Open Cybersecurity Schema Framework

About

The Open Cybersecurity Schema Framework (OCSF) is a collaborative, open-source effort by AWS and leading partners in the cybersecurity industry. OCSF provides a standard schema for common security events, defines versioning criteria to facilitate schema evolution, and includes a self-governance process for security log producers and consumers.

Product Details

Vendor URL: OCSF

Product Type: AWS

Product Tier: Tier II

Integration Method: Custom

Log Guide: OCSF Log Guide

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: OCSF

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
actor.process.user.full_name principal.user.user_display_name
actor.session.issuer security_result.about.user.userid
actor.user.domain target.administrative_domain
actor.user.email_addr principal.user.email_addresses
actor.user.groups.0.uid principal.user.group_identifiers
actor.user.name principal.user.userid
actor.user.org.name principal.user.company_name
actor.user.org.ou_name principal.user.department
actor.user.type principal.resource.type
actor.user.uuid principal.user.userid
additionalEventData.AuthenticationMethod extensions.auth.auth_details
additionalEventData.bytesTransferredIn network.received_bytes
additionalEventData.bytesTransferredOut network.sent_bytes
api.operation metadata.product_event_type
api.response.code network.http.response_code
api.response.message metadata.description
api.service.name target.application
category_uid - category_name security_result.category_details
certificate.issuer network.tls.client.certificate.issuer
certificate.serial_number network.tls.client.certificate.serial
class_name metadata.log_type
cloud.account_uid principal.group.product_object_id
cloud.org.name about.resource.name
cloud.org.uid about.resource.product_object_id
cloud.project_uid principal.resource.product_object_id
cloud.provider principal.asset.attribute.cloud.environment
cloud.region principal.location.name
cloud.zone about.resource.attribute.cloud.availability_zone
confidence security_result.confidence
confidence_score security_result.confidence_details
cve.cvss.base_score extensions.vulns.vulnerabilities.cvss_base_score
cve.cvss.vector_string extensions.vulns.vulnerabilities.cvss_vector
cve.cvss.version extensions.vulns.vulnerabilities.cvss_version
cve.product.name extensions.vulns.vulnerabilities.about.application
cve.product.uid extensions.vulns.vulnerabilities.about.asset_id
dst_endpoint_ip target.ip
finding.desc security_result.description
finding.product_uid principal.asset_id
finding.src_url security_result.url_back_to_product
http_request.url.port target.port
http_request.user_agent network.http.user_agent
logon_process.user.domain principal.administrative_domain
mal.name security_result.threat_name
mal.uid security_result.threat_id
metadata.product.feature.name security_result.category_details
metadata.product.name metadata.product_name
metadata.product.vendor_name metadata.vendor_name
metadata.product.version metadata.product_version
metadata.uid metadata.product_log_id
process.parent_process.user.group.0.name principal.group.group_display_name
process.parent_process.user.group.0.uid principal.user.group_identifiers
process.user.domain principal.administrative_domain
process.user.group.0.name principal.group.group_display_name
process.user.group.0.uid principal.user.group_identifiers
process.user.org.name principal.user.company_name
process.user.uid principal.user.product_object_id
recipientAccountId principal.group.product_object_id
resource.name target.resource.name
resource.region target.location.name
resource.type target.resource.resource_subtype
session.uid network.session_id
severity_id security_result.severity
src_endpoint.ip principal.ip
status security_result.action_details
tls.certificate.fingerprint network.tls.client.certificate.md5
tls.certificate.fingerprint network.tls.client.certificate.sha1
tls.certificate.fingerprint network.tls.client.certificate.sha256
tls.certificate.subject network.tls.client.certificate.subject
tls.certificate.version network.tls.client.certificate.version
tls.sni network.tls.client.server_name
tls.version network.tls.version_protocol
tlsDetails.cipherSuite network.tls.cipher
tlsDetails.clientProvidedHostHeader target.hostname
tlsDetails.tlsVersion network.tls.version_protocol
type_name metadata.product_event_type
user.name target.user.userid
userIdentity.sessionContext.sessionIssuer.accountId principal.user.group_identifiers
userIdentity.sessionContext.sessionIssuer.userName principal.user.user_display_name

Product Event Types

Event UDM Event Classification
Audit Activity GENERIC_EVENT
Authentication USER_LOGIN
Authentication USER_LOGOUT
Authentication USER_UNCATEGORIZED
Authorize Session USER_CHANGE_PERMISSIONS
Authorize Session GROUP_MODIFICATION
Authorize Session USER_UNCATEGORIZED
FTP Activity NETWORK_FTP
HTTP Activity NETWORK_HTTP
Network Activity NETWORK_UNCATEGORIZED
Network Activity NETWORK_CONNECTION
Network File Activity FILE_DELETION
Process Activity PROCESS_LAUNCH
Process Activity PROCESS_TERMINATION
Process Activity PROCESS_OPEN
Process Activity PROCESS_INJECTION
Process Activity PROCESS_UNCATEGORIZED
Security Finding FILE_MODIFICATION
Security Finding FILE_OPEN
Security Finding FILE_UNCATEGORIZED

Log Sample

{
  "Metadata": {
    "Product": {
      "Version": "1.08",
      "Name": "CloudTrail",
      "Vendor_name": "AWS",
      "Feature": {"Name": "Management"}
    },
    "Uid": "123456-2345-2345-2345-23456789",
    "Profiles": {"Array": ["cloud"]},
    "Version": "1.0.0-rc.2"
  },
  "Time": 1709738455000,
  "Cloud": {"Region": "us-east-1", "Provider": "AWS"},
  "Api": {
    "Response": null,
    "Operation": "DescribeAccountAttributes",
    "Version": null,
    "Service": {"Name": "rds.amazonaws.com"},
    "Request": {"Uid": "12345-1234-1234-1234-123456789"}
  },
  "Dst_endpoint": null,
  "Actor": {
    "User": {
      "Type": "AssumedRole",
      "Name": null,
      "Uid": "ABCDEFGHIJKLMNOP:LMAssumeRoleSession",
      "Uuid": "arn:aws:sts::123456789:assumed-role/LogicMonitorAccessRole/LMAssumeRoleSession",
      "Account_uid": "123456789",
      "Credential_uid": "ABCDEFGHIJKLM"
    },
    "Session": {
      "Created_time": 1709735648000,
      "Mfa": false,
      "Issuer": "arn:aws:iam::123456789:role/LogicMonitorAccessRole"
    },
    "Invoked_by": null,
    "Idp": null
  },
  "Http_request": {"User_agent": "aws-sdk-java/2.22.10 Linux/user_agent_example"},
  "Src_endpoint": {"Uid": null, "Ip": "10.10.0.0", "Domain": null},
  "Resources": null,
  "Class_name": "API Activity",
  "Class_uid": 3000,
  "Category_name": "Audit Activity",
  "Category_uid": 3,
  "Severity_id": 1,
  "Severity": "Informational",
  "User": null,
  "Activity_name": "Read",
  "Activity_id": 2,
  "Type_uid": 300000,
  "Type_name": "API Activity: Read",
  "Status": "Success",
  "Status_id": 1,
  "Mfa": null,
  "Unmapped": {
    "Map": [
      {"Key": "userIdentity.sessionContext.sessionIssuer.type", "Value": "Role"},
      {"Key": "tlsDetails.clientProvidedHostHeader", "Value": "us-east-1.amazonaws.com"},
      {"Key": "userIdentity.sessionContext.sessionIssuer.userName", "Value": "LogicMonitorAccessRole"},
      {"Key": "userIdentity.sessionContext.sessionIssuer.principalId", "Value": "ABCDEFGHIJKLMNOP"},
      {"Key": "recipientAccountId", "Value": "123456789"},
      {"Key": "readOnly", "Value": "true"},
      {"Key": "tlsDetails.tlsVersion", "Value": "TLSv1.3"},
      {"Key": "eventType", "Value": "AwsApiCall"},
      {"Key": "managementEvent", "Value": "true"},
      {"Key": "userIdentity.sessionContext.sessionIssuer.accountId", "Value": "123456789"},
      {"Key": "tlsDetails.cipherSuite", "Value": "TLS_ABC_123_ABC_SHA256"}
    ]
  }
}

Sample Parsing

additional.fields["accessKeyId"] = "ABCDEFGHIJKLM"
additional.fields["Event Type"] = "AwsApiCall"
additional.fields["managementEvent"] = "true"
metadata.description = "AwsApiCall"
metadata.product_event_type = "DescribeAccountAttributes"
metadata.product_log_id = "123456-2345-2345-2345-23456789"
metadata.product_name = "CloudTrail"
metadata.product_version = "1.08"
metadata.vendor_name = "AWS"
network.http.parsed_user_agent.family = "USER_DEFINED"
network.http.user_agent = "aws-sdk-java/2.22.10 Linux/user_agent_example"
network.tls.cipher = "TLS_ABC_123_ABC_SHA256"
network.tls.version_protocol = "TLSv1.3"
principal.asset.attribute.cloud.environment = "AMAZON_WEB_SERVICES"
principal.group.product_object_id = "123456789"
principal.ip = "10.10.0.0"
principal.location.name = "us-east-1"
principal.namespace = "CloudTrail"
principal.resource.type = "AssumedRole"
principal.user.attribute.labels.key = "readOnly"
principal.user.attribute.labels.value = "true"
principal.user.attribute.labels.key = "ARN"
principal.user.attribute.labels.value = "arn:aws:sts::123456789:assumed-role/LogicMonitorAccessRole/LMAssumeRoleSession"
principal.user.group_identifiers = "123456789"
principal.user.product_object_id = "ABCDEFGHIJKLMNOP:LMAssumeRoleSession"
principal.user.user_display_name = "LogicMonitorAccessRole"
principal.user.userid = "arn:aws:sts::123456789:assumed-role/LogicMonitorAccessRole/LMAssumeRoleSession"
security_result.about.namespace = "CloudTrail"
security_result.about.user.userid = "arn:aws:iam::123456789:role/LogicMonitorAccessRole"
security_result.action_details = "Success"
security_result.action = "ALLOW"
security_result.category_details = "3 - Audit Activity"
security_result.category_details = "Management"
security_result.detection_fields.key = "class_uid"
security_result.detection_fields.value = "3000"
security_result.detection_fields.key = "type_name"
security_result.detection_fields.value = "API Activity: Read"
security_result.detection_fields.key = "type_uid"
security_result.detection_fields.value = "300000"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "Informational"
target.application = "rds.amazonaws.com"
target.hostname = "us-east-1.amazonaws.com"
target.namespace = "CloudTrail"
target.resource.attribute.labels.key = "Recipient Account Id"
target.resource.attribute.labels.value = "123456789"
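To show how the "Log File Field / UDM Field" table is applied to the Log Sample to produce the Sample Parsing output, here is an added Python example; it is not the parser's own code and not OCSF or AWS code. It resolves the table's lower-case dotted paths against the sample's capitalised OCSF keys, indexes list segments such as groups.0.uid, pulls raw CloudTrail keys (tlsDetails.tlsVersion, recipientAccountId, userIdentity.sessionContext.sessionIssuer.userName) out of the Unmapped key/value list, skips null sources such as Api.Response, and reproduces the composite category_details value and the enumerated severity and cloud.environment values. The field subset, the abbreviated copy of the sample event, and the severity rows other than 1 to INFORMATIONAL are assumptions made for the example.

```python
import json

# Constructed, abbreviated copy of the page's Log Sample: same capitalised key
# spelling and values as the page, with fields this example does not use removed.
SAMPLE_EVENT = {
    "Metadata": {"Product": {"Version": "1.08", "Name": "CloudTrail", "Vendor_name": "AWS",
                             "Feature": {"Name": "Management"}}},
    "Cloud": {"Region": "us-east-1", "Provider": "AWS"},
    "Api": {"Response": None, "Operation": "DescribeAccountAttributes",
            "Service": {"Name": "rds.amazonaws.com"}},
    "Actor": {
        "User": {"Type": "AssumedRole", "Name": None,
                 "Uuid": "arn:aws:sts::123456789:assumed-role/LogicMonitorAccessRole/LMAssumeRoleSession"},
        "Session": {"Mfa": False, "Issuer": "arn:aws:iam::123456789:role/LogicMonitorAccessRole"},
    },
    "Http_request": {"User_agent": "aws-sdk-java/2.22.10 Linux/user_agent_example"},
    "Src_endpoint": {"Ip": "10.10.0.0"},
    "Category_name": "Audit Activity", "Category_uid": 3, "Severity_id": 1, "Status": "Success",
    "Unmapped": {"Map": [
        {"Key": "tlsDetails.clientProvidedHostHeader", "Value": "us-east-1.amazonaws.com"},
        {"Key": "userIdentity.sessionContext.sessionIssuer.userName", "Value": "LogicMonitorAccessRole"},
        {"Key": "recipientAccountId", "Value": "123456789"},
        {"Key": "tlsDetails.tlsVersion", "Value": "TLSv1.3"},
        {"Key": "tlsDetails.cipherSuite", "Value": "TLS_ABC_123_ABC_SHA256"},
    ]},
}

# Subset of the page's mapping table. Order matters where two sources feed one
# UDM field (actor.user.name, then actor.user.uuid): the last non-null source wins.
FIELD_MAP = [
    ("metadata.product.name", "metadata.product_name"),
    ("metadata.product.vendor_name", "metadata.vendor_name"),
    ("api.operation", "metadata.product_event_type"),
    ("api.response.code", "network.http.response_code"),
    ("api.service.name", "target.application"),
    ("cloud.region", "principal.location.name"),
    ("src_endpoint.ip", "principal.ip"),
    ("actor.user.type", "principal.resource.type"),
    ("actor.user.name", "principal.user.userid"),
    ("actor.user.uuid", "principal.user.userid"),
    ("actor.session.issuer", "security_result.about.user.userid"),
    ("http_request.user_agent", "network.http.user_agent"),
    ("status", "security_result.action_details"),
    ("tlsDetails.tlsVersion", "network.tls.version_protocol"),
    ("tlsDetails.cipherSuite", "network.tls.cipher"),
    ("tlsDetails.clientProvidedHostHeader", "target.hostname"),
    ("recipientAccountId", "principal.group.product_object_id"),
    ("userIdentity.sessionContext.sessionIssuer.userName", "principal.user.user_display_name"),
]

# Enumerated values. The page shows only 1 -> INFORMATIONAL and AWS -> AMAZON_WEB_SERVICES;
# the other severity rows follow the OCSF severity_id enumeration and are an assumption here.
SEVERITY = {0: "UNKNOWN_SEVERITY", 1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM",
            4: "HIGH", 5: "CRITICAL", 6: "CRITICAL"}
PROVIDER = {"AWS": "AMAZON_WEB_SERVICES"}


def lookup(obj, path):
    """Resolve a dotted path case-insensitively (table keys are lower-case, the
    sample's are capitalised); a numeric segment indexes a list, e.g. groups.0.uid."""
    cur = obj
    for seg in path.split("."):
        if isinstance(cur, list):
            if not seg.isdigit() or int(seg) >= len(cur):
                return None
            cur = cur[int(seg)]
        elif isinstance(cur, dict):
            key = next((k for k in cur if k.lower() == seg.lower()), None)
            if key is None:
                return None
            cur = cur[key]
        else:
            return None  # hit null or a scalar before the path was consumed
    return cur


def unmapped(event):
    """Flatten Unmapped.Map ([{Key, Value}, ...]) into a dict of raw CloudTrail keys."""
    entries = lookup(event, "unmapped.map") or []
    return {e["Key"]: e["Value"] for e in entries if isinstance(e, dict) and "Key" in e}


def normalize(raw_json):
    """Apply FIELD_MAP plus the composite and enumerated rules to one OCSF record."""
    event = json.loads(raw_json)
    extra = unmapped(event)
    out = {}
    for src, udm in FIELD_MAP:
        val = lookup(event, src)
        if val is None:
            val = extra.get(src)  # raw CloudTrail keys only survive in Unmapped
        if val is None:
            continue              # null sources (Api.Response here) emit no UDM field
        out[udm] = val
    uid, name = lookup(event, "category_uid"), lookup(event, "category_name")
    if uid is not None and name is not None:
        out["security_result.category_details"] = f"{uid} - {name}"
    sev = lookup(event, "severity_id")
    if sev in SEVERITY:
        out["security_result.severity"] = SEVERITY[sev]
    prov = lookup(event, "cloud.provider")
    if prov in PROVIDER:
        out["principal.asset.attribute.cloud.environment"] = PROVIDER[prov]
    return out


def normalize_sample():
    """Run the constructed sample through normalize()."""
    return normalize(json.dumps(SAMPLE_EVENT))


if __name__ == "__main__":
    for field, value in sorted(normalize_sample().items()):
        print(f"{field} = {value!r}")
```

Running the script prints the UDM fields in the same "field = value" form as the Sample Parsing section. Two behaviours worth noting when checking a parser like this: a source that is present but null (Api.Response in the sample) must produce no UDM field rather than the string "null", and the raw CloudTrail keys are only reachable through the Unmapped list, so a path that is not found in the OCSF tree must fall through to that list before being treated as absent.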