Sandworm SIEM
Security information and event management with real-time correlation.
What is Sandworm SIEM?
Sandworm SIEM is a Security Information and Event Management (SIEM) platform with integrated User and Entity Behavior Analytics (UEBA). It normalises log data from across your environment to OCSF, correlates events with declarative rules, and surfaces anomalous user behaviour using federated baselines. It is designed for detection engineers and SOC analysts who need a single query and alerting surface across all log sources.
- All events are normalised to OCSF before storage — raw payloads are retained for forensics.
- UEBA baselines are computed using federated aggregation across your peer tenant cohort with differential-privacy guarantees.
- Every alert is mapped to a MITRE ATT&CK technique and tactic automatically.
Ingest your first log source
Sandworm SIEM accepts log data in OCSF format via syslog-over-TLS, HTTP ingest endpoints, and native connectors for popular platforms. Start by adding a connector in Settings → Connectors.
- Syslog (TLS 1.2+): point your SIEM forwarder or rsyslog to the ingest address on port 6514.
- HTTP ingest: POST JSON arrays in OCSF class format to the ingest endpoint with your API token.
- Native connectors: Microsoft Defender, CrowdStrike Falcon, Okta System Log, AWS CloudTrail, and others are available as one-click connectors.
- All incoming events are normalised to OCSF before storage — raw payloads are retained for forensics.
sandworm shai-hulud ingest < events.ocsf.json
Key concepts
Sandworm SIEM provides SIEM + UEBA capabilities. Correlation rules fire when event patterns match; UEBA baselines model normal behaviour and surface anomalies.
- Correlation rules: YAML/declarative rules that match event sequences across one or more log sources.
- UEBA: per-user and per-entity behavioural models using federated baselines — deviations generate scored anomalies.
- ATT&CK mapping: every alert is tagged to the relevant MITRE ATT&CK technique and tactic.
- Threat hunting: ad-hoc OCSF query interface with timeline and pivot support.
- Retention: hot tier (configurable) for fast search; cold tier for compliance archival.
Writing your first correlation rule
Navigate to Sandworm SIEM → Rules → New Rule. Paste a YAML rule body and use the Live Preview panel to test it against recent events before saving. Rules are evaluated in real time as events arrive.
- Use the rule template library to start from common detection patterns (brute-force, impossible-travel, lateral-movement).
- Set a severity level and optional ATT&CK technique tag before saving.
- Alerts flow to the Truthsayer Inbox if the rule targets identity events, or to the Elm case queue if you configure an auto-open playbook.
1. Open the rule editor.
Navigate to Sandworm SIEM → Rules → New Rule and select a template from the library, or start from blank YAML.
2. Test with Live Preview.
Click "Preview" to run the rule against the last 24 hours of events. The panel shows matching events and estimated alert rate.
3. Save and activate.
Set severity and ATT&CK technique, then click Save and Activate. The rule begins evaluating against live event streams immediately.
Integrations
Sandworm SIEM connects to a broad range of log sources via native connectors and accepts OCSF-normalised events from any source that can POST JSON or forward syslog.
- Identity: Okta, Microsoft Entra ID, Google Workspace, Ping Identity.
- Endpoint: CrowdStrike Falcon, Microsoft Defender for Endpoint, Sandworm EDR (native).
- Cloud: AWS CloudTrail, Azure Activity Log, GCP Audit Logs, CloudGuard finding events.
- Network: firewall and VPN logs via syslog-TLS; Stillsuit traffic events (native).
- Elm (SOAR): correlation rule alerts can auto-create Elm cases with a configurable severity threshold.
- Sandworm BAS: simulation technique execution events are forwarded to Sandworm SIEM to verify detection coverage.
API and CLI
Sandworm SIEM exposes ingest and query capabilities via the sandworm CLI and the platform REST API.
- `sandworm shai-hulud rules list` — list active correlation rules.
- `sandworm shai-hulud alerts list --since 24h` — fetch recent alerts.
- `sandworm shai-hulud ingest` — pipe OCSF JSON from stdin to the ingest endpoint.
- REST API: see the OpenAPI spec at /api/shai-hulud/openapi.json on your deployment.
sandworm shai-hulud alerts list --since 24h --format table
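The following is an added example, not part of the Sandworm tooling, of what a forwarder does before the HTTP ingest or `sandworm shai-hulud ingest` path above: it normalises constructed sshd lines to OCSF Authentication events (class_uid 3002) and builds the token-authenticated POST of a JSON array. The ingest URL, the bearer scheme and the environment variable names are assumptions, not values from this page.

```python
import json
import os
import re
import urllib.request
from datetime import datetime, timezone

# Constructed sample input: two sshd-style lines as a forwarder might hand them over.
SAMPLE_LOG = """\
2024-05-01T12:00:00Z host1 sshd[101]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
2024-05-01T12:00:07Z host1 sshd[102]: Failed password for bob from 203.0.113.9 port 51001 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def to_ocsf_auth(line):
    """Normalise one sshd line to an OCSF Authentication event; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ok = m["outcome"] == "Accepted"
    activity_id = 1  # OCSF Authentication activity 1 = Logon
    return {
        "category_uid": 3, "category_name": "Identity & Access Management",
        "class_uid": 3002, "class_name": "Authentication",
        "activity_id": activity_id, "type_uid": 3002 * 100 + activity_id,
        "time": int(ts.timestamp() * 1000),       # epoch milliseconds
        "status_id": 1 if ok else 2,              # 1 = Success, 2 = Failure
        "severity_id": 1 if ok else 3,            # failed logons rated Medium here
        "user": {"name": m["user"]},
        "src_endpoint": {"ip": m["ip"], "port": int(m["port"])},
        "device": {"hostname": m["host"]},
        "metadata": {"version": "1.1.0", "product": {"name": "sshd"}},
        "raw_data": line,  # keep the raw payload alongside the normalised fields
    }

def normalise_batch(text):
    """Return the OCSF JSON array for every parseable line in a log blob."""
    return [e for e in (to_ocsf_auth(l) for l in text.splitlines()) if e]

def build_ingest_request(events, url, token):
    """HTTP ingest: POST the JSON array with the API token (bearer scheme is assumed)."""
    return urllib.request.Request(
        url, data=json.dumps(events).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )

if __name__ == "__main__":  # builds the request only; nothing is sent
    req = build_ingest_request(normalise_batch(SAMPLE_LOG),
                               os.environ.get("SANDWORM_INGEST_URL", "https://siem.example.invalid/ingest"),
                               os.environ.get("SANDWORM_API_TOKEN", "REPLACE_ME"))
    print(req.get_full_url(), len(req.data), "bytes")
```

Writing `normalise_batch(SAMPLE_LOG)` to `events.ocsf.json` gives the CLI command above the same payload.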