by windexh8er 811 days ago
Great start! I was on the SE side of Phantom pre-Splunk. One thing I see a lot of traction in over the last year is data warehouses like Databricks & Snowflake and dumping OCSF data into those. I think an area where you can outshine is by offering something like Clickhouse as a data lake alternative along with OCSF as a schema for a bulk of your builtin integrations.

If you want to chat regarding this, feel free to reach out.

2 comments

We see this trend as well. And AWS Security Lake goes exactly there.

Right now, we're working on OCSF normalization in our pipelines to drop structured security telemetry in the right format where you need it. Like a security ETL layer.

We considered ClickHouse and DuckDB but struggled with making the execution engine multi-schema, e.g., more jq-like but still on top of data frames. So we started with a custom catalog and engine on top of Parquet and Feather that we will later factor into a plugin to transpile our query language (TQL) to SQL. The custom language because security people are not data engineers.

https://docs.tenzir.com
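To make the "security ETL layer" idea in the comment above concrete, here is an added example (it is not Tenzir's code or TQL, and not from any commenter) that normalizes two differently shaped raw sources into OCSF Authentication events and then runs one query across both. The sshd syslog lines and the JSON application log format are constructed for the example, and the JSON field names (`ts`, `ok`, `username`, `client_ip`, `service`) are hypothetical; the OCSF values used (class_uid 3002, category_uid 3, activity_id 1 = Logon / 2 = Logoff, status_id 1 = Success / 2 = Failure, type_uid = class_uid * 100 + activity_id) are from the OCSF 1.x Authentication class.

```python
"""Normalize two constructed raw log formats into OCSF Authentication events.

Added example, not Tenzir's code. Constants follow the OCSF 1.x
Authentication event class; sample input lines are constructed.
"""
import json
import re
from datetime import datetime

# OCSF Authentication class constants (OCSF 1.x).
OCSF_VERSION = "1.1.0"
CATEGORY_IAM = 3
CLASS_AUTHENTICATION = 3002
ACTIVITY_LOGON, ACTIVITY_LOGOFF = 1, 2
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEVERITY_INFO = 1

# Constructed sample input: two sshd syslog lines and two JSON lines from a
# hypothetical web application (its field names are an assumption).
SAMPLE_LINES = [
    "2024-05-01T10:00:00+00:00 bastion sshd[4211]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "2024-05-01T10:00:07+00:00 bastion sshd[4212]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    '{"ts": 1714557610, "event": "login", "ok": false, "username": "bob", "client_ip": "203.0.113.9", "service": "portal"}',
    '{"ts": 1714557612, "event": "logout", "ok": true, "username": "bob", "client_ip": "203.0.113.9", "service": "portal"}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def _event(ts_ms, activity_id, status_id, user, src, dst, raw, product):
    """Build one OCSF Authentication event from already-extracted fields."""
    return {
        "metadata": {"version": OCSF_VERSION, "product": {"name": product}},
        "category_uid": CATEGORY_IAM,
        "class_uid": CLASS_AUTHENTICATION,
        "activity_id": activity_id,
        # OCSF derives type_uid as class_uid * 100 + activity_id.
        "type_uid": CLASS_AUTHENTICATION * 100 + activity_id,
        "severity_id": SEVERITY_INFO,
        "status_id": status_id,
        "time": ts_ms,  # epoch milliseconds, as OCSF expects
        "user": {"name": user},
        "src_endpoint": src,
        "dst_endpoint": dst,
        "raw_data": raw,
    }


def normalize_sshd(line):
    """Map an sshd password-auth syslog line to OCSF; None if it is not one."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts_ms = int(datetime.fromisoformat(m["ts"]).timestamp() * 1000)
    status = STATUS_SUCCESS if m["outcome"] == "Accepted" else STATUS_FAILURE
    return _event(ts_ms, ACTIVITY_LOGON, status, m["user"],
                  {"ip": m["ip"], "port": int(m["port"])},
                  {"hostname": m["host"]}, line, "sshd")


def normalize_app_json(line):
    """Map a hypothetical app JSON login/logout record to OCSF; None otherwise."""
    rec = json.loads(line)
    activity = {"login": ACTIVITY_LOGON, "logout": ACTIVITY_LOGOFF}.get(rec.get("event"))
    if activity is None:
        return None  # not an authentication event; another class would own it
    status = STATUS_SUCCESS if rec.get("ok") else STATUS_FAILURE
    return _event(int(rec["ts"]) * 1000, activity, status, rec["username"],
                  {"ip": rec["client_ip"]}, {"svc_name": rec["service"]},
                  line, rec["service"])


def normalize(line):
    """Dispatch on the raw shape; the output schema is the same either way."""
    return normalize_app_json(line) if line.lstrip().startswith("{") else normalize_sshd(line)


def failed_logon_users(events):
    """One query over both sources once they share the OCSF schema."""
    return sorted({e["user"]["name"] for e in events
                   if e["activity_id"] == ACTIVITY_LOGON and e["status_id"] == STATUS_FAILURE})


if __name__ == "__main__":
    events = [e for e in map(normalize, SAMPLE_LINES) if e]
    print(json.dumps(events[1], indent=2))
    print("failed logons for:", failed_logon_users(events))
```

The point of the dispatch in `normalize` is that schema handling happens once, at ingest: downstream detection logic such as `failed_logon_users` never needs to know which source a record came from, which is what lets a query engine stay single-schema on top of a multi-source pipeline.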

I'd actually love to chat from an adjacent/overlapping area for what we're doing in louie.ai in llm-powered investigation & automation. (We're less interested in yet-another-phantom/tines/xsoar, more interested in where security is going next.) Any good way to reach?