parseToOCSF - Amazon CloudWatch Logs

parseToOCSF

The parseToOCSF processor converts logs into Open Cybersecurity Schema Framework (OCSF) events. OCSF is an open standard that provides a common schema for security data, enabling better interoperability and analysis across different security tools and platforms.

This processor is particularly useful for security analytics workflows where you need to standardize log formats from various AWS services into a consistent schema for downstream analysis.

Parameters

eventSource (required)

Specifies the AWS service or process that produces the log events to be converted. Valid values are:

  • CloudTrail - CloudTrail logs

  • Route53Resolver - Route 53 Resolver logs

  • VPCFlow - Amazon VPC Flow Logs

  • EKSAudit - Amazon EKS audit logs

  • AWSWAF - AWS WAF logs

ocsfVersion (required)

Specifies which version of the OCSF schema to use for the transformed log events. Currently supported version: V1.1

source (optional)

The path to the field in the log event that you want to parse. If omitted, the entire log message is parsed.

Example

The following example shows how to use parseToOCSF to convert VPC Flow Logs to OCSF format:

{
    "parseToOCSF": {
        "eventSource": "VPCFlow",
        "ocsfVersion": "V1.1"
    }
}
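The following Python helper is an added example, not code from the AWS documentation. It builds a parseToOCSF processor entry and checks a whole transformer configuration against the constraints stated on this page (the five valid eventSource values, the single supported ocsfVersion, and the optional source path), so that an invalid configuration is caught before it is sent to the service. It assumes that a transformer configuration is a list of single-key processor objects, which is the shape of the example above; the field name "message" used in the sample configuration is a constructed placeholder.

```python
"""Build and validate CloudWatch Logs transformer entries for parseToOCSF.

Added example, not AWS documentation code. Assumption: a transformer
configuration is a list of single-key processor objects, as in the
documented example; everything here runs offline and makes no API call.
"""
from typing import Optional

# Values documented for the parseToOCSF processor on this page.
VALID_EVENT_SOURCES = {"CloudTrail", "Route53Resolver", "VPCFlow", "EKSAudit", "AWSWAF"}
SUPPORTED_OCSF_VERSIONS = {"V1.1"}


def build_parse_to_ocsf(event_source: str, ocsf_version: str = "V1.1",
                        source: Optional[str] = None) -> dict:
    """Return one parseToOCSF processor entry, rejecting undocumented values."""
    if event_source not in VALID_EVENT_SOURCES:
        raise ValueError(
            f"eventSource {event_source!r} is not one of {sorted(VALID_EVENT_SOURCES)}")
    if ocsf_version not in SUPPORTED_OCSF_VERSIONS:
        raise ValueError(
            f"ocsfVersion {ocsf_version!r} is not one of {sorted(SUPPORTED_OCSF_VERSIONS)}")
    params = {"eventSource": event_source, "ocsfVersion": ocsf_version}
    if source is not None:
        # source is the path of the field to parse; omit it to parse the whole message.
        if not isinstance(source, str) or not source.strip():
            raise ValueError("source must be a non-empty field path when given")
        params["source"] = source
    return {"parseToOCSF": params}


def validate_transformer_config(config) -> list:
    """Return a list of problems found in a transformer config (empty means OK).

    Only parseToOCSF entries are inspected in detail; other processor types
    are accepted as long as they have the single-key object shape.
    """
    problems = []
    if not isinstance(config, list) or not config:
        return ["transformerConfig must be a non-empty list of processors"]
    for i, proc in enumerate(config):
        if not isinstance(proc, dict) or len(proc) != 1:
            problems.append(f"processor {i}: each entry must be an object with one key")
            continue
        name, params = next(iter(proc.items()))
        if name != "parseToOCSF":
            continue
        if not isinstance(params, dict):
            problems.append(f"processor {i}: parseToOCSF parameters must be an object")
            continue
        for required in ("eventSource", "ocsfVersion"):
            if required not in params:
                problems.append(f"processor {i}: parseToOCSF is missing {required}")
        if params.get("eventSource") not in VALID_EVENT_SOURCES and "eventSource" in params:
            problems.append(f"processor {i}: unknown eventSource {params['eventSource']!r}")
        if params.get("ocsfVersion") not in SUPPORTED_OCSF_VERSIONS and "ocsfVersion" in params:
            problems.append(f"processor {i}: unsupported ocsfVersion {params['ocsfVersion']!r}")
        unknown = set(params) - {"eventSource", "ocsfVersion", "source"}
        if unknown:
            problems.append(f"processor {i}: unexpected parameter(s) {sorted(unknown)}")
    return problems


def sample_config() -> list:
    """Constructed transformer config: parse the nested "message" field (placeholder name)
    of each event as a CloudTrail record and convert it to OCSF V1.1."""
    return [build_parse_to_ocsf("CloudTrail", "V1.1", source="message")]


if __name__ == "__main__":
    cfg = sample_config()
    print(cfg)
    print("problems:", validate_transformer_config(cfg))
    # A config using an eventSource the processor does not support.
    bad = [{"parseToOCSF": {"eventSource": "S3", "ocsfVersion": "V1.1"}}]
    print("problems:", validate_transformer_config(bad))
```

Running the validator before submitting a transformer configuration turns a service-side rejection (or, worse, a silently misconfigured pipeline) into an explicit error, which matters when the OCSF output feeds detection logic downstream.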