What is OCSF?OCSF event classes OCSF source identification

Open Cybersecurity Schema Framework (OCSF)

What is OCSF?

The Open Cybersecurity Schema Framework (OCSF) is a collaborative, open-source effort by AWS and leading partners in the cybersecurity industry. OCSF provides a standard schema for common security events, defines versioning criteria to facilitate schema evolution, and includes a self-governance process for security log producers and consumers. The public source code for OCSF is hosted on GitHub.

Security Lake automatically converts logs and events that come from natively-supported AWS services to the OCSF schema. After conversion to OCSF, Security Lake stores the data in an Amazon Simple Storage Service (Amazon S3) bucket (one bucket per AWS Region) in your AWS account. Logs and events that are written to Security Lake from custom sources must adhere to the OCSF schema and an Apache Parquet format. Subscribers can treat the logs and events as generic Parquet records or apply the OCSF schema event class to more accurately interpret the information contained in a record.

OCSF event classes

Logs and events from a given Security Lake source match a specific event class defined in OCSF. DNS Activity, SSH Activity, and Authentication are examples of event classes in OCSF. You can specify which event class a particular source matches.

OCSF source identification

OCSF uses a variety of fields to help you determine where a specific set of logs or events originated. These are the values of the relevant fields for AWS services that are natively supported as sources in Security Lake.

The OCSF source identification for AWS log sources (Version 1) are listed in the following table.

Source	metadata.product.name	metadata.product.vendor_name	metadata.product.feature.name	class_name	metadata.version
CloudTrail Lambda Data Events	`CloudTrail`	`AWS`	`Data`	`API Activity`	`1.0.0-rc.2`
CloudTrail Management Events	`CloudTrail`	`AWS`	`Management`	`API Activity`, `Authentication`, or `Account Change`	`1.0.0-rc.2`
CloudTrail S3 Data Events	`CloudTrail`	`AWS`	`Data`	`API Activity`	`1.0.0-rc.2`
Route 53	`Route 53`	`AWS`	`Resolver Query Logs`	`DNS Activity`	`1.0.0-rc.2`
Security Hub	`Security Hub`	`AWS`	Matches Security Hub `ProductName` value	`Security Finding`	`1.0.0-rc.2`
VPC Flow Logs	`Amazon VPC`	`AWS`	`Flowlogs`	`Network Activity`	`1.0.0-rc.2`

The OCSF source identification for AWS log sources (Version 2) are listed in the following table.

Source	metadata.product.name	metadata.product.vendor_name	metadata.product.feature.name	class_name	metadata.version
CloudTrail Lambda Data Events	`CloudTrail`	`AWS`	`Data`	`API Activity`	`1.1.0`
CloudTrail Management Events	`CloudTrail`	`AWS`	`Management`	`API Activity`, `Authentication`, or `Account Change`	`1.1.0`
CloudTrail S3 Data Events	`CloudTrail`	`AWS`	`Data`	`API Activity`	`1.1.0`
Route 53	`Route 53`	`AWS`	`Resolver Query Logs`	`DNS Activity`	`1.1.0`
Security Hub	Matches AWS Security Finding Format (ASFF) `ProductName` value	Matches AWS Security Finding Format (ASFF) `CompanyName` value	Matches `featureName` value from ASFF `ProductFields`	`Vulnerability Finding, Compliance Finding, or Detection Finding`	`1.1.0`
VPC Flow Logs	`Amazon VPC`	`AWS`	`Flowlogs`	`Network Activity`	`1.1.0`
EKS Audit Logs	`Amazon EKS`	`AWS`	`Elastic Kubernetes Service`	`API Activity`	`1.1.0`
AWS WAFv2 Logs	`AWS WAF`	`AWS`	`—`	`HTTP Activity`	`1.1.0`

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Lifecycle management

Integrations