SIEM

SIEM feature notes cover Phase 1 log ingestion, normalized event search, deterministic alerting, and related evidence/audit handoffs.

Current status:

  • Minimal SIEM ingestion/search contracts are accepted.
  • A minimal SIEM runtime is implemented: tenant log source registration, bounded normalized ingest, ClickHouse-backed search, deterministic SIEM rules, and generic alert/ticket/evidence projection.
  • OP-055 expands the deterministic rule catalog from 5 rules to 20, with fixtures for each rule and without breaking compatibility with the existing alert projection.
  • Receiver adapters, a full query language, ML/anomaly detection, and full correlation remain future work.
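The status list above mentions deterministic rules, fixtures, and alert projection without showing what "deterministic" buys you. The following is an added example written for this page, not the project's runtime or rule catalog: a tiny rule evaluator that runs a threshold rule and a single-event rule over a constructed set of normalized events and projects hits into a generic alert shape. The event field names, the rule identifiers EX-001 and EX-002, the alert fields, and the sample events are all assumptions. The property worth noticing is that the output, including alert identifiers, does not depend on the order in which events arrive, which is what lets fixtures be compared byte-for-byte across runs.

```python
"""Deterministic rule evaluation over normalized events (added example, not project code)."""
import hashlib
import json
from collections import defaultdict

# Constructed sample of normalized events. Field names are assumptions.
EVENTS = [
    {"event_id": "ev-1", "tenant": "acme", "ts": "2024-03-01T09:00:01Z", "category": "auth",
     "action": "login", "outcome": "failure", "user": "alice", "src_ip": "198.51.100.7"},
    {"event_id": "ev-2", "tenant": "acme", "ts": "2024-03-01T09:00:02Z", "category": "auth",
     "action": "login", "outcome": "failure", "user": "alice", "src_ip": "198.51.100.7"},
    {"event_id": "ev-3", "tenant": "acme", "ts": "2024-03-01T09:00:03Z", "category": "auth",
     "action": "login", "outcome": "failure", "user": "bob", "src_ip": "198.51.100.7"},
    {"event_id": "ev-4", "tenant": "acme", "ts": "2024-03-01T09:00:04Z", "category": "auth",
     "action": "login", "outcome": "success", "user": "alice", "src_ip": "198.51.100.7"},
    {"event_id": "ev-5", "tenant": "acme", "ts": "2024-03-01T09:01:00Z", "category": "process",
     "action": "exec", "outcome": "success", "user": "alice", "src_ip": "", "cmd": "sudo -i"},
    {"event_id": "ev-6", "tenant": "beta", "ts": "2024-03-01T09:00:02Z", "category": "auth",
     "action": "login", "outcome": "failure", "user": "carol", "src_ip": "203.0.113.9"},
]

# Hypothetical rule definitions: a count threshold per (tenant, src_ip) and a single-event match.
RULES = [
    {"rule_id": "EX-001", "severity": "medium", "kind": "threshold",
     "match": {"category": "auth", "action": "login", "outcome": "failure"},
     "group_by": ["tenant", "src_ip"], "threshold": 3},
    {"rule_id": "EX-002", "severity": "high", "kind": "single",
     "match": {"category": "process", "action": "exec", "cmd": "sudo -i"}},
]


def _matches(rule, event):
    """Exact-equality match on every field the rule names."""
    return all(event.get(k) == v for k, v in rule["match"].items())


def _alert_id(tenant, rule_id, event_ids):
    """Content-derived id: same tenant, rule and event set always yield the same alert id."""
    digest = hashlib.sha256(f"{tenant}|{rule_id}|{','.join(event_ids)}".encode()).hexdigest()
    return f"alert-{digest[:16]}"


def _project(tenant, rule, event_ids, summary):
    """Generic alert shape (assumed) that a ticket or evidence handoff could consume."""
    return {
        "alert_id": _alert_id(tenant, rule["rule_id"], event_ids),
        "tenant": tenant,
        "rule_id": rule["rule_id"],
        "severity": rule["severity"],
        "event_ids": event_ids,
        "summary": summary,
    }


def evaluate(events, rules):
    """Run every rule over the events; output is independent of input ordering."""
    ordered = sorted(events, key=lambda e: (e["tenant"], e["ts"], e["event_id"]))
    alerts = []
    for rule in rules:
        hits = [e for e in ordered if _matches(rule, e)]
        if rule["kind"] == "single":
            for e in hits:
                alerts.append(_project(e["tenant"], rule, [e["event_id"]],
                                       f"{rule['rule_id']}: {e['user']} ran {e.get('cmd')}"))
        elif rule["kind"] == "threshold":
            groups = defaultdict(list)
            for e in hits:
                groups[tuple(e.get(k, "") for k in rule["group_by"])].append(e)
            for key, evs in sorted(groups.items()):
                if len(evs) >= rule["threshold"]:
                    ids = sorted(e["event_id"] for e in evs)
                    where = dict(zip(rule["group_by"], key))
                    alerts.append(_project(evs[0]["tenant"], rule, ids,
                                           f"{rule['rule_id']}: {len(evs)} failed logins for {where}"))
        else:
            raise ValueError(f"unknown rule kind {rule['kind']!r}")
    # Sort by the content-derived id so fixture output is stable across runs.
    return sorted(alerts, key=lambda a: a["alert_id"])


if __name__ == "__main__":
    forward = evaluate(EVENTS, RULES)
    backward = evaluate(list(reversed(EVENTS)), RULES)
    print(json.dumps(forward, indent=2))
    print("order-independent:", forward == backward)
```

Two alerts come out of the sample: EX-001 fires for tenant acme from 198.51.100.7 (three failures, events ev-1 to ev-3; the single beta failure stays below the threshold), and EX-002 fires on ev-5. Feeding the events in reverse order produces an identical list, which is the check a fixture-driven catalog relies on when it diffs expected against actual alerts.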