AWS AppFabric
A service that normalizes security logs from SaaS applications into OCSF format, enabling centralized auditing and security analysis
Overview
AWS AppFabric is a service that collects security-related logs from multiple SaaS applications used by enterprises (Google Workspace, Microsoft 365, Salesforce, Slack, Zoom, etc.), normalizes them into OCSF (Open Cybersecurity Schema Framework) format, and provides centralized management. Since each SaaS provides audit logs in its own proprietary format, cross-platform analysis was previously difficult. AppFabric converts them into a common schema, enabling unified analysis of user behavior across different SaaS platforms. Normalized logs can be output to S3 or Security Lake, facilitating analysis with Athena or OpenSearch and integration with SIEM tools. It can be used for shadow IT detection and early identification of insider threats.
App Bundle and Authentication Connection Setup
AppFabric configuration begins with creating an App Bundle. An App Bundle is the management unit for AppFabric, connecting multiple SaaS applications to a single bundle. Connections to each SaaS use either OAuth 2.0 authentication or API keys. For example, Google Workspace connects via OAuth 2.0, completing the authentication flow with an administrator account. Microsoft 365 connects through Azure AD app registration, granting the necessary API permissions (such as AuditLog.Read.All). Once connections are established, AppFabric periodically polls each SaaS's audit log API to retrieve new events. Retrieval intervals vary by service, but in most cases new logs are reflected with approximately 5-15 minutes of lag. Connection credentials are stored encrypted, and AppFabric manages automatic token refresh, eliminating the need for operators to manually refresh tokens.
OCSF Normalization and Log Destination Design
AppFabric's core capability is normalizing each SaaS's proprietary log format into OCSF (Open Cybersecurity Schema Framework). OCSF is a common schema for security events that uniformly represents event categories (authentication, access control, file operations, etc.), actors (who), targets (what), and outcomes (success/failure). For example, a Google Workspace login success event and a Microsoft 365 sign-in success event are both normalized as OCSF Authentication category with activity_id: Logon. Output destinations include S3 buckets and Amazon Security Lake. For S3 output, you can specify Parquet or JSON format. Parquet format excels in Athena query performance and is suited for analyzing large volumes of logs. Outputting to Security Lake enables cross-analysis with other AWS security logs such as CloudTrail and VPC Flow Logs. Output partitioning is automatically performed on a date basis, optimizing searches for specific time periods.
Security Analysis Use Cases and Operational Design
The primary use case for logs collected and normalized by AppFabric is detecting suspicious user behavior. For example, it can detect patterns across SaaS platforms such as the same user logging in from multiple countries in a short time (impossible travel), downloading large numbers of files not normally accessed (signs of data exfiltration), or administrative privilege changes occurring late at night (privilege escalation attacks). An effective automation pipeline in practice periodically runs Athena queries to detect events matching anomalous patterns and sends notifications via SNS. It can also be used for insider threat countermeasures by monitoring account activity of employees scheduled to leave and detecting bulk data downloads before departure. Cost-wise, AppFabric pricing is usage-based on event ingestion count, with separate S3 storage costs and Athena query costs. A design that sets log retention periods and migrates older logs to S3 Glacier via lifecycle rules is recommended for storage cost optimization. Supported SaaS applications are continuously being added, so it's important to verify target SaaS support in the official documentation before adoption.