VN-08 · SIEM Log Ingest & Search

Status: Delivered (minimal). Full query language, ML/anomaly detection, and broad correlation are deferred. Roles needed: Operator (or tenant admin)

What the client asked for

"Minimal SIEM: log ingest, event search, deterministic correlation rules."

What this proves

A tenant can register log sources, ingest logs into normalized storage, search them, and have deterministic rules raise alerts — which then feed the triage and ticketing flow (VN-07).

How it works (at a glance)

Where to look

Swagger UI at /api/docs (the log-source, ingest, and search APIs)
Portal: Alerts, then Compliance Evidence / the auditor view (downstream)

Validate via Swagger "Try it out" + portal (hybrid)

This is the cross-pillar journey: ingest a log through the real API, then watch it become an unauthorized-device alert with an evidence trail in the portal. The only manual part is the transport — a Phase-2 collector would call the same endpoint. Open /api/docs, click Authorize, paste an operator token.

#	Action (Swagger `/api/docs`)	What you should see
1	`POST /api/v1/log-sources` with `{"source_type":"application","collector_id":"col-1","site_id":"site-1","display_name":"SOC app logs","tenant_identity_mode":"service_account","retention_class":"hot"}`	`200` with a `source_id`
2	`POST /api/v1/logs/ingest` with `{"events":[{"log_source_id":"<source_id>","message":"Accepted password for root from 203.0.113.7","category":"authentication","severity":"warning","structured_fields":{"event.action":"login","source.ip":"203.0.113.7"},"idempotency_key":"vn08-1"}]}`	`200`; the event is normalized + stored
3	`GET /api/v1/logs/search?q=Accepted&limit=20`	The normalized event is returned (real search; no fabricated query language)
4	In the portal, open `Alerts`	A critical "Unauthorized device detected" alert for `203.0.113.7` — the SIEM→rogue bridge fired on the unknown source host
5	Follow the alert to `Compliance Evidence` / the auditor view	The alert links to an evidence record and a correlation/audit trail
6	Confirm scope	Only your tenant's sources, events, and alerts are visible

Contract & tests: ADR-0013 and the /api/v1/logs/* paths in the OpenAPI deliverable; tests/test_siem_runtime.py (ingest/search/rules + the rogue-device bridge).

Pass / fail checklist

Tenant log sources are listed
Normalized search returns matching events
A deterministic rule produces a real alert
The alert links back to its originating event/correlation
No fabricated results or unsupported query controls are shown
Log sources and events are scoped to the owning tenant

Intentionally not in Phase 1

Full SIEM query language, machine-learning anomaly detection, broad correlation, and a syslog TLS receiver. Phase 1 delivers normalized ingest, search, and a deterministic rule set.

Evidence to capture

Screenshot of a normalized search result.
Screenshot of an alert produced by a rule, linked to its event.

What the client asked for​

What this proves​

How it works (at a glance)​

Where to look​

Validate via Swagger "Try it out" + portal (hybrid)​

Pass / fail checklist​

Intentionally not in Phase 1​

Evidence to capture​