Open Cybersecurity Schema Framework (OCSF) in Security Lake - Amazon Security Lake

Open Cybersecurity Schema Framework (OCSF) in Security Lake

What is OCSF?

The Open Cybersecurity Schema Framework (OCSF) is a collaborative, open-source effort by AWS and leading partners in the cybersecurity industry. OCSF provides a standard schema for common security events, defines versioning criteria to facilitate schema evolution, and includes a self-governance process for security log producers and consumers. The public source code for OCSF is hosted on GitHub.

Security Lake automatically converts logs and events that come from natively-supported AWS services to the OCSF schema. After conversion to OCSF, Security Lake stores the data in an Amazon Simple Storage Service (Amazon S3) bucket (one bucket per AWS Region) in your AWS account. Logs and events that are written to Security Lake from custom sources must adhere to the OCSF schema and an Apache Parquet format. Subscribers can treat the logs and events as generic Parquet records or apply the OCSF schema event class to more accurately interpret the information contained in a record.

OCSF event classes

Logs and events from a given Security Lake source match a specific event class defined in OCSF. DNS Activity, SSH Activity, and Authentication are examples of event classes in OCSF. You can specify which event class a particular source matches.

OCSF source identification

OCSF uses a variety of fields to help you determine where a specific set of logs or events originated. These are the values of the relevant fields for AWS services that are natively supported as sources in Security Lake.

The OCSF source identification for AWS log sources (Version 1) are listed in the following table.

Source metadata.product.name metadata.product.vendor_name metadata.product.feature.name class_name metadata.version

CloudTrail Lambda Data Events

CloudTrail

AWS

Data

API Activity

1.0.0-rc.2

CloudTrail Management Events

CloudTrail

AWS

Management

API Activity, Authentication, or Account Change

1.0.0-rc.2

CloudTrail S3 Data Events

CloudTrail

AWS

Data

API Activity

1.0.0-rc.2

Route 53

Route 53

AWS

Resolver Query Logs

DNS Activity

1.0.0-rc.2

Security Hub

Security Hub

AWS

Matches Security Hub ProductName value

Security Finding

1.0.0-rc.2

VPC Flow Logs

Amazon VPC

AWS

Flowlogs

Network Activity

1.0.0-rc.2

The OCSF source identification for AWS log sources (Version 2) are listed in the following table.

Source metadata.product.name metadata.product.vendor_name metadata.product.feature.name class_name metadata.version

CloudTrail Lambda Data Events

CloudTrail

AWS

Data

API Activity

1.1.0

CloudTrail Management Events

CloudTrail

AWS

Management

API Activity, Authentication, or Account Change

1.1.0

CloudTrail S3 Data Events

CloudTrail

AWS

Data

API Activity

1.1.0

Route 53

Route 53

AWS

Resolver Query Logs

DNS Activity

1.1.0

Security Hub

Matches AWS Security Finding Format (ASFF) ProductName value

Matches AWS Security Finding Format (ASFF) CompanyName value

Matches featureName value from ASFF ProductFields

Vulnerability Finding, Compliance Finding, or Detection Finding

1.1.0

VPC Flow Logs

Amazon VPC

AWS

Flowlogs

Network Activity

1.1.0

EKS Audit Logs

Amazon EKS

AWS

Elastic Kubernetes Service

API Activity

1.1.0

AWS WAFv2 Logs

AWS WAF

AWS

HTTP Activity

1.1.0