feat: Add Support for Ocsf v1.5 in ParseToOCSF

packages/aws-cdk-lib/aws-logs/lib/transformer.ts

@@ -128,8 +128,20 @@ export enum OCSFVersion {
   /**
    * OCSF schema version 1.1.
    * @see https://schema.ocsf.io/1.1.0/
+   * 
+   * OCSF schema version 1.5
+   * @see https://schema.ocsf.io/1.5.0/
    */
   V1_1 = 'V1.1',
+  V1_5 = 'V1.5',
+}
+
+/**
+ * OCSF Mapping versions supported by transformers.
+ */
+export enum OCSFMappingVersion {
+  /** OCSF mapping version 1.5.0 */
+  V1_5_0 = 'v1.5.0',
 }
 
 /**
@@ -232,6 +244,11 @@ export interface ParseToOCSFProperty {
    * Version of OCSF schema to convert to.
    */
   readonly ocsfVersion: OCSFVersion;
+
+  /**
+   * The mapping version for OCSF v1.5 ParseToOCSF.
+   */
+  readonly mappingVersion?: OCSFMappingVersion;
 }
 
 /**
@@ -877,7 +894,7 @@ export class ParserProcessor implements IProcessor {
         }
         this.parseToOCSFOptions = {
           source: '@message',
-          ... props.parseToOCSFOptions,
+          ...props.parseToOCSFOptions,
         };
         break;
 
@@ -901,7 +918,16 @@ export class ParserProcessor implements IProcessor {
       case ParserProcessorType.GROK:
         return { grok: this.grokOptions };
       case ParserProcessorType.OCSF:
-        return { parseToOcsf: this.parseToOCSFOptions };
+        const ocsfConfig: any = {
+          source: this.parseToOCSFOptions?.source,
+          eventSource: this.parseToOCSFOptions?.eventSource,
+          ocsfVersion: this.parseToOCSFOptions?.ocsfVersion,
+        };
+        // Add mappingVersion if defined
+        if (this.parseToOCSFOptions?.mappingVersion !== undefined) {
+          ocsfConfig.mappingVersion = this.parseToOCSFOptions.mappingVersion;
+        }
+        return { parseToOcsf: ocsfConfig };
       default:
         throw new UnscopedValidationError(`Unsupported parser processor type: ${this.type}`);
     }

packages/aws-cdk-lib/aws-logs/test/transformer.test.ts

@@ -1,6 +1,6 @@
 import { Template } from '../../assertions';
 import { Stack } from '../../core';
-import { LogGroup, Transformer, ParserProcessor, JsonMutatorProcessor, VendedLogParser, StringMutatorProcessor, DataConverterProcessor, ParserProcessorType, JsonMutatorType, StringMutatorType, DelimiterCharacter, DataConverterType, TypeConverterType, QuoteCharacter, VendedLogType, OCSFSourceType, OCSFVersion } from '../lib';
+import { LogGroup, Transformer, ParserProcessor, JsonMutatorProcessor, VendedLogParser, StringMutatorProcessor, DataConverterProcessor, ParserProcessorType, JsonMutatorType, StringMutatorType, DelimiterCharacter, DataConverterType, TypeConverterType, QuoteCharacter, VendedLogType, OCSFSourceType, OCSFVersion, OCSFMappingVersion } from '../lib';
 
 describe('transformer', () => {
   // Parser Processor tests
@@ -289,6 +289,42 @@ describe('transformer', () => {
     });
   });
 
+  test('create a OCSF v1.5 parser transformer against a log group', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    const logGroup = new LogGroup(stack, 'aws_cdk_test_log_group');
+
+    const ocsfParser = new ParserProcessor({
+      type: ParserProcessorType.OCSF,
+      parseToOCSFOptions: {
+        eventSource: OCSFSourceType.VPC_FLOW,
+        ocsfVersion: OCSFVersion.V1_5,
+        mappingVersion: OCSFMappingVersion.V1_5_0,
+      },
+    });
+
+    new Transformer(stack, 'Transformer', {
+      transformerName: 'MyTransformer',
+      logGroup: logGroup,
+      transformerConfig: [ocsfParser],
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::Logs::Transformer', {
+      LogGroupIdentifier: { Ref: 'awscdktestloggroup30AE39AB' },
+      TransformerConfig: [{
+        ParseToOCSF: {
+          Source: '@message',
+          EventSource: 'VPCFlow',
+          OcsfVersion: 'V1.5',
+          MappingVersion: 'v1.5.0',
+        },
+      }],
+    });
+  });
+
   // Json Mutator tests
   test('create a Add Key transformer against a log group', () => {
     // GIVEN