Open Cybersecurity Schema Framework - AWS AppFabric

Open Cybersecurity Schema Framework

The Open Cybersecurity Schema Framework (OCSF) is a collaborative, open-source effort by AWS and leading partners in the cybersecurity industry. OCSF provides a standard schema for common security events, defines versioning criteria to facilitate schema evolution, and includes a self-governance process for security log producers and consumers. The public source code for OCSF is hosted on GitHub.

OCSF-based schema in AppFabric

The AWS AppFabric for security schema, which is based on OCSF 1.0.0-rc.3, is tailored specifically to give you normalized, consistent, low-effort observability of your software as a service (SaaS) portfolio. AppFabric, in collaboration with the OCSF open source community, introduced new OCSF event categories, event classes, activities, and objects so that OCSF applies to SaaS application events. AppFabric automatically normalizes the audit events that it receives from SaaS applications and delivers the data to Amazon Simple Storage Service (Amazon S3) or Amazon Data Firehose in your AWS account. For an Amazon S3 destination, you can choose between two normalization options (OCSF or Raw) and two data format options (JSON or Parquet). For a Firehose destination, you can also choose between the two normalization options (OCSF or Raw), but the data format is limited to JSON.

OCSF event categories and classes

AppFabric uses the following two OCSF event categories:

  • Identity and Access Management – AppFabric for security uses the following event classes within this category:

    • Account Change

    • Authentication

    • User Access Management

    • Group Management

  • Application Activity – AppFabric for security uses the following event classes within this category:

    • Web Resources Activity

    • Web Resource Access Activity
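The value of the normalization described above is that a consumer can handle events from every connected SaaS application with one code path keyed on OCSF identifiers instead of per-application log formats. The following is an added example, not AppFabric's or OCSF's own code: it parses a constructed batch of OCSF JSON-lines records (the JSON delivery format named above), routes them by event class, and runs two simple defender checks over the Authentication and Group Management classes. The `category_uid`/`class_uid` numbers are the OCSF 1.0 identifiers as understood by the author of this example and should be verified against the OCSF version you consume; the field layout (`status_id`, `user.name`, `group.name`) and all sample records are assumptions, not captured AppFabric output.

```python
"""Route and summarize OCSF-normalized SaaS audit events.

Added example, not AppFabric's own code. Assumes the OCSF output is
newline-delimited JSON objects carrying standard OCSF envelope fields
(category_uid, class_uid, activity_name, status_id, time, user, ...).
All sample records below are constructed for illustration.
"""
import json
from collections import Counter, defaultdict

# OCSF 1.0 identifiers for the categories and classes AppFabric uses.
# Assumed from the OCSF schema; verify against the version you consume.
CATEGORY_NAMES = {3: "Identity and Access Management", 6: "Application Activity"}
CLASS_NAMES = {
    3001: "Account Change",
    3002: "Authentication",
    3005: "User Access Management",
    3006: "Group Management",
    6001: "Web Resources Activity",
    6004: "Web Resource Access Activity",
}
STATUS_FAILURE = 2  # OCSF status_id: 1 = Success, 2 = Failure (assumed)

# Constructed sample batch: three failed logons for one user, a successful
# logon, a privileged group addition, a resource read, and one record whose
# class is outside the set AppFabric documents.
SAMPLE_NDJSON = """\
{"category_uid": 3, "class_uid": 3002, "activity_name": "Logon", "status_id": 2, "time": 1700000000000, "user": {"name": "alice@example.com"}}
{"category_uid": 3, "class_uid": 3002, "activity_name": "Logon", "status_id": 2, "time": 1700000060000, "user": {"name": "alice@example.com"}}
{"category_uid": 3, "class_uid": 3002, "activity_name": "Logon", "status_id": 2, "time": 1700000120000, "user": {"name": "alice@example.com"}}
{"category_uid": 3, "class_uid": 3002, "activity_name": "Logon", "status_id": 1, "time": 1700000180000, "user": {"name": "bob@example.com"}}
{"category_uid": 3, "class_uid": 3006, "activity_name": "Add User", "time": 1700000240000, "user": {"name": "bob@example.com"}, "group": {"name": "admins"}}
{"category_uid": 6, "class_uid": 6004, "activity_name": "Read", "time": 1700000300000, "user": {"name": "bob@example.com"}}
{"category_uid": 9, "class_uid": 9999, "activity_name": "Unknown", "time": 1700000360000}
not valid json
"""


def parse_events(ndjson):
    """Parse JSON lines, skipping malformed records instead of dropping the batch."""
    events = []
    for lineno, line in enumerate(ndjson.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            print(f"line {lineno}: skipping malformed record")
    return events


def route(events):
    """Bucket events by OCSF class name; unknown classes land in 'unmapped'
    so they are visible for review rather than silently discarded."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[CLASS_NAMES.get(ev.get("class_uid"), "unmapped")].append(ev)
    return buckets


def failed_logons_by_user(events, threshold=3):
    """Users with at least `threshold` failed Authentication (3002) events."""
    counts = Counter(
        ev.get("user", {}).get("name", "<unknown>")
        for ev in events
        if ev.get("class_uid") == 3002 and ev.get("status_id") == STATUS_FAILURE
    )
    return {user: n for user, n in counts.items() if n >= threshold}


def privileged_group_adds(events, watch_groups=("admins",)):
    """Group Management (3006) events adding a user to a watched group.
    `user` is taken to be the member whose membership changed (assumption)."""
    return [
        (ev["user"]["name"], ev["group"]["name"])
        for ev in events
        if ev.get("class_uid") == 3006
        and ev.get("activity_name") == "Add User"
        and ev.get("group", {}).get("name") in watch_groups
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_NDJSON)
    for cls, items in sorted(route(evs).items()):
        print(f"{cls}: {len(items)} event(s)")
    print("repeated failed logons:", failed_logons_by_user(evs))
    print("watched group additions:", privileged_group_adds(evs))
```

Because the same `class_uid` values arrive regardless of which SaaS application produced the event, the two checks above need no per-application parsing; the `unmapped` bucket is the place to watch when a new OCSF version or a new AppFabric event class appears.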