Cribl introduces AWS Security Hub extension for OCSF
Cribl introduced an enhanced extension for AWS Security Hub that converts security findings into the Open Cybersecurity Schema Framework (OCSF) and routes them to Cribl Lake for long-term retention, a change Cribl described as intended to help teams correlate threats and support incident response.
The release positioned the integration to work with AWS Security Hub's centralized management of security operations (SecOps), so that Security Hub events can be examined in Cribl Search alongside other security data, reducing the need to move between separate tools.
Cribl Stream added a dedicated extension for AWS Security Hub that collects findings, transforms them into OCSF version 1.6 enriched with AWS-specific resource details (Amazon Resource Names, tags, and configuration attributes), and forwards the normalized records to Cribl Lake or other destinations. The integration includes EventBridge support for observing Security Hub findings and related AWS logs such as CloudTrail, and Cribl Search provides query capabilities over those events.
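To make the normalization step concrete, here is a constructed illustration of what "transform a Security Hub finding into OCSF with AWS resource context" involves. This is added example code, not Cribl's extension or its OCSF mapping: it takes one finding in the AWS Security Finding Format (ASFF), builds an OCSF-shaped Detection Finding record, and carries the resource ARN, type and tags through as OCSF resource fields. The OCSF field names and numeric codes (class_uid 2004, severity_id, status_id, activity_id) follow the published OCSF schema as the author understands it and are assumptions; the sample finding, account id and ARNs are constructed.

```python
"""Constructed example: normalize one ASFF finding into an OCSF-shaped record.

Not Cribl's code. Field names follow the OCSF Detection Finding class as the
author understands it (assumption); the input finding is constructed.
"""
from datetime import datetime
from typing import Any

# ASFF Severity.Label -> OCSF severity_id (assumed: 1 Info ... 5 Critical, 0 Unknown)
SEVERITY_MAP = {"INFORMATIONAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}
# ASFF Workflow.Status -> OCSF status_id (assumed: 1 New, 2 In Progress, 3 Suppressed, 4 Resolved)
STATUS_MAP = {"NEW": 1, "NOTIFIED": 2, "SUPPRESSED": 3, "RESOLVED": 4}
# ASFF RecordState -> OCSF activity_id (assumed: 1 Create, 3 Close, 99 Other)
ACTIVITY_MAP = {"ACTIVE": 1, "ARCHIVED": 3}
CLASS_UID = 2004     # OCSF Detection Finding (assumed class id)
CATEGORY_UID = 2     # OCSF "Findings" category (assumed)
# Top-level ASFF keys consumed by the mapping; everything else is kept in `unmapped`
MAPPED_KEYS = {"Id", "ProductArn", "AwsAccountId", "Region", "UpdatedAt", "Title",
               "Description", "Severity", "Workflow", "RecordState", "Resources"}


def _iso_to_epoch_ms(ts: str) -> int:
    """ASFF timestamps are ISO 8601 with a trailing Z; OCSF `time` is epoch milliseconds."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)


def asff_to_ocsf(finding: dict[str, Any]) -> dict[str, Any]:
    """Map an ASFF finding to an OCSF-shaped dict, preserving AWS resource context."""
    activity_id = ACTIVITY_MAP.get(finding.get("RecordState", ""), 99)
    resources = [
        {
            "uid": r.get("Id"),                     # the resource ARN
            "type": r.get("Type"),                  # e.g. AwsEc2Instance
            "region": r.get("Region"),
            # tags become sorted "key=value" labels so downstream queries are stable
            "labels": [f"{k}={v}" for k, v in sorted(r.get("Tags", {}).items())],
            "data": r.get("Details", {}),           # configuration attributes, kept verbatim
        }
        for r in finding.get("Resources", [])
    ]
    return {
        "class_uid": CLASS_UID,
        "category_uid": CATEGORY_UID,
        "activity_id": activity_id,
        "type_uid": CLASS_UID * 100 + activity_id,  # OCSF convention: class_uid * 100 + activity_id
        "severity_id": SEVERITY_MAP.get(finding.get("Severity", {}).get("Label", ""), 0),
        "status_id": STATUS_MAP.get(finding.get("Workflow", {}).get("Status", ""), 0),
        "time": _iso_to_epoch_ms(finding["UpdatedAt"]),
        "cloud": {
            "provider": "AWS",
            "account": {"uid": finding.get("AwsAccountId")},
            "region": finding.get("Region"),
        },
        "finding_info": {
            "uid": finding["Id"],
            "title": finding.get("Title"),
            "desc": finding.get("Description"),
            "product_uid": finding.get("ProductArn"),
        },
        "resources": resources,
        "metadata": {"version": "1.6.0", "product": {"name": "AWS Security Hub", "vendor_name": "AWS"}},
        # Anything the mapping did not consume is retained rather than silently dropped
        "unmapped": {k: v for k, v in finding.items() if k not in MAPPED_KEYS},
    }


# Constructed ASFF finding (placeholder account id and ARNs, not real resources)
SAMPLE_FINDING: dict[str, Any] = {
    "SchemaVersion": "2018-10-08",
    "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/EXAMPLE-ID",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
    "AwsAccountId": "111122223333",
    "Region": "us-east-1",
    "CreatedAt": "2024-05-01T10:00:00.000Z",
    "UpdatedAt": "2024-05-01T10:05:00.000Z",
    "Title": "Unusual outbound traffic from EC2 instance (constructed example)",
    "Description": "Constructed sample finding used to illustrate OCSF normalization.",
    "Severity": {"Label": "HIGH", "Normalized": 70},
    "Workflow": {"Status": "NEW"},
    "RecordState": "ACTIVE",
    "Resources": [{
        "Type": "AwsEc2Instance",
        "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0example",
        "Region": "us-east-1",
        "Tags": {"owner": "platform", "env": "prod"},
        "Details": {"AwsEc2Instance": {"Type": "t3.micro"}},
    }],
}

if __name__ == "__main__":
    import json
    print(json.dumps(asff_to_ocsf(SAMPLE_FINDING), indent=2))
```

The `unmapped` bucket is the part worth copying into any real pipeline: a normalizer that drops fields it does not recognize loses exactly the context an analyst wants during incident response, so unrecognized ASFF keys are retained alongside the mapped ones.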
Cribl described the work as aggregating security findings into a single view, delivering a standardized OCSF format with AWS context, and allowing correlation across telemetry systems. Cribl also noted that Cribl Copilot Editor uses Artificial Intelligence (AI) to recommend mappings to OCSF, which reduces manual pipeline development. Cribl acted as a launch partner for the new AWS Security Hub, and the added capability in the AWS Security Hub extension in Cribl Stream is available today.
"The ultimate goal for every security team is fast, precise incident response. But you can't get there when your data is spread across multiple tools and does not give you real-time views into these events," said Abby Strong, Chief Market and Customer Officer at Cribl. "By allowing users to query data stored in Cribl Lake, other object stores, and the Security Hub findings, security professionals can quickly correlate past incidents with real-time events."