TLDR Kaan suggested SIEM capabilities for a project, highlighted potential opportunities, and planned to test it over the weekend. Prabhat welcomed the suggestions and looked forward to feedback.
Hi Kaan, Thanks for pitching in. This is really interesting.
1. We have seen Sigma, but have been holding on as we are still focusing on the core.
2. Correlation support between different kinds of logs by joining attributes is a feature that we have on our roadmap and will be available soon.
3. We haven't dealt personally with this and are not very knowledgeable in this area, and certainly could use some help.
That being said, we are currently focusing on application observability for now; the correlation engine will act well for both.
Thanks for the quick reply, no worries. Yes, it could provide an opportunity for users to correlate. Looking forward to testing it with some log sources I have over the weekend.
Would love to get your feedback once you are able to play with it.
Kaan
Thu, 15 Jun 2023 13:38:35 UTC
Hello all, I have been following the project for some time. Looking forward to seeing the new features. I am a Cyber Security Professional, providing assistance/consultancy on the defenders' side. If the solution could have SIEM capabilities (SIEM is a really broad term), it could open many other opportunities. I was going to try it myself this weekend. Wanted to ping and get opinions of other fellow Security Professionals here.
1. Sigma support would be like "low-hanging fruit"
2. Correlation support between different category logs
3. Threat Intel Integration - Other products let users define lists, variables (and get these via integrations with 3rd party apps) to let the user easily search. Ex: a 3rd party threat intel provider provides a list of IP, HASH indicators (IOCs) and the Log Management product lets the user inject these as variables into queries.
Regards.