AWS Security Lake
Choose this destination when your collectors should land OCSF-shaped logs in Amazon Security Lake. The exporter groups records by custom source, event day, and OCSF class_uid, writes ZSTD-compressed Parquet per group, and uploads objects to your Security Lake S3 bucket using the partition layout Security Lake expects (ext/{source}/region=…/accountId=…/eventDay=YYYYMMDD/…).
Supported types: Logs
In the Praxis UI the node appears as AWS Security Lake. Authentication uses the AWS SDK default credential chain (environment, instance/profile role, and so on) plus an optional assume-role ARN—there is no separate Praxis credential type for this exporter.
Shape of incoming logs
Each log record’s body should be a map that includes at least:
- class_uid — OCSF class identifier; must match one of the class IDs you map to a Security Lake custom source.
- time — Event time used for partitioning and Parquet layout.
Normalize or parse upstream so records meet OCSF expectations before they reach this destination.
Core configuration
| Parameter | Description |
|---|---|
| AWS Region | Region of the Security Lake bucket (for example us-east-1). |
| Security Lake S3 bucket | Bucket name provisioned for your Security Lake data lake. |
| AWS Account ID | Account segment in the partition path. For non-AWS or partner sources, your Security Lake docs may specify literals such as external or external_{accountId}. |
| OCSF version | Schema version for bundled Parquet metadata (for example 1.3.0). |
| Custom sources | One row per OCSF class_uid you emit, mapped to a custom source name that is already registered in Security Lake. |
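
A pre-flight check for sample record bodies, showing which partition prefix each one falls under and which ones lack a usable class_uid, time, or custom source mapping. This is an added example, not Praxis code: the source names, account ID, and sample records are constructed, and it assumes `time` is OCSF epoch milliseconds with the event day taken in UTC.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed configuration values; the custom source names are hypothetical.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
CUSTOM_SOURCES = {3002: "praxis_auth", 4001: "praxis_network"}  # class_uid -> source


def partition_prefix(source, time_ms):
    """Prefix up to eventDay=; assumes `time` is epoch milliseconds, day in UTC."""
    day = datetime.fromtimestamp(time_ms / 1000, tz=timezone.utc).strftime("%Y%m%d")
    return f"ext/{source}/region={REGION}/accountId={ACCOUNT_ID}/eventDay={day}/"


def plan(records):
    """Group bodies by (partition prefix, class_uid); return (groups, rejects)."""
    groups, rejects = defaultdict(list), []
    for i, body in enumerate(records):
        if not isinstance(body, dict):
            rejects.append((i, "body is not a map"))
        elif type(uid := body.get("class_uid")) is not int:
            rejects.append((i, "class_uid missing or not an integer"))
        elif uid not in CUSTOM_SOURCES:
            rejects.append((i, f"class_uid {uid} has no custom source mapping"))
        elif type(t := body.get("time")) is not int or t <= 0:
            rejects.append((i, "time missing or not a positive integer"))
        else:
            groups[(partition_prefix(CUSTOM_SOURCES[uid], t), uid)].append(body)
    return dict(groups), rejects


SAMPLE = [  # constructed sample bodies, not real events
    {"class_uid": 3002, "time": 1717200000000},  # 2024-06-01 00:00:00 UTC
    {"class_uid": 3002, "time": 1717286399000},  # 2024-06-01 23:59:59 UTC
    {"class_uid": 3002, "time": 1717286400000},  # 2024-06-02 00:00:00 UTC
    {"class_uid": 4001, "time": 1717200000000},
    {"class_uid": 6003, "time": 1717200000000},  # class with no mapping row
    {"class_uid": 3002},                         # no time field
    "raw syslog line",                           # body never parsed into a map
]

if __name__ == "__main__":
    groups, rejects = plan(SAMPLE)
    for (prefix, uid), bodies in sorted(groups.items()):
        print(prefix, f"class_uid={uid}", f"records={len(bodies)}")
    for index, reason in rejects:
        print(f"reject record {index}: {reason}")
```

A `time` value supplied in seconds rather than milliseconds passes this check but resolves to an event day in January 1970, so a 1970 prefix in the output points to a unit mismatch upstream.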
Optional settings
| Parameter | Description |
|---|---|
| Assume-role ARN | IAM role to assume for S3 writes—often the provider role Security Lake creates per custom source (for example AmazonSecurityLake-Provider-{name}-{region}). |
| S3 endpoint override | Regional endpoint override (VPC endpoints, testing). |
Advanced (optional)
Timeout, retry, and backpressure queue settings can be adjusted when your environment needs different failure or buffering behavior.
Collector version
This destination requires a Praxis Collector build that includes the Security Lake exporter (see Supports agent version in the product). Upgrade collectors if the node is not available on older agents.
See also
- Integrations — Browse all sources, processors, and destinations.
- Microsoft Sentinel — Logs Ingestion API to Azure Monitor / Sentinel.
- AWS S3 — General-purpose S3 export (not Security Lake’s mandated layout).