OCSF
The Open Cybersecurity Schema Framework (OCSF) is an open standard for security event data that provides a vendor-agnostic way to normalize security logs across different sources. OCSF provides standardization for security-focused log data, enabling seamless integration with AWS Security Lake and other security analytics platforms.
OCSF organizes security events into classes, each representing a specific type of security activity. When using field_format: "ocsf", VirtualMetric automatically transforms your security data into OCSF-compliant format based on the event type.
Available OCSF Schema Classes
System Activity (1000-1999)
- OCSF1001 - File Activity
- OCSF1002 - Kernel Extension Activity
- OCSF1003 - Kernel Activity
- OCSF1004 - Memory Activity
- OCSF1005 - Module Activity
- OCSF1006 - Scheduled Job Activity
- OCSF1007 - Process Activity
Findings (2000-2999)
- OCSF2001 - Security Finding
- OCSF2002 - Vulnerability Finding
- OCSF2003 - Compliance Finding
- OCSF2004 - Detection Finding
Identity & Access Management (3000-3999)
- OCSF3001 - Account Change
- OCSF3002 - Authentication
- OCSF3003 - Authorize Session
- OCSF3004 - Entity Management
- OCSF3005 - User Access Management
- OCSF3006 - Group Management
Network Activity (4000-4999)
- OCSF4001 - Network Activity
- OCSF4002 - HTTP Activity
- OCSF4003 - DNS Activity
- OCSF4004 - DHCP Activity
- OCSF4005 - RDP Activity
- OCSF4006 - SMB Activity
- OCSF4007 - SSH Activity
- OCSF4008 - FTP Activity
- OCSF4009 - Email Activity
- OCSF4010 - Network File Activity
- OCSF4011 - Email File Activity
- OCSF4012 - Email URL Activity
- OCSF4013 - NTP Activity
- OCSF4014 - Tunnel Activity
Discovery (5000-5999)
- OCSF5001 - Device Inventory Info
- OCSF5002 - Device Config State
- OCSF5003 - User Inventory Info
- OCSF5004 - Operating System Patch State
Application Activity (6000-6999)
- OCSF6001 - Web Resources Activity
- OCSF6002 - Application Lifecycle
- OCSF6003 - API Activity
- OCSF6004 - Web Resource Access Activity
- OCSF6005 - Datastore Activity
- OCSF6006 - File Hosting Activity
Usage
To enable OCSF normalization, specify the field format in your target configuration:
targets:
  - name: my_target
    type: awssecuritylake
    properties:
      field_format: "ocsf"
When using the VirtualMetric AWS Security Lake Pack, OCSF normalization is handled automatically through the aws_lake pipeline. The pack intelligently routes events to the appropriate OCSF schema class based on the source data type and vendor.
Integration with AWS Security Lake
OCSF is the native schema format for AWS Security Lake. When sending data to AWS Security Lake, you must:
- Enable OCSF field formatting (handled automatically by the aws_lake pipeline)
- Specify the appropriate OCSF schema identifier for each bucket
- Ensure data is in Parquet format (handled automatically by the awssecuritylake target)
VirtualMetric AWS Security Lake Pack
The VirtualMetric AWS Security Lake Pack provides comprehensive OCSF normalization for diverse security data sources:
- Syslog messages (native, CEF, LEEF formats) are automatically converted to OCSF
- Windows Security Events are transformed from ECS through ASIM to OCSF
- Firewall logs from major vendors (Fortinet, Palo Alto Networks, Check Point, Cisco ASA, SonicWall, WatchGuard, Cisco Meraki) are normalized to OCSF
- Windows DNS logs are converted to OCSF DNS Activity format
The pack handles multi-stage transformations, preserving vendor-specific context while ensuring OCSF compliance for AWS Security Lake ingestion.
Example Configuration
targets:
  - name: security_lake
    type: awssecuritylake
    pipelines:
      - aws_lake
    properties:
      key: "AKIAIOSFODNN7EXAMPLE"
      secret: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
      region: "us-east-1"
      source: "virtualmetric"
      account: "123456789012"
      buckets:
        - bucket: "aws-security-data-lake-network"
          name: "network-{{.Timestamp}}.parquet"
          schema: "OCSF4001"
        - bucket: "aws-security-data-lake-auth"
          name: "auth-{{.Timestamp}}.parquet"
          schema: "OCSF3002"
        - bucket: "aws-security-data-lake-dns"
          name: "dns-{{.Timestamp}}.parquet"
          schema: "OCSF4003"
In this example, the aws_lake pipeline automatically normalizes all events to OCSF format, and the target routes them to the appropriate buckets based on their schema class.
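The following added example (not VirtualMetric's code, and not the aws_lake pipeline) shows what the schema-class list and the bucket routing above amount to in practice: a few constructed source records (a Windows logon, a Windows DNS query, a process launch) are mapped onto the OCSF base fields, the OCSF `type_uid` is derived from `class_uid` and `activity_id`, each event is validated, and it is then routed to the bucket whose `schema` matches its class. The record shapes, the mapper names and the `route` function are assumptions made for illustration; the class, category, activity and status identifiers are OCSF's own. The example also covers the case the configuration above leaves implicit: an event whose class has no configured bucket has nowhere to go and must be counted rather than silently dropped.

```python
"""Added example: map constructed source records to OCSF events and route them
to AWS Security Lake buckets by schema class. Not VirtualMetric's own code;
record shapes and helper names are assumptions for illustration."""

# Bucket list mirroring the page's example configuration (schema -> bucket).
BUCKETS = [
    {"bucket": "aws-security-data-lake-network", "schema": "OCSF4001"},
    {"bucket": "aws-security-data-lake-auth", "schema": "OCSF3002"},
    {"bucket": "aws-security-data-lake-dns", "schema": "OCSF4003"},
]

# Fields every OCSF event class carries; used by validate().
REQUIRED_BASE_FIELDS = ("class_uid", "category_uid", "type_uid",
                        "activity_id", "severity_id", "time", "metadata")


def ocsf_envelope(class_uid, activity_id, time_ms, severity_id=1):
    """Build the OCSF base-event fields shared by all classes.

    category_uid is the thousands digit of class_uid (3002 -> 3, IAM;
    4003 -> 4, Network Activity), and OCSF defines
    type_uid = class_uid * 100 + activity_id.
    """
    return {
        "class_uid": class_uid,
        "category_uid": class_uid // 1000,
        "activity_id": activity_id,
        "type_uid": class_uid * 100 + activity_id,
        "severity_id": severity_id,          # 1 = Informational
        "time": time_ms,                     # epoch milliseconds
        "metadata": {"version": "1.1.0",     # assumed OCSF schema version
                     "product": {"vendor_name": "virtualmetric"}},
    }


def windows_logon_to_ocsf(rec):
    """Windows Security 4624 (success) / 4625 (failure) -> OCSF 3002 Authentication."""
    ev = ocsf_envelope(3002, 1, rec["time"])          # activity 1 = Logon
    ev["status_id"] = 1 if rec["event_id"] == 4624 else 2   # 1 Success, 2 Failure
    ev["user"] = {"name": rec["user"], "domain": rec["domain"]}
    ev["src_endpoint"] = {"ip": rec["src_ip"]}
    return ev


def windows_dns_to_ocsf(rec):
    """Windows DNS query log line -> OCSF 4003 DNS Activity."""
    ev = ocsf_envelope(4003, 1, rec["time"])          # activity 1 = Query
    ev["query"] = {"hostname": rec["qname"], "type": rec["qtype"]}
    ev["src_endpoint"] = {"ip": rec["client_ip"]}
    return ev


def process_launch_to_ocsf(rec):
    """Process start record -> OCSF 1007 Process Activity."""
    ev = ocsf_envelope(1007, 1, rec["time"])          # activity 1 = Launch
    ev["process"] = {"name": rec["image"], "cmd_line": rec["cmd_line"]}
    return ev


MAPPERS = {"win_logon": windows_logon_to_ocsf,
           "win_dns": windows_dns_to_ocsf,
           "process": process_launch_to_ocsf}


def validate(ev):
    """Return True when the base fields are present and type_uid is consistent."""
    if any(f not in ev for f in REQUIRED_BASE_FIELDS):
        return False
    return ev["type_uid"] == ev["class_uid"] * 100 + ev["activity_id"]


def route(ev, buckets=BUCKETS):
    """Return the bucket whose schema id matches the event's class, else None."""
    schema = "OCSF%d" % ev["class_uid"]
    for b in buckets:
        if b["schema"] == schema:
            return b["bucket"]
    return None


def route_all(records, buckets=BUCKETS):
    """Map, validate and route records; events with no bucket are collected, not lost."""
    routed, unrouted = {}, []
    for rec in records:
        ev = MAPPERS[rec["source"]](rec)
        if not validate(ev):
            raise ValueError("malformed OCSF event: %r" % ev)
        bucket = route(ev, buckets)
        if bucket is None:
            unrouted.append(ev)        # class 1007 has no bucket in BUCKETS
        else:
            routed.setdefault(bucket, []).append(ev)
    return routed, unrouted


# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"source": "win_logon", "time": 1700000000000, "event_id": 4624,
     "user": "alice", "domain": "CORP", "src_ip": "10.0.0.5"},
    {"source": "win_logon", "time": 1700000001000, "event_id": 4625,
     "user": "bob", "domain": "CORP", "src_ip": "10.0.0.9"},
    {"source": "win_dns", "time": 1700000002000, "qname": "example.com",
     "qtype": "A", "client_ip": "10.0.0.5"},
    {"source": "process", "time": 1700000003000, "image": "notepad.exe",
     "cmd_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    routed, unrouted = route_all(SAMPLE_RECORDS)
    for bucket, events in routed.items():
        print(bucket, [e["type_uid"] for e in events])
    print("unrouted:", [e["class_uid"] for e in unrouted])
```

Running the block routes the two authentication events to the auth bucket and the DNS query to the dns bucket, while the process event (class 1007) ends up in the unrouted list because no bucket declares schema OCSF1007; in a real deployment that list is the signal that a bucket entry is missing for a class the pipeline is producing.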