Minimal SIEM Ingestion/Search Contracts
Status
Contract accepted in ADR-0013. OP-012 now implements the minimal runtime for source registration, normalized ingest, ClickHouse-backed search, and deterministic rule execution. Receiver adapters, full query language, ML/anomaly detection, and full correlation remain future work.
Related Requirements
- Phase 1 includes SIEM lite at MVP depth.
- Rule-based deterministic alerting is the Phase 1 AI/detection posture.
- Tenant isolation, auditability, redaction, and API-first delivery are non-negotiable.
What Was Defined
- ADR-0013 for minimal SIEM ingestion/search.
- Log source registration/status API contracts.
- Received and normalized log event contracts.
- Normalized-only search API contract.
- Normalized event detail and alert linkage API contracts.
- security.alert.created as the SIEM detection event.
- Relationship from SIEM detection to the existing generic alert.created.
- Hot/warm/cold retention classes with tenant-configurable durations inside platform bounds.
- Redaction and raw payload reference boundaries.
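As an added illustration of the last two items (not code from OP-012 or the accepted contracts), the sketch below clamps tenant retention durations to platform bounds and builds a normalized event that carries only a redacted message plus a reference to the raw payload. The bounds, field names, redaction rules and sample event are all assumptions constructed for the example.

```python
import hashlib
import re

# Platform retention bounds in days per class (constructed values; the page only
# says tenant-configurable durations must stay inside platform bounds).
PLATFORM_BOUNDS = {"hot": (1, 30), "warm": (7, 180), "cold": (30, 730)}

# Hypothetical redaction rules applied before an event enters the searchable store.
REDACTION_RULES = [
    (re.compile(r"(?i)\b(password|passwd|token|api_key)=[^\s&;]+"), r"\1=[REDACTED]"),
    (re.compile(r"(?i)\bauthorization:\s*bearer\s+\S+"), "Authorization: Bearer [REDACTED]"),
]

def resolve_retention(tenant_overrides):
    """Per-class duration: tenant value if given, else the platform minimum, clamped to bounds."""
    resolved = {}
    for cls, (lo, hi) in PLATFORM_BOUNDS.items():
        requested = tenant_overrides.get(cls, lo)
        resolved[cls] = min(max(int(requested), lo), hi)
    return resolved

def normalize_event(received, tenant_id, retention_class="hot"):
    """Redacted, searchable record that references the raw payload by hash instead of copying it."""
    if retention_class not in PLATFORM_BOUNDS:
        raise ValueError(f"unknown retention class: {retention_class}")
    raw = received["raw"]
    message = raw
    for pattern, replacement in REDACTION_RULES:
        message = pattern.sub(replacement, message)
    return {
        "tenant_id": tenant_id,
        "source_id": received["source_id"],
        "received_at": received["received_at"],
        "message": message,
        # Hypothetical field: a pointer into the raw store, never the raw bytes themselves.
        "raw_payload_ref": "sha256:" + hashlib.sha256(raw.encode("utf-8")).hexdigest(),
        "retention_class": retention_class,
    }

# Constructed sample: one received event carrying credentials in its body.
SAMPLE_RECEIVED = {
    "source_id": "src-example-01",
    "received_at": "2024-01-01T00:00:00Z",
    "raw": "user=alice password=hunter2 action=login Authorization: Bearer abc.def.ghi",
}

if __name__ == "__main__":
    print(resolve_retention({"hot": 90, "cold": 10}))
    print(normalize_event(SAMPLE_RECEIVED, tenant_id="tenant-a")["message"])
```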
APIs / Events / Schemas
Events:
- log.source.registered
- log.event.received
- log.event.normalized
- security.alert.created
API surfaces:
- GET /api/v1/siem/log-sources
- POST /api/v1/siem/log-sources
- GET /api/v1/siem/log-sources/{source_id}
- PATCH /api/v1/siem/log-sources/{source_id}
- POST /api/v1/siem/logs/search
- GET /api/v1/siem/logs/{normalized_event_id}
- GET /api/v1/siem/alerts/{alert_id}/events
Validation
make validate-contracts
.venv/bin/python -c "import yaml; yaml.safe_load(open('specs/openapi.yaml')); yaml.safe_load(open('specs/asyncapi.yaml')); print('yaml ok')"
make docs-build
make test-sqlite
Remaining Limitations
- No syslog receiver runtime.
- No OTel, Fleet, osquery, cloud, or application-log bridge runtime.
- No SIEM query language.
- No ML/anomaly detection.
- No rule-engine expansion beyond deterministic contract shape.
- No full SIEM correlation/search engine.
Follow-Up Work
- Freeze auditor export/redaction contracts before raw log exports or auditor-safe SIEM exports.
- Add syslog/TLS, OTel, Fleet, osquery, cloud, and application-log adapters only through scoped future runtime branches.