OCSF Console IR is a terminal-first incident response manager designed for security analysts. It leverages the OCSF (Open Cybersecurity Schema Framework) standard to provide a unified platform for event ingestion, case management, and AI-assisted analysis.
- OCSF-native event ingestion
- Keyboard-first TUI for cases & events
- AI-assisted case management
- Plugin-based enrichment via Redis Streams
- SQLite storage with FTS
- Pluggable LLM providers for summaries and copilot
```sh
brew install Ashfaaq98/tap/console-ir
```

```sh
curl -sSfL https://raw.githubusercontent.com/Ashfaaq98/ocsf-console-ir/main/scripts/install.sh | bash
```

```sh
docker run --rm -it ghcr.io/ashfaaq98/console-ir:latest --help
# Start the headless runtime with HTTP ingest on port 8080 and persistent data
docker run --rm -it -p 8080:8080 -v $(pwd)/data:/data ghcr.io/ashfaaq98/console-ir:latest
```

```sh
git clone https://github.com/Ashfaaq98/ocsf-console-ir.git
cd ocsf-console-ir
make build
./bin/console-ir serve
```

A quick tour of the TUI.
- Go ≥ 1.23
- Docker (optional, for Redis)
- Git
```sh
git clone https://github.com/Ashfaaq98/ocsf-console-ir.git
cd ocsf-console-ir
make build
./bin/console-ir serve
```

Or headless:

```sh
./bin/console-ir serve --no-tui
```

Run a JSONL file directly with `./bin/console-ir ingest <file>` (see cmd/ingest.go).
Drop files into data/incoming; the folder watcher ingests new files automatically (see internal/ingest/folder.go).
Enable the optional HTTP endpoint to POST events into the pipeline (see internal/ingest/http_ingest.go).
Real-time OCSF inputs and adapters publish to Redis Streams for processing (see internal/ingest/live.go and internal/ingest/ocsf.go).
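Whichever ingest path is used (file, folder watcher, HTTP or Redis Streams), the input is a stream of OCSF events, one JSON object per line. The following is an added example, not code from the console-ir project, that checks a JSONL file for the OCSF base-event attributes (`class_uid`, `category_uid`, `type_uid`, `activity_id`, `severity_id`, `time`, `metadata.version`) and the OCSF rule `type_uid = class_uid * 100 + activity_id` before the file is handed to `console-ir ingest` or dropped into data/incoming. The sample events, the `ocsfEvent` struct and the `ValidateLine`/`ValidateJSONL` functions are this example's own; the project's ingest code may apply different or stricter checks.

```go
// Added example (not part of console-ir): pre-ingest validation of OCSF JSONL.
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// ocsfEvent holds the subset of OCSF base-event attributes this check looks at.
// Attribute names follow the OCSF schema; pointers distinguish "absent" from 0.
type ocsfEvent struct {
	ClassUID    *int64 `json:"class_uid"`
	CategoryUID *int64 `json:"category_uid"`
	TypeUID     *int64 `json:"type_uid"`
	ActivityID  *int64 `json:"activity_id"`
	SeverityID  *int64 `json:"severity_id"`
	Time        *int64 `json:"time"` // epoch milliseconds in OCSF
	Metadata    *struct {
		Version string `json:"version"`
	} `json:"metadata"`
}

// ValidateLine returns nil when the line is JSON carrying the core OCSF
// base-event attributes with a consistent type_uid, otherwise a descriptive error.
func ValidateLine(line string) error {
	var ev ocsfEvent
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return fmt.Errorf("not valid JSON: %w", err)
	}
	required := map[string]*int64{
		"class_uid": ev.ClassUID, "category_uid": ev.CategoryUID, "type_uid": ev.TypeUID,
		"activity_id": ev.ActivityID, "severity_id": ev.SeverityID, "time": ev.Time,
	}
	var missing []string
	for name, p := range required {
		if p == nil {
			missing = append(missing, name)
		}
	}
	if ev.Metadata == nil || ev.Metadata.Version == "" {
		missing = append(missing, "metadata.version")
	}
	if len(missing) > 0 {
		sort.Strings(missing) // map iteration order is random; keep messages stable
		return fmt.Errorf("missing required attributes: %s", strings.Join(missing, ", "))
	}
	// OCSF derives type_uid from class_uid and activity_id; a mismatch usually means
	// a hand-built event that the console would classify under the wrong activity.
	if want := *ev.ClassUID*100 + *ev.ActivityID; *ev.TypeUID != want {
		return fmt.Errorf("type_uid %d does not equal class_uid*100+activity_id (%d)", *ev.TypeUID, want)
	}
	if *ev.Time <= 0 {
		return fmt.Errorf("time must be a positive epoch timestamp, got %d", *ev.Time)
	}
	return nil
}

// ValidateJSONL scans one event per line and returns the count of valid events
// plus one message per rejected line (numbered from 1). Blank lines are skipped.
func ValidateJSONL(r io.Reader) (ok int, problems []string) {
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // enriched events can be large
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if err := ValidateLine(line); err != nil {
			problems = append(problems, fmt.Sprintf("line %d: %v", n, err))
			continue
		}
		ok++
	}
	return ok, problems
}

// sampleJSONL is constructed input: one well-formed Network Activity event
// (class_uid 4001), one with an inconsistent type_uid, one non-JSON line and
// one event missing type_uid.
const sampleJSONL = `{"class_uid":4001,"category_uid":4,"type_uid":400101,"activity_id":1,"severity_id":1,"time":1700000000000,"metadata":{"version":"1.1.0","product":{"name":"example-sensor"}}}
{"class_uid":4001,"category_uid":4,"type_uid":400199,"activity_id":1,"severity_id":1,"time":1700000000000,"metadata":{"version":"1.1.0"}}
not json
{"class_uid":4001,"category_uid":4,"activity_id":1,"severity_id":1,"time":1700000000000,"metadata":{"version":"1.1.0"}}`

func main() {
	ok, problems := ValidateJSONL(strings.NewReader(sampleJSONL))
	fmt.Printf("%d valid event(s)\n", ok)
	for _, p := range problems {
		fmt.Println(p)
	}
}
```

Run against a real export by replacing `strings.NewReader(sampleJSONL)` with an opened file; rejecting a file with a non-empty problem list before ingest keeps malformed or inconsistently typed events from landing in the SQLite store and skewing case timelines.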
External plugins run as separate processes and consume/publish via Redis Streams. See docs/plugins.md.
By default external plugins are disabled; enable explicitly by creating an enable marker next to the executable (e.g., plugins/llm/llm.enabled) or start plugins manually.
Development is supported via .devcontainer/devcontainer.json and debug settings in .vscode/launch.json.
- Ensure Redis is reachable at the configured URL.
- If TUI fails, run with --no-tui or use a native terminal.
- Build issues: run `go mod download` and `make build`.
- The Docker image runs the app in headless mode and enables HTTP ingest on `0.0.0.0:8080` by default.
- See the full contribution guide in CONTRIBUTING.md for workflow, coding standards, and local checks.
- Quick steps: fork the repo, create a branch, add tests, run `make check`, open a PR.
Do NOT commit API keys or secrets. Use the TUI or edit config/llm_settings.sample.json and keep config/llm_settings.json ignored. See SECURITY.md for disclosure guidance.
AGPLv3 - see LICENSE