Splunk Integrates with Amazon Security Lake to Deliver Analytics Using the Open Cybersecurity Schema Framework

It’s been an exciting few months behind the scenes since the Open Cybersecurity Schema Framework (OCSF) project was made public and announced at Black Hat in August. From the original 18-company coalition that helped define the initial OCSF release, the project now has over 200 individual collaborators from more than 60 organizations. OCSF includes collaborators from educational institutions and government agencies, showing the broad appeal and interest in producing an open security data standard for the benefit of cybersecurity as a whole.

But I’m not writing just to give an update on OCSF membership. This week, at AWS re:Invent, Amazon Web Services (AWS) announced Amazon Security Lake, the first service that utilizes OCSF as the data schema foundation. Amazon Security Lake is in public preview and allows customers to build a security data lake from integrated cloud and on-premises data sources and from their private applications. With Amazon Security Lake, customers can use the security and analytics solutions of their choice to query and analyze that data in place or ingest the OCSF-compliant data to perform advanced analytics and investigations.

Splunk is proud to be one of the early partners of Amazon Security Lake and a leading member of the community implementing OCSF standards that benefit the broader cybersecurity community. In conjunction with the public beta, Splunk has released a public preview of Splunk Add-On for Amazon Security Lake to our Splunkbase content marketplace. This service allows the Splunk platform to efficiently ingest the OCSF-compliant data from Amazon Security Lake, enabling security teams to easily use this data to improve threat detection, investigation and response.

Joint Splunk and AWS customers can benefit significantly from this integration as it delivers one of the big benefits of OCSF, namely the simplification of sharing and analyzing disparate security data by eliminating the step of normalizing the data first. By storing data in OCSF-compliant format, Amazon Security Lake simplifies the work it takes to ingest and analyze security data within Splunk by being a single feed to manage versus multiple services coming from AWS or other Amazon Security Lake security partners.

This work would not have been possible without the long-standing strategic collaboration between Splunk and AWS, which celebrates its tenth year this year. Splunk and AWS are committed to working together to deliver compelling solutions to our joint customers that empower them to solve their most significant business data challenges. This collaboration is just the latest in a long line of high impact innovations that has elevated security operations for our joint customers.


Back in August, we laid out the vision to establish a foundation to help unburden security teams of the work required to collect and normalize security data so they can focus on the threat detection, investigation, and remediation work they are uniquely able to carry out. I am very proud of this first delivery toward that vision and am ever excited about what the future holds and the collaboration within our security community OCSF fosters.

To learn how to connect your Amazon Security Lake data with Splunk, head over to Splunk Add-On for Amazon Security Lake on Splunkbase or review the documentation first and get involved in the public preview program today.

Finally, if you’re attending AWS re:Invent this week in Las Vegas, I encourage you to stop by the Splunk booth (Booth #3516) to experience AWS & Splunk. Splunk is a Diamond sponsor of AWS re:Invent and will be hosting theater sessions, demos, meetings and even our very own McLaren simulator within the booth. Tom Smit, Principal Security Strategist at Splunk, will also be presenting a 60-minute speaking session, “Detecting SSRF attacks in AWS using Splunk'' on Wednesday at 3:15pm PST. To learn more about our presence at AWS re:Invent, check out our re:Invent microsite here.

Paul Agbabian
Posted by

Paul Agbabian

Paul is responsible for technology strategy and architecture for the Security business unit at Splunk. Prior to joining Splunk, Paul was a Broadcom Fellow and the Global CTO and Chief Architect of the Symantec Enterprise Security Business Unit.

Show All Tags
Show Less Tags