Security Lake

Amazon Security Lake (ASL) is an OCSF event collection service.

[Diagram: Tenzir writes into the S3 bucket of an Amazon Security Lake custom source. The requirements the custom source imposes:]

- Destination: one source per OCSF event class
- Format: Apache Parquet
- Schema: OCSF event class
- Partitioning: <bucket>/ext/<custom-source-name>/region=<region>/accountId=<account-id>/eventDay=<yyyyMMdd>
- Object size & rate: 5min – 1day, max. 256MB
- Sorting: by time
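The partition layout above is what a defender ends up checking when validating that events actually landed where a custom source expects them. The following is an added example, not code from the page or from Tenzir: it parses S3 object keys written under a custom source into their partition fields (source name, region, account ID, eventDay), rejects keys that do not follow the layout, and computes the prefix an event with a given timestamp should land in. The `.parquet` suffix follows from the format requirement on the page; the assumption that eventDay is the UTC calendar day, the region pattern, and all sample keys are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Layout taken from the page:
# <bucket>/ext/<custom-source-name>/region=<region>/accountId=<account-id>/eventDay=<yyyyMMdd>/<object>
# The region pattern ("eu-west-2", "us-gov-west-1", ...) and the .parquet
# object suffix are assumptions of this example.
ASL_KEY_RE = re.compile(
    r"^ext/(?P<source>[^/]+)"
    r"/region=(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
    r"/accountId=(?P<account_id>\d{12})"
    r"/eventDay=(?P<event_day>\d{8})"
    r"/(?P<object>[^/]+\.parquet)$"
)


def parse_asl_key(key: str) -> Optional[dict]:
    """Parse an object key written under an ASL custom source.

    Returns the partition fields, or None when the key does not follow the
    layout or its eventDay is not a real calendar date."""
    m = ASL_KEY_RE.match(key)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        datetime.strptime(fields["event_day"], "%Y%m%d")
    except ValueError:
        return None  # e.g. eventDay=20240599 matches \d{8} but is not a date
    return fields


def asl_prefix(source: str, region: str, account_id: str, event_time: datetime) -> str:
    """Compute the partition prefix an event with the given timestamp lands in.

    Assumption of this example: eventDay is the UTC date of the event, so an
    aware datetime in another zone is converted before formatting."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    if event_time.tzinfo is None:
        raise ValueError("event_time must be timezone-aware")
    day = event_time.astimezone(timezone.utc).strftime("%Y%m%d")
    return f"ext/{source}/region={region}/accountId={account_id}/eventDay={day}/"


def audit_keys(keys: List[str]) -> Tuple[List[str], List[str]]:
    """Split a bucket listing into keys that follow the layout and keys that do not."""
    ok, bad = [], []
    for key in keys:
        (ok if parse_asl_key(key) else bad).append(key)
    return ok, bad


# Constructed sample listing for this example (not real bucket contents).
SAMPLE_KEYS = [
    "ext/tenzir_network_activity/region=eu-west-2/accountId=123456789012/eventDay=20240501/part-0000.parquet",
    "ext/tenzir_network_activity/region=eu-west-2/accountId=123456789012/eventDay=20240599/part-0001.parquet",  # impossible day
    "ext/tenzir_network_activity/eu-west-2/123456789012/20240501/part-0002.parquet",  # Hive-style key= labels missing
    "ext/tenzir_network_activity/region=eu-west-2/accountId=12345/eventDay=20240501/part-0003.parquet",  # short account ID
]

# Constructed timestamp: 00:30 on 2 May in UTC+2 is still 1 May in UTC.
SAMPLE_EVENT_TIME = datetime(2024, 5, 2, 0, 30, tzinfo=timezone(timedelta(hours=2)))


def sample_prefix() -> str:
    """Prefix for SAMPLE_EVENT_TIME under the custom source used on this page."""
    return asl_prefix("tenzir_network_activity", "eu-west-2", "123456789012", SAMPLE_EVENT_TIME)


if __name__ == "__main__":
    good, rejected = audit_keys(SAMPLE_KEYS)
    print(f"{len(good)} key(s) follow the layout, {len(rejected)} do not")
    for key in rejected:
        print("  rejected:", key)
    print("expected prefix:", sample_prefix())
```

Run over a real listing (for example the output of `aws s3 ls --recursive` on the custom-source prefix), the rejected list is the set of objects Security Lake will not pick up as partitions of that source.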

Tenzir can send events to ASL via the to_asl operator.

Configuration

Follow the standard configuration instructions to authenticate with your AWS credentials.

Set up a custom source in ASL and use its S3 bucket URI with the to_asl operator.

Examples

Send all OCSF Network Activity events from a Kafka topic to ASL

Given an AWS Security Lake running in eu-west-2, a custom source called tenzir_network_activity set up on that lake, and an account with ID 123456789012 for it:

let $s3_uri = "s3://aws-security-data-lake-eu-west-2-lake-abcdefghijklmnopqrstuvwxyz1234/ext/tenzir_network_activity/"
load_kafka "ocsf_events"
read_ndjson
where class_uid == ocsf::class_uid("Network Activity")
to_asl $s3_uri,
  region="eu-west-2",
  accountId="123456789012"