SIEM Rule Expansion
Status
Implemented in OP-055. The minimal SIEM runtime now evaluates 20 deterministic rules over normalized log events.
What Was Implemented
- Expanded poc/ingest_api/siem_rule_definitions.py from 5 to 20 deterministic rule IDs.
- Added a stable SIEM rule catalog helper for contract-style checks.
- Added fixtures that prove the expanded catalog projects security.alert.created into the existing generic alert.created flow.
- Preserved OP-012 normalized log ingest/search behavior and tenant isolation.
Rule Coverage
The catalog now covers failed login threshold, privilege escalation, service stops, unauthorized access, configuration changes, malware detections, suspicious PowerShell, account lockout, MFA disabled, firewall disabled, endpoint protection disabled, suspicious process execution, possible data exfiltration, impossible travel, new admin user creation, password spray, audit log clearing, brute-force source blocks, suspicious scheduled tasks, and credential dumping indicators.
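The shape of the deterministic evaluation described above, as an added Python example that is not the project's siem_rule_definitions.py: three rules from the coverage list (failed login threshold, password spray, audit log clearing) run over constructed normalized events with state isolated per tenant, emitting security.alert.created payloads that are then projected into the generic alert.created envelope. Rule IDs, event field names, the window size and thresholds are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable

WINDOW_S = 300  # sliding window for the stateful rules (assumed value)
# Constructed sample of normalized log events; field names are assumptions, not the project's schema.
EVENTS = [
    {"ts": 100, "tenant": "t1", "type": "auth.failed", "user": "alice", "src": "10.0.0.5"},
    {"ts": 120, "tenant": "t1", "type": "auth.failed", "user": "alice", "src": "10.0.0.5"},
    {"ts": 140, "tenant": "t1", "type": "auth.failed", "user": "alice", "src": "10.0.0.5"},
    {"ts": 150, "tenant": "t2", "type": "auth.failed", "user": "alice", "src": "10.0.0.5"},
    {"ts": 200, "tenant": "t1", "type": "audit_log.cleared", "user": "svc", "src": "10.0.0.9"},
    {"ts": 210, "tenant": "t1", "type": "auth.failed", "user": "bob", "src": "10.0.0.7"},
    {"ts": 220, "tenant": "t1", "type": "auth.failed", "user": "carol", "src": "10.0.0.7"},
    {"ts": 230, "tenant": "t1", "type": "auth.failed", "user": "dave", "src": "10.0.0.7"},
]

@dataclass(frozen=True)
class Rule:
    rule_id: str  # hypothetical stable ID; the real catalog's IDs are not on this page
    title: str
    match: Callable[[dict, dict], bool]  # (event, per-tenant/per-rule state) -> fired?

def _window(state, key, ev):
    """Append ev to the keyed sliding window and evict entries older than WINDOW_S."""
    win = state.setdefault(key, deque())
    win.append(ev)
    while ev["ts"] - win[0]["ts"] > WINDOW_S:
        win.popleft()
    return win

def failed_login_threshold(ev, state):
    return ev["type"] == "auth.failed" and len(_window(state, ev["user"], ev)) >= 3

def password_spray(ev, state):
    # One source failing against three or more distinct accounts inside the window.
    return ev["type"] == "auth.failed" and len({e["user"] for e in _window(state, ev["src"], ev)}) >= 3

CATALOG = (
    Rule("R-001", "Failed login threshold", failed_login_threshold),
    Rule("R-002", "Password spray", password_spray),
    Rule("R-003", "Audit log cleared", lambda ev, _: ev["type"] == "audit_log.cleared"),
)

def evaluate(events, catalog=CATALOG):
    """Deterministic single pass over time-ordered events; state is isolated per tenant and rule."""
    state, alerts = defaultdict(dict), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in catalog:
            if rule.match(ev, state[(ev["tenant"], rule.rule_id)]):
                alerts.append({"event": "security.alert.created", "tenant": ev["tenant"],
                               "rule_id": rule.rule_id, "title": rule.title, "ts": ev["ts"]})
    return alerts

def project_to_generic(alert):
    """Project a security.alert.created payload into the generic alert.created envelope."""
    return {"event": "alert.created", "source": "siem", **{k: alert[k] for k in ("tenant", "rule_id", "title")}}
```

The tenant t2 failure at ts 150 never counts toward tenant t1's threshold because the window state is keyed by (tenant, rule_id).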
Validation
make validate-contracts
make typecheck-python
make lint
make test-sqlite
npm --prefix frontend test -- --run
make docs-build
Non-Scope
- No ML/anomaly detection.
- No custom SIEM query language.
- No syslog TLS receiver.
- No OTel, Fleet, osquery, cloud, or application-log bridge runtime.
- No ClickHouse, Helm, Terraform, or AWS deployment changes.