Introducing the OCSF Mapping App: Streamlining Security Log Normalization with AI

We're excited to announce the public release of our OCSF Mapping App, an open community tool designed to normalize different log types into the standardized Open Cybersecurity Schema Framework (OCSF).

By Bo Lei, Co-Founder & CTO, Fleak

We're excited to announce the public release of our OCSF Mapping App, an open community tool designed to address the technical complexities of normalizing different log types into the standardized Open Cybersecurity Schema Framework (OCSF) format through a systematic approach.

The Challenge of Security Log Normalization

Security log normalization is a fundamental challenge in security engineering. Each security product generates proprietary log formats, creating a fragmented data ecosystem that hinders effective analysis. While the Open Cybersecurity Schema Framework (OCSF) offers a promising standardization solution, implementing it has traditionally required specialized expertise and significant engineering resources.

Introducing the OCSF Mapping App

The OCSF Mapping App is an AI-powered solution designed to address the complexity of security log normalization. It provides a systematic approach to transforming diverse security data into standardized OCSF format without requiring users to have advanced knowledge of OCSF taxonomy or data transformation languages. Key features:

  • AI-Assisted Mapping: Automatically analyzes your logs and suggests appropriate mappings to OCSF schema classes

  • Support for Multiple Log Formats: Works with both structured JSON logs and unstructured text logs

  • Pre-Built Templates: Start with templates for common log sources like AWS CloudTrail, GitHub Audit Logs, Cisco ASA, and Windows Event Logs

  • Visual Editor: Easily customize mappings through an intuitive interface

  • Real-Time Testing: Verify your mappings with sample logs before deployment

Documentation for the OCSF Mapping App can be found here.

A Complete Solution with ZephFlow

The OCSF Mapping App is part of a comprehensive solution for security log normalization:

  1. Develop Mappings: Create and test your mapping configurations in the OCSF Mapping App

  2. Export Configurations: Download your mapping configurations and use them to set up ZephFlow, our lightweight open source execution engine, to apply these mappings to live log streams

Decoupling the creation of mappings from their implementation provides you with complete flexibility in how and where you deploy your log processing pipeline. To learn how to configure ZephFlow to transform Cisco ASA logs into OCSF format, refer to this tutorial.

Practical Application

The system has been field-tested with various security log sources, including:

  • Network Security Devices: Parse and normalize Cisco ASA firewall logs

  • Cloud Service Logs: Transform logs from AWS, Azure, and GCP

  • Application Logs: Standardize logs from modern applications and APIs

  • Security Tool Outputs: Convert proprietary security tool formats to OCSF

For example, the app can take complex Cisco ASA logs with different message types (106023, 302013, 305011, etc.) and transform them into a standardized OCSF format that's ready for analysis or storage.
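As an added illustration (not output of the OCSF Mapping App and not Fleak's code), here is a hand-written Python mapping of one of those message types, 106023, to an OCSF Network Activity event. The sample line, the severity table, the schema version and the choice of `activity_id` 5 (Refuse) are assumptions of this example.

```python
import re

# Constructed sample line in the Cisco ASA 106023 (ACL deny) layout.
SAMPLE = ('%ASA-4-106023: Deny tcp src outside:192.0.2.10/51234 '
          'dst inside:198.51.100.5/443 by access-group "outside_in" [0x0, 0x0]')

# Ports are optional because ICMP denies carry none.
ASA_106023 = re.compile(
    r'%ASA-(?P<sev>\d)-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))?.*? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))?'
    r'.*? by access-group "(?P<acl>[^"]+)"')

# Assumption: one possible syslog-severity -> OCSF severity_id table.
SYSLOG_TO_OCSF = {0: 6, 1: 5, 2: 5, 3: 4, 4: 3, 5: 2, 6: 1, 7: 1}


def asa_106023_to_ocsf(line, epoch_ms):
    """Map one 106023 line to an OCSF Network Activity dict, or None."""
    m = ASA_106023.search(line)
    if m is None:
        return None  # different message ID: needs its own mapping

    def endpoint(side):
        ep = {"ip": m[side + "_ip"], "interface_name": m[side + "_if"]}
        if m[side + "_port"]:
            ep["port"] = int(m[side + "_port"])
        return ep

    class_uid, activity_id = 4001, 5  # Network Activity / Refuse (assumed)
    return {
        "category_uid": 4, "class_uid": class_uid,
        "activity_id": activity_id,
        "type_uid": class_uid * 100 + activity_id,
        "time": epoch_ms,  # caller supplies event time in epoch milliseconds
        "severity_id": SYSLOG_TO_OCSF.get(int(m["sev"]), 0),
        "action_id": 2,  # Denied
        "src_endpoint": endpoint("src"),
        "dst_endpoint": endpoint("dst"),
        "connection_info": {"protocol_name": m["proto"].lower()},
        "metadata": {"version": "1.1.0",  # assumed schema version
                     "product": {"name": "ASA", "vendor_name": "Cisco"}},
        "unmapped": {"message_id": "106023", "access_group": m["acl"]},
        "raw_data": line,
    }


if __name__ == "__main__":
    print(asa_106023_to_ocsf(SAMPLE, 1700000000000))
```

Fields with no obvious OCSF home (here the ACL name) go under `unmapped` rather than being dropped, and `raw_data` keeps the original line for later re-mapping.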

Engineers maintain full control over the mapping process while eliminating repetitive tasks. The system produces readable, maintainable, and versionable mapping configurations.

Community Contribution

This project aims to advance the security community's adoption of standardized log formats. By removing technical barriers, we hope to accelerate the implementation of OCSF across diverse security environments and strengthen the cybersecurity ecosystem through shared, interoperable data models.

Join the OCSF Community

The OCSF Mapping App is available as a free tool at https://app.ocsf.fleak.ai/ for all security practitioners. We welcome the entire security community to use this application and contribute to the OCSF framework. If you're interested in becoming a key mapping template contributor or have technical feedback, please contact us at contact@fleak.ai or message us in the OCSF Slack channel. Together, we can build a more standardized approach to security data.
