
In technology, the proof of a lasting relationship is in the infrastructure — the pipelines, security services, and log plumbing have to work seamlessly together long before anyone sees the outcome.
That’s precisely what Sumo Logic and AWS have built: a partnership aligned around open standards like OCSF (Open Cybersecurity Schema Framework), integrated with services like Security Hub and GuardDuty, and connected through shared telemetry, which makes cloud security and observability possible at scale. It’s not casual, not transactional, but a partnership engineered over time to show up in the hard parts — shared tooling, consistent expectations, and solving the plumbing so customers can focus on the real work that matters most.
Together, we’ve made AWS findings flow natively into Sumo Logic through OCSF, reducing the need for custom mapping. We’ve connected to Amazon Security Lake so customers can centralize cloud telemetry without building their own data pipelines. And we’ve extended joint capabilities into AI and ML with services like Amazon Bedrock, enabling faster detection, investigation, and response on top of a trusted foundation. These aren’t point integrations; they are the result of years of alignment that let security and observability teams spend less time wrangling data and more time defending, building, and delivering.
What changed in Security Hub — and why it matters
AWS has focused on three practical problems security teams face daily: signal fragmentation, lack of context, and the cost of custom mapping.
First, Security Hub now produces Exposure Findings. Instead of siloed alerts, findings are correlated across GuardDuty, Inspector, and Macie to highlight which exposures truly matter. Prioritization factors include exploitability, impact, and resource exposure, turning noise into a clear to-do list. For example, suppose GuardDuty flags unusual API calls, Inspector shows a critical vulnerability, and Macie identifies sensitive data. In that case, Security Hub produces one Exposure Finding: this internet-exposed EC2 instance is vulnerable, contains sensitive data, and is under active reconnaissance. In Sumo Logic, that finding flows directly into the entity context, tied to user behavior and other telemetry so that analysts can see the complete risk picture in one view.
Second, Security Hub groups findings across services so teams can see relationships between a threat, a vulnerability, and a misconfiguration. Correlated insights give teams the context to move from triage to remediation. For example, a GuardDuty alert on suspicious scanning, combined with an Inspector finding of an open SSH port and a Config misconfiguration of IAM permissions, creates a narrative: this asset may be vulnerable, misconfigured, or actively targeted. Sumo Logic ingests that grouped view, aligns it with MITRE ATT&CK techniques, and connects it to workflows and playbooks, so analysts can quickly pivot from “what happened” to “what to do.”
Third, AWS has baked OCSF into the flow. Findings are delivered in OCSF, and automation rules can act on those attributes without custom parsing. For example, if Severity = High and ResourceType = EC2, then isolate the instance. Because Sumo Logic natively supports OCSF, those attributes stream cleanly into dashboards, analytics, and automation, making response consistent across AWS and hybrid environments.
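To make the automation rule above concrete, here is an added example (not Sumo Logic’s or AWS’s code) that evaluates “Severity = High and ResourceType = EC2, then isolate” over constructed OCSF-shaped findings. It generalizes the rule to High or above, and assumes the OCSF `severity_id` enumeration and `resources[].type` / `resources[].uid` fields; all finding data is constructed.

```python
# Added example: apply the page's sample automation rule to OCSF-shaped findings.
# Assumptions: OCSF severity_id enumeration below; resources[].type / .uid fields.

SEVERITY_ID = {0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
               4: "High", 5: "Critical", 6: "Fatal"}
SEVERITY_RANK = {name: sid for sid, name in SEVERITY_ID.items()}


def normalize_severity(finding):
    """Prefer the numeric severity_id; fall back to the severity string.
    Unknown or missing severity normalizes to 'Unknown' (rank 0)."""
    sid = finding.get("severity_id")
    if sid in SEVERITY_ID:
        return SEVERITY_ID[sid]
    name = str(finding.get("severity", "Unknown")).capitalize()
    return name if name in SEVERITY_RANK else "Unknown"


def decide_actions(finding, min_severity="High", resource_type="ec2"):
    """Rule: severity at or above min_severity AND a resource of the given type
    -> one 'isolate:<uid>' action per matching resource. Otherwise no action."""
    if SEVERITY_RANK[normalize_severity(finding)] < SEVERITY_RANK[min_severity]:
        return []
    actions = []
    for res in finding.get("resources", []):
        if str(res.get("type", "")).lower() == resource_type:
            actions.append(f"isolate:{res.get('uid', '<unknown-resource>')}")
    return actions


def run_rule(findings):
    """Evaluate the rule across a batch of findings and return all actions."""
    return [a for f in findings for a in decide_actions(f)]


# Constructed sample findings (not real telemetry).
CONSTRUCTED_FINDINGS = [
    {"severity_id": 4, "severity": "High",
     "resources": [{"type": "EC2", "uid": "i-0abc123constructed"}]},
    {"severity_id": 3, "severity": "Medium",              # below threshold
     "resources": [{"type": "EC2", "uid": "i-0def456constructed"}]},
    {"severity_id": 5, "severity": "Critical",             # wrong resource type
     "resources": [{"type": "S3Bucket", "uid": "constructed-bucket"}]},
    {"severity": "high",                                   # no severity_id: string fallback
     "resources": [{"type": "ec2", "uid": "i-0ghi789constructed"}]},
]

if __name__ == "__main__":
    print(run_rule(CONSTRUCTED_FINDINGS))
```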
OCSF: the plumbing that actually matters
OCSF is an open schema designed to make event and finding formats predictable and versioned. AWS and other industry participants have been pushing OCSF into services like Security Lake and Security Hub, so telemetry gets normalized earlier and more consistently. When logs and findings follow a standard schema, integrations stop being one-off engineering projects.
For customers, that has three immediate effects:
- Less brittle engineering. You don’t need dozens of custom parsers for every new source or vendor.
- Faster time to insight. Normalized data can feed detections and dashboards immediately.
- Better automation. When automation rules operate on predictable fields, playbooks run reliably.
OCSF’s momentum is visible inside and outside AWS. AWS Security Lake normalizes logs into OCSF classes, and the broader community is working on governance so the schema can evolve without breaking consumers. Adopting OCSF now isn’t just convenient — it’s future-proofing.
Sumo Logic delivers real outcomes, not another format
Sumo Logic’s native OCSF support for Security Hub findings means customers don’t have to be translators. Findings flow into Sumo Logic already mapped to OCSF, which delivers three practical outcomes:
- Day-one usability. Findings are actionable the moment they arrive — usable in detections, investigations, and reports without writing custom transformations.
- Contextual correlation. Security Hub findings appear alongside logs, VPC flows, CloudTrail events, and other telemetry in Sumo Logic so analysts see the whole story.
- Standards alignment. Because the data follows OCSF, customers can reuse pipelines and automation across tools and avoid vendor lock-in.
That’s the point: stop treating normalization as a sunk engineering tax. Let analysts do the analysis. Let detection engineers tune the rules. Let SRE and cloud teams focus on fixing exposures. Sumo Logic and AWS together remove the “plumbing” overhead.
What this means to SecOps leaders
This update matters for leaders because it impacts metrics they care about: mean time to detect (MTTD), mean time to respond (MTTR), and total operational cost.
- POCs and trials run faster. AWS is often the first stop in a customer evaluation. When the Security Hub → Sumo Logic path doesn’t require mapping work, POCs show value faster and with fewer resources.
- Lower engineering drag. Engineers stop maintaining brittle ETL scripts and can focus on higher-value automation.
- Cleaner compliance reporting. Standardized findings are simpler to roll into audit reports and compliance dashboards.
- Better cross-tool interoperability. OCSF alignment makes mixing and matching best-of-breed tooling practical without the cost of bespoke integration work.
This helps security teams operate at cloud speed without burning out the people who do the heavy lifting.
The power of true collaboration
Sumo Logic and AWS have a long history of building together, always with customer outcomes in mind. As an AWS Launch Partner holding both Security and Generative AI Competencies, we’ve focused on the engineering details that matter, such as aligning on standards like OCSF, streaming findings directly from Security Hub and Security Lake, and integrating with services like GuardDuty and Amazon Bedrock, as well as Amazon Nova models.
That plumbing work pays off for customers. Instead of juggling formats and consoles, teams get correlated findings, clear priorities, and automation-ready data that accelerates investigation and response, making cloud security and analytics operate as one system.
AWS is tightening the signals coming out of the cloud. OCSF gives those signals a grammar. Sumo Logic takes the grammar and turns it into answers. For security teams, that means fewer nights coding parsers and more time hunting real threats. If you’re running Security Hub, this is one of those pragmatic upgrades that changes your day-to-day experience. If you’re evaluating cloud security platforms, prioritize solutions that already speak OCSF. Standards matter when you’re trying to scale detection, investigation, and response, and this is how standards start to matter: not in whitepapers, but in the shape of the work your team does every day.