> SIEM detection rules ... on our roadmap

The current solution in this space, which actually works really well at scale, is ElastAlert[0]. The problem is that ElastAlert is kind of a mess to work with. Lots of documentation, but you need to get into the weeds with it to figure out how it really functions.

Once you get it going it's a great tool. Scaling it out (we run hundreds of rules pretty frequently - upwards of 15 times an hour) is just standing up more instances with their own separate rules.

[0] https://github.com/Yelp/elastalert
I always find that Elastic assumes decent familiarity with their products even when "introducing" them. Everything looks beautiful but I can't quite tell what different tools do.
So for those interested, Mozilla is working on something pretty similar.

https://mozdef.readthedocs.io/en/latest/

They have a set of Docker containers which I find very handy for spinning up deploy-specific logging sinks or full-on SIEMs.
Seems like the natural evolution of the already popular ELK stack. I hope they add popular SIEM features like archiving, alerting, central configuration management, etc. I'll stick with Graylog for now.
I was at a workshop a couple of days ago, pretty worthwhile, and they were pretty excited about something coming out in security - I guess this is it.

Seems a logical progression from Kibana and Logstash - but sometimes I worry search will suffer for all this other stuff.