AWS and Splunk Unite to Simplify Cybersecurity Logs
AWS and Splunk launch OCSF with contributions from Symantec, Broadcom, Cloudflare
Security teams have long wrestled with a flood of logs that speak different dialects. When an incident surfaces, analysts must translate data from firewalls, endpoint agents, cloud services and SaaS platforms before they can stitch a coherent picture. That translation step eats time, introduces errors, and often stalls response.
A shared schema promises to cut through the noise, giving each tool a common vocabulary so alerts can be correlated automatically. Imagine a world where a breach alert from a firewall lands in the same format as a credential‑theft warning from an identity provider—no custom parsers, no manual mapping. That promise is the engine behind the Open Cybersecurity Schema Framework, or OCSF.
It aims to be the lingua franca that security operations have been missing, letting vendors and customers speak the same language without sacrificing the depth of their own data.
The project was announced in August 2022 by Amazon AWS and Splunk, building on work contributed by Symantec, Broadcom, and other well-known infrastructure giants: Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler. The OCSF community has kept up a steady cadence of releases over the last two years, and it has grown quickly. AWS said in August 2024 that OCSF had expanded from a 17-company initiative into a community with more than 200 participating organizations and 800 contributors, a figure that reached 900 when OCSF joined the Linux Foundation in November 2024.
OCSF is showing up across the industry
In the observability and security space, OCSF is everywhere. AWS Security Lake converts natively supported AWS logs and events into OCSF and stores them in Parquet. AWS AppFabric can output OCSF-normalized audit data.
AWS Security Hub findings use OCSF, and AWS publishes an extension for cloud-specific resource details. Splunk can translate incoming data into OCSF with Edge Processor and Ingest Processor. Cribl supports converting streaming data into OCSF and compatible formats.
Palo Alto Networks can forward Strata Logging Service data into Amazon Security Lake in OCSF. CrowdStrike sits on both sides of the OCSF pipe: Falcon data is translated into OCSF for Security Lake, and Falcon Next-Gen SIEM is positioned to ingest and parse OCSF-formatted data. OCSF is one of those rare standards that has crossed the chasm from abstract specification to operational plumbing across the industry.
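To make the translation problem concrete, here is a small added example (not code from OCSF, AWS, Splunk or any vendor named above) that takes two constructed log records, a syslog-style VPN authentication line and a JSON identity-provider session event, and maps both into one OCSF-shaped Authentication event so they can be correlated by user and source address without per-vendor logic downstream. The vendor formats, product names and sample values are invented for illustration; the OCSF identifiers used (Authentication class_uid 3002, category_uid 3, activity_id 1 for Logon, status_id 1/2 for Success/Failure) are used as I know them from the schema and should be checked against the schema version you target.

```python
"""Normalize two constructed vendor log records into an OCSF-style
Authentication event and correlate them by (user, source IP).

Added illustration: the input formats and product names are hypothetical,
and the OCSF field names/ids are assumptions to verify against the schema.
"""
import json
import re
from datetime import datetime

# --- Constructed sample inputs (not real product output) --------------------
FIREWALL_LINE = ('2024-05-01T10:15:02Z fw01 vpn-auth: user="alice" '
                 'src=203.0.113.7 result=FAILED reason="bad password"')
IDP_EVENT = json.dumps({
    "eventType": "user.session.start",
    "published": "2024-05-01T10:15:30.000Z",
    "actor": {"alternateId": "alice@example.com"},
    "client": {"ipAddress": "203.0.113.7"},
    "outcome": {"result": "SUCCESS"},
})

# --- OCSF identifiers (assumption: verify against your schema version) ------
AUTH_CLASS_UID = 3002      # Authentication event class
IAM_CATEGORY_UID = 3       # Identity & Access Management category
ACTIVITY_LOGON = 1         # activity_id: Logon
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SCHEMA_VERSION = "1.1.0"   # assumed target schema version


def _epoch_ms(ts: str) -> int:
    """Convert an ISO-8601 UTC timestamp to epoch milliseconds (OCSF 'time')."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)


def _base_event(product: str, time_ms: int, status_id: int, user: str, src_ip: str) -> dict:
    """Build the common OCSF-shaped Authentication event both sources map into."""
    return {
        "class_uid": AUTH_CLASS_UID,
        "category_uid": IAM_CATEGORY_UID,
        "activity_id": ACTIVITY_LOGON,
        "time": time_ms,
        "status_id": status_id,
        "severity_id": 1 if status_id == STATUS_SUCCESS else 3,  # Informational / Medium
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "metadata": {"product": {"name": product}, "version": SCHEMA_VERSION},
    }


# Hypothetical firewall line grammar: ts host vpn-auth: user="..." src=... result=...
FW_RE = re.compile(r'^(?P<ts>\S+) \S+ vpn-auth: user="(?P<user>[^"]+)" '
                   r'src=(?P<ip>\S+) result=(?P<result>\w+)')


def normalize_firewall(line: str) -> dict:
    """Map the hypothetical VPN gateway syslog line into the OCSF shape."""
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised firewall line: {line!r}")
    status = STATUS_SUCCESS if m["result"] == "OK" else STATUS_FAILURE
    return _base_event("Hypothetical VPN Gateway", _epoch_ms(m["ts"]),
                       status, m["user"], m["ip"])


def normalize_idp(raw: str) -> dict:
    """Map the hypothetical identity-provider JSON event into the OCSF shape."""
    ev = json.loads(raw)
    user = ev["actor"]["alternateId"].split("@")[0]   # keep the bare username
    status = STATUS_SUCCESS if ev["outcome"]["result"] == "SUCCESS" else STATUS_FAILURE
    return _base_event("Hypothetical IdP", _epoch_ms(ev["published"]),
                       status, user, ev["client"]["ipAddress"])


def correlate(events: list, window_ms: int = 300_000) -> list:
    """Flag (user, src ip) pairs where a failed logon is followed by a success
    within window_ms, regardless of which product reported each event."""
    by_key: dict = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_key.setdefault((ev["user"]["name"], ev["src_endpoint"]["ip"]), []).append(ev)
    findings = []
    for (user, ip), evs in by_key.items():
        failures = [e for e in evs if e["status_id"] == STATUS_FAILURE]
        for s in (e for e in evs if e["status_id"] == STATUS_SUCCESS):
            if any(0 <= s["time"] - f["time"] <= window_ms for f in failures):
                findings.append({"user": user, "src_ip": ip,
                                 "products": sorted({e["metadata"]["product"]["name"] for e in evs})})
                break
    return findings


if __name__ == "__main__":
    normalized = [normalize_firewall(FIREWALL_LINE), normalize_idp(IDP_EVENT)]
    print(json.dumps(normalized, indent=2))
    print(json.dumps(correlate(normalized), indent=2))
```

The point of the example is that `correlate` never inspects a vendor format: once both records share `class_uid`, `user.name`, `src_endpoint.ip` and `status_id`, a failed-then-successful logon from the same user and address is visible across products with one generic rule, which is the manual mapping work the article says OCSF is meant to remove.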
AI is giving the OCSF story fresh urgency
When enterprises deploy AI infrastructure, large language models (LLMs) sit at the core, surrounded by complex distributed systems such as model gateways, agent runtimes, vector stores, tool calls, retrieval systems, and policy engines.
Will a shared language finally ease the burden of translating security data? The Open Cybersecurity Schema Framework (OCSF) aims to do exactly that, offering a common structure for events, findings, objects and context. Launched in August 2022 by AWS and Splunk, the effort builds on work contributed by Symantec, Broadcom and a roster of infrastructure leaders including Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro and Zscaler.
Its promise is simple: reduce the time spent renaming fields and reconciling formats. Yet adoption remains uncertain; the industry has yet to co‑ordinate around a single schema at scale.
If vendors embrace OCSF, analysts say integration could become less of a patchwork. Conversely, entrenched proprietary models may slow progress. The framework is positioned as one of the strongest candidates for a unified data language, but whether it will achieve broad consensus is still unclear.
For now, OCSF represents a collaborative attempt to standardise security telemetry, and its future impact will depend on how quickly the community moves beyond competing formats.
Common Questions Answered
What is the primary goal of the Open Cybersecurity Schema Framework (OCSF)?
The OCSF aims to create a common language and structure for security logs and events across different tools and platforms. By establishing a shared schema, it helps security teams quickly correlate and understand alerts from various sources, reducing translation time and potential errors during incident response.
Which major technology companies are contributing to the OCSF initiative?
The OCSF was initially launched by AWS and Splunk in August 2022, with significant contributions from companies like Symantec, Broadcom, Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, and others. The project has grown from an initial 17-company collaboration to a broader community working on standardizing cybersecurity event reporting.
How does the OCSF help address challenges in security log management?
The OCSF tackles the problem of disparate log formats by providing a common vocabulary and structure for security events across different platforms and tools. This approach eliminates the need for manual translation of logs from firewalls, endpoint agents, cloud services, and SaaS platforms, thereby streamlining incident response and reducing potential errors.