[_8j50]

The bane of any SIEM is data ingestion costs. I need to put every log in it but with cloud, not only do I have to worry about resource costs but also data bases pricing models for the SIEM license. Imagine I need to ingest data from 500K endpoints including 500k users and their web,ip,dns,authentication and endpoint event logs (Sysmon for example). Can I do this for under $6/user ($3M) including support costs? Edit: just a thought here, perhaps onprem agents to summarize logs before shipping to cloud storage might help?

Also, since this seems fairly new, do you have SOAR platform integration already? That's a major selling point these days, I need it to play well with automation.

Lastly,many have tried and failed to compete with Splunk's query language.Does this have a query langauge that can compete? I don't need it to detect threats out of the box, if I need a SIEM then I also need to rapidly change correlation logic and for that I need a good query language which is very rare even with top dollar traditional SIEMs.

[Jedd]

It's Apache licenced, so presumably ingest / transit, compute, and storage costs are whatever you normally pay for them.

[kapilvt]

The source licensing here is a mess, AGPL, commercial, etc. https://github.com/panther-labs/panther/blob/master/LICENSE

My read of the license file, is there seems to be some purposefully introduced license confusion and mixing of proprietary/commercial non oss files into the same repo, which makes it really unclear if this is OSS per OSI definition, if running git log will taint a contributor.

The compiled binaries assets are available under Apache 2.0, which appears to be a marketing tactic to capitalize on the name, while being completely unrelated to the actual source license, aka this is closer to free to use binary. IANAL but afaics most orgs should talk to a lawyer if they want to use this as OSS.

moreover this line in the readme also appears to be purposefully sowing confusion, "Panther is dual-licensed under the AGPLv3 and Apache-2.0 licenses." except they actually appear to redefine the common usage of dual license, to mean that parts of the code base are selectively licensed one or the other.

[Jedd]

This is great insight, thank you.

I'd originally just looked at the LICENCE.txt file in the top level, thinking this was presented as a standalone application suite from a single author / company - so I approached it with certain (perhaps naive) expectations.

[_8j50]

That's just it, I've been at a few fortune 100's and I've never seen siem data pushed into cloud but also, I've seen teams struggle with just vpc network flow logs due to resource /stackdriver costs.