Open Source Security Event
Correlation Engine for Elastic Stack

Dsiem provides OSSIM-style correlation for normalized logs/events stored in Elastic platform, queries threat intelligence and vulnerability information sources, and produces risk-adjusted alarms.

Horizontally Scalable

Runs in standalone or clustered mode with NATS as messaging bus between frontend and backend nodes. Along with Elastic, this makes the entire SIEM platform horizontally scalable.

Alarms Enrichment

Enriches alarms with information from threat intelligence and vulnerability information sources. Built-in support for Moloch Wise and Nessus CSV exports. Other sources can be integrated easily through plugins.

Modern Architecture

A cloud-native, 12 factor app, that is loosely-coupled and designed to be composable with other infrastructure platforms. It is even possible to use Dsiem as an OSSIM-style correlation engine for non-Elastic stack.

Dsiem uses auto-generated Logstash configs to tap into existing log ingestion pipelines, and creates a normalized version of those logs to correlate with. This means quick log onboarding process, and no modification required to preexisting Elasticsearch indices and Kibana visualizations.

Visualize Security Alarms

Both normalized events and alarms are stored in Elasticsearch, so it is seamless to use Kibana and all of its powerful features to slice and dice through the data during analysis.

Simple Alarm Management

In addition to Kibana, a simple web interface is provided for managing the generated alarms statuses (e.g. Open, Closed, In-Progress) and tags (e.g. False Positive, Valid Threat). Those status and tag classifications are adjustable so it is easy to adopt a custom analysis workflow.

Why Dsiem?

Dsiem equips security team with a correlation-rule based analysis capability to easily detect known threats within a large volume of logs, all at the same time maintaining their ability to perform manual threat hunting using the Elastic stack utilities.