Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake Integration

Learn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.

Overview of AppFabric

AppFabric is a service that standardizes and centralizes audit logs from SaaS applications. The multiple SaaS tools used by enterprises (Okta, Google Workspace, Slack, Salesforce, Microsoft 365, etc.) each have their own log formats and APIs, and cross-cutting security analysis previously required developing individual connectors. AppFabric automatically converts these audit logs to OCSF (Open Cybersecurity Schema Framework) format and delivers them to S3 or Security Lake. This eliminates the need to develop and maintain connectors, and adding new SaaS applications requires only configuration. As of 2024, support includes major SaaS platforms such as Okta, Microsoft 365, Google Workspace, Slack, Zoom, Dropbox, Asana, and Webex by Cisco, with the supported list continuously expanding.

Log Standardization and Analysis

Each SaaS application uses its own log format, making cross-cutting analysis difficult. By standardizing to OCSF format, AppFabric enables unified analysis of "which user performed which action in which SaaS application." OCSF is an open schema under the Linux Foundation that defines common fields for each event category such as Authentication, Authorization, File Activity, and API Activity. This standardization enables cross-searching Okta login failures and Microsoft 365 unauthorized access attempts with the same query. Delivering to Security Lake lets you integrate SaaS logs with CloudTrail, VPC Flow Logs, and GuardDuty findings to understand the security posture of the entire organization. For user access visibility, you can detect SaaS accounts with no login activity for 30 days or more and use the findings for license optimization.

Integration with Security Lake

When you specify Security Lake as AppFabric's output destination, SaaS audit logs are ingested into Security Lake in OCSF format and can be analyzed alongside AWS service logs (CloudTrail, VPC Flow Logs). Use Athena to run cross-service queries like "all SaaS applications accessed by a specific user in the past 24 hours" to streamline insider threat and account compromise investigations. Direct output to S3 is also available for forwarding logs to existing SIEMs (Splunk, Datadog). In AppFabric's ingestion settings, you register authentication credentials for each SaaS application and configure the log retrieval interval. To deepen your understanding of AppFabric, specialized books on Amazon can also be helpful.

Use Cases and Deployment Patterns

AppFabric's primary use cases fall into three categories. First is security incident investigation: detecting anomalous behavior such as a departing employee downloading large volumes of files or logins from unusual countries by cross-referencing logs from multiple SaaS applications. Second is compliance auditing: SOC 2 and ISO 27001 certifications require evidence trails of "who accessed which SaaS when," and querying AppFabric-aggregated logs directly via Athena reduces audit response effort. Third is SaaS license optimization: visualizing active user counts and informing decisions to cancel unused licenses. As a deployment pattern, it is effective to first connect identity platforms (Okta/Azure AD) and file sharing (Google Drive/SharePoint), starting with visibility into the highest-risk operations (permission changes, external sharing).

Pricing and Limitation Considerations

AppFabric is billed based on the number of events ingested, at approximately $0.50 per million events. Costs vary depending on the usage scale of your SaaS applications. Output to Security Lake is included in AppFabric pricing, but Security Lake storage and Athena query charges are billed separately. An important limitation to note is that AppFabric specializes in audit logs (who did what) and does not retrieve content data within SaaS applications (email bodies, file contents). Additionally, since supported SaaS is being expanded incrementally, you need to verify in advance whether the SaaS applications used by your organization are on the supported list. Retrieval intervals vary by SaaS, ranging from near-real-time to several hours of delay, so for time-critical detection, consider combining with GuardDuty or similar services. For cost management, it is recommended to introduce SaaS applications incrementally, starting with high-security-risk applications (authentication, file sharing).

Summary

AppFabric is a service that standardizes and centralizes audit logs from multiple SaaS applications in OCSF format. It unifies the proprietary log formats of each SaaS application and, through integration with Security Lake, enables cross-cutting analysis of cloud and SaaS security logs. It delivers practical value across three use cases - security incident investigation, compliance auditing, and license optimization - with configuration-based SaaS addition requiring no connector development.