OCSF Goes Into High Gear with Amazon Security Lake Launch and New OCSF Release Candidate

Buckle up, security community! OCSF is on a roll. In my last blog, I reported on the accelerating momentum of the Open Cybersecurity Schema Framework (OCSF), an open source project that delivers a common vendor-agnostic taxonomy to help security teams save time and effort on normalizing disparately formatted data. Today, I am excited to discuss two new major OCSF developments. 

Amazon Security Lake and Splunk Add-On for AWS Become Generally Available

First, Amazon Security Lake — announced for public preview at AWS re:Invent in November of 2022 — is now generally available. Amazon Security Lake uses OCSF as the data schema and Parquet as the storage format to centralize security data from 80 sources, including Amazon VPC, AWS CloudTrail, Amazon Route 53, Amazon S3, AWS Lambda and other AWS and third-party solutions. 

As a proud AWS Amazon Security Lake launch partner and fellow member of the OCSF Steering Committee, Splunk is excited to announce general availability of the Splunk Add-On for AWS v.7.0 that brings support for Amazon Security Lake and enables the ingestion of all Amazon Security Lake data into the Splunk platform for in-depth analysis. Splunk Enterprise Security can also readily use Amazon Security Lake data to perform streaming analytics for real-time detection of suspicious behaviors that may indicate insider threats, credential compromise, lateral movement and living-off-the-land attacks.

To see Amazon Security Lake and Splunk in joint OCSF action, visit the Splunk booth #128 and attend our session at AWS re:Inforce in Anaheim, CA.

If you are ready to get started with Splunk and Amazon Security Lake, I invite you to take the Splunk Add-On for AWS for a ride.  And let the installation instructions and release notes be your co-pilots.

OCSF Release Candidate 3 Launches for Public Review

The OCSF open consortium has been hard at work, and we are happy to announce Release Candidate 3 (RC3), which is the version of the schema that will become the 1.0 generally available (GA) release after a short review period to give industry and members time to prepare their products for that release. Additions to the schema on the 1.x train will include new classes, objects and categories — all backwards compatible with RC3 and 1.0 GA.

A few important changes have been made over the last few weeks leading up to RC3, including a new Identity and Access Management category, replacing the Access Control category, with new and updated classes that better model real events across major cloud platforms and desktop operating systems. Operating system-specific extensions for Linux and Windows were added to the schema, schema browser and API server (found here). The schema browser has been enhanced with links to MITRE D3FEND for object references, an associative graph to show the relationships among objects of a given event class, as well as details and cross-references for profiles, similar to cross-references for attributes and objects.

A question that I frequently get from OCSF members and others is how to choose the right event class for program or service events. For a detailed answer, check out the “How do I create a typical OCSF event?” section in the OCSF-docs repository’s Schema FAQ. In brief, you should first select the OCSF Category that best fits your event, e.g., the Identity and Access Management category, then select the class that best describes the type of event. Every OCSF event has an activity_id enumeration, which is a more specific activity type for that event class. From there, browse and select a profile or combination thereof that can be applied to that class, for example Security Controls or Cloud. The profiles augment the standard classes with more specific context.  

And if you can’t find the right event class, you can always extend the schema using the framework mechanisms. Check out the instructions here. Or better yet, join us and contribute to the core OCSF schema!  Interested? Let me know at

The OCSF Release Candidate 3 is available for public review here. I invite you to check it out and provide your feedback via GitHub or Slack OCSF member workspace (if you are not part of it yet, please request to join via

Paul Agbabian
Posted by

Paul Agbabian

Paul is responsible for technology strategy and architecture for the Security business unit at Splunk. Prior to joining Splunk, Paul was a Broadcom Fellow and the Global CTO and Chief Architect of the Symantec Enterprise Security Business Unit.

Show All Tags
Show Less Tags