Amazon Security Lake using OCSF's Detection Finding event class

0

Hello!

I'm working on an integration for Wazuh and Amazon Security Lake as a custom source. Due to the nature of the events generated by Wazuh, and after performing an analysis of the event classes provided by OCSF, we decided to use the Detection Finding (2004) class, instead of the Security Finding class, which is tagged as deprecated. According to the docs, Amazon Security Lake supports OCSF v1.1.0, so using the Detection Finding class should be allowed, but to my surprise, this event class is not present in the dropdown selector when creating a custom source.

Any thoughts about this? How can we continue with the integration using the Detection Finding class?


Alex R
asked 11 days ago, 57 views
1 Answer
0

The issue you're facing with the missing "Detection Finding" event class in the Amazon Security Lake custom source creation process is likely due to a discrepancy between the OCSF specification version supported by Amazon Security Lake and the version you're referencing.

Here are a few things you can consider:

  1. Verify the OCSF version supported by Amazon Security Lake: The Amazon Security Lake documentation states that it supports OCSF v1.1.0, but it's possible that the event class list in the custom source creation process lags behind the latest OCSF specification. You can try reaching out to AWS Support to confirm the exact OCSF version and event class support in the current implementation of Amazon Security Lake.

  2. Review the latest OCSF specification: Check the latest OCSF specification (version 1.1.0 or higher) and see if the "Detection Finding" event class is indeed available. If it is, you may need to work with AWS to get the event class support added to the Amazon Security Lake custom source creation process.

  3. Consider using a different event class: If the "Detection Finding" class is not available, you may need to explore alternative event classes that better fit the events generated by Wazuh. The "Security Finding" class, although deprecated, may still be a viable option, or you could use a more generic event class like "Observation" or "Information".

  4. Implement a custom mapping: As a workaround, you could consider building a custom integration that maps the Wazuh events to the available OCSF event classes supported by Amazon Security Lake. This would require more development effort on your side, but it could provide a solution that fits your specific needs.

  5. Provide feedback to AWS: You can reach out to AWS Support or the OCSF community to provide feedback about the missing "Detection Finding" event class in the Amazon Security Lake custom source creation process. This could help drive improvements and updates to the service's OCSF support.

In summary, the key steps are to:

  1. Confirm the exact OCSF version and event class support in Amazon Security Lake.
  2. Explore alternative OCSF event classes that may fit your use case.
  3. Consider implementing a custom mapping if necessary.
  4. Provide feedback to AWS to help improve the service's OCSF support.

By working through these steps, you should be able to find a viable solution for integrating Wazuh with Amazon Security Lake using the appropriate OCSF event class.

AWS
JonQ
answered 10 days ago
  • Hi Jon

    Thanks for your reply.

    How can I get in contact with AWS support about this matter? The "Detection Finding" event class is indeed available in OCSF v1.1.0. I haven't tried to create the custom source from the AWS CLI yet. It's possible that the UI is outdated.

    In fact, we have implemented a custom mapping to convert Wazuh security events to OCSF's Detection Finding class. I think we still have the mappings for the Security Finding class as it was our first approach, but if we can use the Detection Finding class that would be preferable of course.
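The custom mapping that the answer's point 4 and the follow-up comment describe, written out as an added example (not code from the thread or from Wazuh): a constructed Wazuh alert is converted into an OCSF v1.1.0 Detection Finding record whose type_uid follows the class_uid * 100 + activity_id rule, and the result is checked against the class's required attributes. The rule-level-to-severity table and the chosen optional fields are assumptions made for this example.

```python
# Added example: map a Wazuh alert to an OCSF v1.1.0 Detection Finding (class_uid 2004).
# Not from the thread or Wazuh; the alert is constructed, the severity table is assumed.
from datetime import datetime

CLASS_UID, CATEGORY_UID = 2004, 2       # Detection Finding, Findings category
ACTIVITY_CREATE, STATUS_NEW = 1, 1      # activity_id Create, status_id New
REQUIRED = ("activity_id", "category_uid", "class_uid", "finding_info",  # required by
            "metadata", "severity_id", "time", "type_uid")               # the class schema

SAMPLE_ALERT = {  # constructed, in Wazuh's JSON alert layout
    "timestamp": "2024-04-22T13:50:22.555+0000",
    "id": "1713793822.12345",
    "rule": {"id": "5710", "level": 10, "groups": ["syslog", "sshd", "authentication_failed"],
             "description": "sshd: Attempt to login using a non-existent user",
             "mitre": {"id": ["T1110"], "tactic": ["Credential Access"], "technique": ["Brute Force"]}},
    "agent": {"id": "001", "name": "web-01", "ip": "10.0.0.5"},
    "full_log": "Apr 22 13:50:22 web-01 sshd[2211]: Invalid user admin from 198.51.100.7",
}

def severity_id(level: int) -> int:
    """Assumed mapping of Wazuh rule level (0-15) onto OCSF severity_id."""
    for threshold, sid in ((15, 5), (12, 4), (8, 3), (4, 2)):  # Critical, High, Medium, Low
        if level >= threshold:
            return sid
    return 1  # Informational

def to_detection_finding(alert: dict) -> dict:
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    rule, agent = alert["rule"], alert["agent"]
    finding = {
        "activity_id": ACTIVITY_CREATE, "category_uid": CATEGORY_UID, "class_uid": CLASS_UID,
        "type_uid": CLASS_UID * 100 + ACTIVITY_CREATE,  # OCSF rule: class_uid * 100 + activity_id
        "time": int(ts.timestamp()) * 1000 + ts.microsecond // 1000,  # epoch milliseconds
        "severity_id": severity_id(rule["level"]), "status_id": STATUS_NEW,
        "message": rule["description"], "raw_data": alert.get("full_log", ""),
        "metadata": {"version": "1.1.0", "product": {"name": "Wazuh", "vendor_name": "Wazuh"}},
        "finding_info": {"uid": alert["id"], "title": rule["description"], "types": rule.get("groups", []),
                         "analytic": {"type_id": 1, "uid": rule["id"]}},  # analytic type_id 1 = Rule
        "resources": [{"uid": agent["id"], "name": agent["name"], "type": "wazuh_agent"}],
    }
    mitre = rule.get("mitre")
    if mitre:  # carry the ATT&CK technique and tactic names Wazuh attaches to the rule
        finding["finding_info"]["attacks"] = [
            {"technique": {"uid": uid, "name": name}, "tactics": [{"name": t} for t in mitre["tactic"]]}
            for uid, name in zip(mitre["id"], mitre["technique"])]
    return finding

def missing_required(finding: dict) -> list:  # attributes the schema requires but the record lacks
    return [k for k in REQUIRED if k not in finding]
```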
