Skip to content

Security Lake

Amazon Security Lake is an OCSF event collection service.

Amazon Security LakeSecurity LakeS3 Bucket✅ Destination: one source per OCSF event class✅ Format: Apache Parquet✅ Schema: OCSF event class✅ Partitioning: <bucket>/ext/ /region= /accountId= /eventDay=✅ Rate: 5min – 1day✅ Sorting: by time<custom-source-name><region><account-id><yyyyMMdd>

Tenzir can send events to ASL via the to_amazon_security_lake operator.

Configuration

Section titled “Configuration”

Follow the standard configuration instructions to authenticate with your AWS credentials.

Set up a custom source in Amazon Security Lake and use its S3 bucket URI with the to_amazon_security_lake operator.

Examples

Section titled “Examples”

Send all OCSF Network Activity events from a Kafka topic to ASL

Section titled “Send all OCSF Network Activity events from a Kafka topic to ASL”

Given a AWS security lake running on eu-west-2, a custom source called tenzir_network_activity set up on that lake and an account with id 123456789012 for it:

let $s3_uri = "s3://aws-security-data-lake-eu-west-2-lake-abcdefghijklmnopqrstuvwxyz1234/ext/tenzir_network_activity/"


load_kafka "ocsf_events"
read_ndjson
where class_uid == ocsf::class_uid("Network Activity")
to_amazon_security_lake $s3_uri,
  region="eu-west-2",
  accountId="123456789012"

Last updated: