumers beyond Platform CSS: plain CSS, Tailwind, Quarto documents, slide decks, and Mermaid/Graphviz diagrams.
Token values now live in machine-readable YAML: data/brand.yml follows Quarto’s brand.yml schema and can be consumed directly via brand: data/brand.yml, while data/tokens.yml carries the extended tokens (spacing, radius, type scale, shadows, motion, z-index, breakpoints, and a dark-mode mapping). Markdown references explain how to choose tokens; per-tool guides under references/tools/ provide ready-to-use CSS custom properties, Tailwind v4/v3 configuration, a shadcn/ui theme, and diagram/slide styling.

Tenzir UDM skill name
Jun 7, 2026 · @mavam, @codex · #18
The Google UDM skill is now installed and referenced as tenzir-udm.
Use the new skill name when installing it directly:
npx skills add tenzir/skills@tenzir-udm

Google UDM record YAML reference
Jun 7, 2026 · @mavam, @codex · #16
The Google UDM skill now exposes record definitions as YAML leaves rather than Markdown message pages. Record YAML uses data-centric type shapes such as list<T>, optional<T>, map<K, V>, variant, and field unions, making event and entity fields easier for agents to scan when mapping logs into UDM.

Google UDM entity ingestion guidance
Jun 6, 2026 · @mavam, @codex · #14
The Google UDM skill now clarifies that Entity Type Guidance values such as USER or ASSET belong to the Entity object’s metadata.entity_type / metadata.entityType, while entities.import uses a separate inlineSource.logType for the context source, such as AZURE_AD_CONTEXT.