OCSF + Amazon Security Lake: A New Schema to Solve Long-Standing Challenges

With OCSF, a vendor-agnostic core security schema is now available, enabling a common approach to data sharing among different tools.

OCSF + Amazon Security Lake: A New Schema to Solve Long-Standing Challenges


The Open Cybersecurity Schema Framework (OCSF) is an open-source project that addresses the long-standing challenge of sharing data across various security tools.

Traditionally, the security space has been fragmented due to interoperability issues and data normalization challenges.

This has posed a significant hurdle for organizations using multiple security applications, requiring constant integration and maintenance efforts. However, with OCSF, a vendor-agnostic core security schema is now available, enabling a common approach to data sharing among different tools.

OCSF + Amazon Security Lake: A Secure Story

OCSF began as a collaboration between Splunk, AWS and Symantec (Broadcom) and was launched in Black Hat 2022.

By November 2022, AWS introduced Amazon Security Lake, a powerful data lake designed to simplify complexity and reduce costs associated with security-related data management. By aggregating logs, running correlations, and enabling query capabilities across massive security log sources, Amazon Security Lake enhances threat detection, investigation, and incident response.

While efforts to establish open and interoperable standards existed previously, such as Structured Threat Information eXpression (STIX), MITRE ATT&CK framework, and Trusted Automated eXchange of Intelligence Information (TAXII), OCSF has gained rapid traction due to its focus on events representing activities on computer systems, networks, and cloud platforms with security implications. It complements STIX, which primarily focuses on threat intelligence, campaigns, and actors.

OCSF has quickly garnered significant adoption, and one compelling use case is its integration with AWS Security Lake. This combination has the potential to become a popular approach for storing telemetry data, making integration with other security applications seamless.

Leveraging the AWS ecosystem, the world's largest cloud company, OCSF and AWS Security Lake offer customers enhanced visibility and compatibility with a growing list of integrated security applications.

Integration Overview: OCSF and Amazon Security Lake

AWS Security Lake is architected to ingest data from multiple sources, and OCSF adoption amplifies its appeal. With Amazon Security Lake, events are stored in compressed format (Parquet) in Amazon S3 buckets, optimizing data storage and retrieval efficiency.

There are two primary integration options available - Subscriber integrations and Source integrations.

Subscriber integrations

In this approach, data from Amazon Security Lake is ingested into your platform. Since all logs within Amazon Security Lake adhere to the OCSF format, you gain access to data from multiple sources with a well-defined schema.

Source integrations

This integration involves exporting data/events from your platform into Amazon Security Lake. By conforming to the OCSF schema, your customers benefit from standardized and well-defined event data.

Mapping your events correctly to the OCSF schema is crucial for maximizing the value derived from the integration, and the expertise of Metron can assist in suggesting the appropriate OCSF mapping for your event types.

Source: AWS Security Lake

Applications: Amazon Security Lake Integrations

The integration of Amazon Security Lake with various security platforms has opened up new possibilities for customers. Here are a few examples:

XDR Integration: The XDR integration with Amazon Security Lake simplifies the ingestion of security data into the XDR platform. This integration is available through the XDR Marketplace, enabling the export of XDR events into Amazon Security Lake.

Okta Integration: Okta sends identity logs in the OCSF schema to Security Lake via an Amazon EventBridge integration. This integration allows security and data scientist teams to query security events using an open-source standard. Standardized OCSF logs from Okta enable audit activities and generate reports related to authentication, authorization, account changes, and entity changes using a consistent schema.


The combination of OCSF and Amazon Security Lake represents a paradigm shift in the world of security integrations and automation. However, the success of these efforts depends on widespread adoption among security vendors.

Thus far, the OCSF ecosystem has witnessed remarkable growth, with several security platforms enabling seamless integration with AWS Security Lake. As such, the OCSF ecosystem is growing and companies seem to be adapting to a variety of approaches. A few examples below on how other security platforms are enabling the AWS Security Lake.

Enabling direct data transmission:

Aqua Security, Claroty, Confluent, Darktrace, ExtraHop, Gigamon, Sentra, Torq, Trellix, Uptycs.

Integration for data ingestion:

ChaosSearch, New Relic, Ripjar, SOC Prime, Stellar Cyber, Swimlane, Tines, Torq, Wazuh.

3rd Party security, automation, and analytics tools:

Datadog, IBM, Rapid7, SentinelOne, Splunk, Sumo Logic, Trellix.

Third-party sources providing OCSF security data:

Barracuda, Cisco, Cribl, CrowdStrike, CyberArk, Lacework, Laminar, NETSCOUT, Netskope, Okta, Orca, Palo Alto Networks, Ping Identity, Tanium, The Falco Project, Trend Micro, Vectra AI, VMware, Wiz, Zscaler.

In the realm of security, collaboration is crucial.

About Metron:

Metron is a trusted provider of on-demand and effective approaches to managing third-party integrations for security ecosystems. With extensive experience in delivering automation solutions for over 200 security applications, including Amazon Security Lake and OCSF parsers/connectors, Metron has earned the trust of numerous fast-growing security companies and managed security service providers (MSSPs).

Metron’s transparent development processes, deep understanding of security products, and fixed-cost model have resulted in shorter development times and significant cost savings for clients compared to deploying internal engineering teams for similar tasks. Headquartered in Novato, CA, with development offices in Bangalore and Pune, India.

Connect with Metron at