Minimal SIEM Runtime

Status

Implemented for OP-012. OneProtect can register tenant log sources, ingest bounded normalized log events, store/search normalized events in ClickHouse, run deterministic SIEM rules, and project SIEM detections into the existing generic alert/ticket/evidence flow.

What Was Implemented

Postgres/RLS-backed log_sources.
ClickHouse-backed normalized_log_events.
API-backed log source registration, status, ingest, search, and detail.
Worker handling for log.event.received when NATS is the event bus backend.
Deterministic SIEM rules for failed login threshold, privilege escalation, stopped critical service, unauthorized access, configuration changes, and the OP-055 expanded 20-rule catalog.
security.alert.created emission with generic alert.created projection.
/console/logs reads real log-source and normalized-search APIs.

APIs / Events / Schemas

APIs:

POST /api/v1/log-sources
GET /api/v1/log-sources
GET /api/v1/log-sources/{source_id}
PATCH /api/v1/log-sources/{source_id}
POST /api/v1/logs/ingest
GET /api/v1/logs/search
GET /api/v1/logs/{event_id}

Events:

log.source.registered
log.event.received
log.event.normalized
security.alert.created
downstream generic alert.created

Validation

make validate-contracts
make typecheck-python
make lint
make test-sqlite
make docs-build

Security / Tenant Isolation

Tenant scope always comes from AuthContext and Postgres RLS, never from log payloads or query parameters. Search and event-detail APIs return normalized fields and bounded redacted summaries only. Raw payload export, richer redaction policy application, and auditor export workflows remain governed by ADR-0014.

Known Limitations

No syslog receiver runtime.
No OTel, Fleet, osquery, cloud, or application-log bridge runtime.
No custom SIEM query language.
No ML/anomaly detection.
No full correlation/search engine.

Status​

What Was Implemented​

APIs / Events / Schemas​

Validation​

Security / Tenant Isolation​

Known Limitations​