Editorial illustration for AWS and Splunk launch OCSF with contributions from Symantec, Broadcom, Cloudflare
AWS and Splunk Unite to Simplify Cybersecurity Logs
AWS and Splunk launch OCSF with contributions from Symantec, Broadcom, Cloudflare
Most security tools are chatty, but they don't speak the same language. For years, vendors cranked out logs in proprietary formats, forcing analysts to waste time on translation instead of actual threats. That era is ending.
The Open Cybersecurity Schema Framework, or OCSF, has become real infrastructure. Launched two years ago by AWS and Splunk with a handful of others, it now has over 200 organizations and 900 contributors shaping it under the Linux Foundation. The goal was always to build a shared data schema. The urgency now comes from AI.
Modern AI deployments are sprawling things. Large language models sit at the center of a messy solar system: gateways, agents, vector stores, policy engines. Each component generates telemetry.
Without a common way to describe that data, the result is a deafening cacophony of alerts. OCSF is becoming the standard vocabulary to make sense of it.
In the observability and security space, OCSF is everywhere. AWS Security Lake converts natively supported AWS logs and events into OCSF and stores them in Parquet.
Adoption has moved beyond pledges. AWS uses OCSF as the native format for its Security Lake. Splunk and Cribl can translate data into it.
Palo Alto Networks and CrowdStrike are wired in. It's the pipe connecting major platforms.
This matters because standards usually fail. They get debated in committees and rot as PDFs. OCSF escaped that fate.
It became operational plumbing before most people noticed. AI's complexity is now guaranteeing its future. The framework turns a firehose of machine-generated events into something a model, or a human, can actually parse.
It makes machine-speed analysis possible.
The quiet consensus among big vendors means the question is shifting. It's no longer if your tools will support OCSF, but when you'll start demanding they do. The cost of ignoring a common language is rising fast.
Common Questions Answered
What is the primary goal of the Open Cybersecurity Schema Framework (OCSF)?
The OCSF aims to create a common language and structure for security logs and events across different tools and platforms. By establishing a shared schema, it helps security teams quickly correlate and understand alerts from various sources, reducing translation time and potential errors during incident response.
Which major technology companies are contributing to the OCSF initiative?
The OCSF was initially launched by AWS and Splunk in August 2022, with significant contributions from companies like Symantec, Broadcom, Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, and others. The project has grown from an initial 17-company collaboration to a broader community working on standardizing cybersecurity event reporting.
How does the OCSF help address challenges in security log management?
The OCSF tackles the problem of disparate log formats by providing a common vocabulary and structure for security events across different platforms and tools. This approach eliminates the need for manual translation of logs from firewalls, endpoint agents, cloud services, and SaaS platforms, thereby streamlining incident response and reducing potential errors.
Further Reading
- Papers with Code - Latest NLP Research — Papers with Code
- Hugging Face Daily Papers — Hugging Face
- ArXiv CS.CL (Computation and Language) — ArXiv