by ThaDood 811 days ago
Neat! Another FOSS SOAR platform. Quick read through built-in integrations. Any support for Elastic both SIEM and EDR?

And do you all have like an MSP program? Assuming not, but always need to ask.

Also forgot to ask, any chance of moving some of the develop/feedback off of Discord? I understand a number of projects are making this choice now, but I find whenever I need to search Discord for information, I'm not the most effective at it.


We plan to add integrations and pre-built workflows in the coming weeks. Would love your input in our Discord channel! https://discord.gg/n3GF4qxFU8

We're building a motley crew of blue teamers, security engineers, and data folks.

Great start! I was on the SE side of Phantom pre-Splunk. One thing I see a lot of traction in over the last year is data warehouses like Databricks & Snowflake and dumping OCSF data into those. I think an area where you can outshine is by offering something like Clickhouse as a data lake alternative along with OCSF as a schema for a bulk of your builtin integrations.

If you want to chat regarding this, feel free to reach out.

We see this trend as well. And AWS Security Lake goes exactly there.

Right now, we're working on OCSF normalization in our pipelines to drop structured security telemetry in the right format where you need it. Like a security ETL layer.

We considered ClickHouse and DuckDB but struggled with making the execution engine multi-schema, e.g., more jq-like but still on top of data frames. So we started with a custom catalog and engine on top of Parquet and Feather that we will later factor into a plugin to transpile our query language (TQL) to SQL. The custom language is there because security people are not data engineers.

https://docs.tenzir.com
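The "security ETL layer" described above, as an added illustration that is not Tenzir's code and not part of the original thread: two constructed raw sources (a syslog-style sshd line and a JSON event in a Windows-like shape) are mapped by a per-source normalizer into a minimal OCSF-style Authentication event. The dispatch table is the "multi-schema" part: each source keeps its own parser, but everything downstream sees one schema. The OCSF identifiers used (class_uid 3002 for Authentication, category_uid 3 for IAM, activity_id 1 for Logon, status_id 1/2 for Success/Failure, epoch-millisecond `time`) are from my reading of the OCSF schema and should be checked against the spec version you target; field names are kept to a small, plausible subset.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample telemetry (illustrative only, not real logs).
RAW_EVENTS = [
    ("sshd", "Jan 12 10:15:03 bastion sshd[2211]: Failed password for invalid user admin "
             "from 203.0.113.7 port 51234 ssh2"),
    ("sshd", "Jan 12 10:15:09 bastion sshd[2211]: Accepted publickey for alice "
             "from 198.51.100.4 port 40022 ssh2"),
    ("winlogon", json.dumps({"EventID": 4624, "TimeCreated": "2024-01-12T10:16:00Z",
                             "TargetUserName": "bob", "IpAddress": "10.0.0.5",
                             "Computer": "WS01"})),
]

# OCSF identifiers as I recall them; verify against the schema version you use.
OCSF_AUTH_CLASS_UID = 3002      # Authentication
OCSF_IAM_CATEGORY_UID = 3       # Identity & Access Management
LOGON_ACTIVITY_ID = 1           # activity_id: Logon
STATUS_SUCCESS, STATUS_FAILURE = 1, 2

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def _auth_event(time_ms, status_id, user, src_ip, host, vendor, raw):
    """Build one OCSF-style Authentication event; type_uid = class_uid*100 + activity_id."""
    return {
        "class_uid": OCSF_AUTH_CLASS_UID,
        "category_uid": OCSF_IAM_CATEGORY_UID,
        "activity_id": LOGON_ACTIVITY_ID,
        "type_uid": OCSF_AUTH_CLASS_UID * 100 + LOGON_ACTIVITY_ID,
        "time": time_ms,
        "status_id": status_id,
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "device": {"hostname": host},
        "metadata": {"product": {"vendor_name": vendor}},
        "raw_data": raw,  # keep the original line for forensics / re-parsing
    }


def normalize_sshd(line, year=2024):
    """Syslog has no year; the caller supplies it (assumption for the sample)."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # not an auth event we know how to map; skip, do not guess
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    status = STATUS_SUCCESS if m["outcome"] == "Accepted" else STATUS_FAILURE
    return _auth_event(int(ts.timestamp() * 1000), status, m["user"], m["ip"],
                       m["host"], "OpenSSH", line)


def normalize_winlogon(line):
    """4624 = successful logon, 4625 = failed logon; anything else is not mapped here."""
    ev = json.loads(line)
    if ev.get("EventID") not in (4624, 4625):
        return None
    ts = datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00"))
    status = STATUS_SUCCESS if ev["EventID"] == 4624 else STATUS_FAILURE
    return _auth_event(int(ts.timestamp() * 1000), status, ev["TargetUserName"],
                       ev["IpAddress"], ev["Computer"], "Microsoft", line)


# One parser per source schema; everything after this point is schema-agnostic.
MAPPERS = {"sshd": normalize_sshd, "winlogon": normalize_winlogon}


def normalize_all(raw_events):
    """Run each raw record through its source mapper; drop records that do not map."""
    out = []
    for source, line in raw_events:
        ev = MAPPERS[source](line)
        if ev is not None:
            out.append(ev)
    return out


def to_jsonl(events):
    """Serialize normalized events as JSON lines, a common lake/warehouse landing format."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    print(to_jsonl(normalize_all(RAW_EVENTS)))
```

Dropping unmapped records (returning `None`) rather than emitting half-filled events is deliberate: a downstream detection over `status_id == 2` should never fire on a record whose status was guessed. In a real pipeline you would write the normalized events to Parquet (e.g. with pyarrow) instead of JSON lines, which is where the Parquet/Feather catalog mentioned above comes in.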

I'd actually love to chat from an adjacent/overlapping area for what we're doing in louie.ai in llm-powered investigation & automation. (We're less interested in yet-another-phantom/tines/xsoar, more interested in where security is going next.) Any good way to reach?
As for the MSP program, absolutely 100% yes. Would love to hear your use-case / pain points regarding existing SOARs (both OSS and closed source). Shuffle is the OG of FOSS SOARs, but the momentum behind that project seems to have stalled...