Open Cybersecurity Schema Framework (OCSF) in Security Lake
What is OCSF?
The Open Cybersecurity Schema Framework (OCSF)
Security Lake automatically converts logs and events that come from natively supported AWS services to the OCSF schema. After conversion to OCSF, Security Lake stores the data in an Amazon Simple Storage Service (Amazon S3) bucket (one bucket per AWS Region) in your AWS account. Logs and events that are written to Security Lake from custom sources must adhere to the OCSF schema and be in Apache Parquet format. Subscribers can treat the logs and events as generic Parquet records, or apply the OCSF event class to interpret the information contained in a record more accurately.
OCSF event classes
Logs and events from a given Security Lake source match a specific event class defined in OCSF. DNS Activity, SSH Activity, and Authentication are examples of event classes in OCSF.
OCSF source identification
OCSF uses a variety of fields to help you determine where a specific set of logs or events originated. The following tables list the values of the relevant fields for AWS services that are natively supported as sources in Security Lake.
The OCSF source identification for AWS log sources (Version 1) is listed in the following table.
Source | metadata.product.name | metadata.product.vendor_name | metadata.product.feature.name | class_name | metadata.version |
---|---|---|---|---|---|
CloudTrail Lambda Data Events | | | | | |
CloudTrail Management Events | | | | | |
CloudTrail S3 Data Events | | | | | |
Route 53 | | | | | |
Security Hub | | | Matches Security Hub | | |
VPC Flow Logs | | | | | |
The OCSF source identification for AWS log sources (Version 2) is listed in the following table.
Source | metadata.product.name | metadata.product.vendor_name | metadata.product.feature.name | class_name | metadata.version |
---|---|---|---|---|---|
CloudTrail Lambda Data Events | | | | | |
CloudTrail Management Events | | | | | |
CloudTrail S3 Data Events | | | | | |
Route 53 | | | | | |
Security Hub | Matches AWS Security Finding Format (ASFF) | Matches AWS Security Finding Format (ASFF) | Matches | | |
VPC Flow Logs | | | | | |
EKS Audit Logs | | | | | |
AWS WAFv2 Logs | | | | | |
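The following is an added example, not AWS code, showing how a subscriber can use the identification fields from the tables above to inventory which sources a batch of OCSF records came from, and how a custom-source producer can check that a record carries those fields before writing it to the lake. Records are constructed here as plain dicts standing in for rows read from Security Lake's Parquet objects; every field value is a placeholder, not a real value AWS assigns, and the set of fields treated as required is this example's own assumption.

```python
from collections import Counter

# Dotted paths of the fields the tables above use to identify a source.
ID_FIELDS = ("metadata.product.name", "metadata.product.vendor_name",
             "metadata.product.feature.name", "class_name", "metadata.version")
# What this example requires before a custom-source record is written to the
# lake; feature.name may be absent. The choice is the example's own assumption.
REQUIRED = tuple(f for f in ID_FIELDS if f != "metadata.product.feature.name")

def get_path(record, path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def missing_fields(record):
    """Required identification fields the record does not carry (or left null)."""
    return [f for f in REQUIRED if get_path(record, f) is None]

def source_key(record):
    """Tuple of the identification values, in ID_FIELDS order."""
    return tuple(get_path(record, f) for f in ID_FIELDS)

def inventory(records):
    """Count records per distinct source key; list records missing fields."""
    counts, rejected = Counter(), []
    for idx, rec in enumerate(records):
        missing = missing_fields(rec)
        if missing:
            rejected.append((idx, missing))
        else:
            counts[source_key(rec)] += 1
    return counts, rejected

def make_record(name, vendor, feature, cls, version):
    """Build a constructed record; values are placeholders, not AWS's real ones."""
    product = {"name": name, "vendor_name": vendor}
    if feature is not None:
        product["feature"] = {"name": feature}
    return {"class_name": cls, "metadata": {"version": version, "product": product}}

# Constructed sample: two records from one source, one custom record lacking vendor.
SAMPLE = [
    make_record("prod-A", "vendor-A", "feat-A", "API Activity", "v-placeholder"),
    make_record("prod-A", "vendor-A", "feat-A", "API Activity", "v-placeholder"),
    make_record("custom-prod", None, None, "DNS Activity", "v-placeholder"),
]
```

Calling `inventory(SAMPLE)` returns one source key with a count of two plus a rejection for the third record, which names `metadata.product.vendor_name` as the missing field; `dict(zip(ID_FIELDS, key))` turns a key back into the column names used in the tables.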