Hey community, one of my engineers recently prepared a comparison of OpenSearch vs. Elastic Cloud for SIEM purposes. I'd love to hear your thoughts or experiences! Have you utilized pure OpenSearch as a SIEM for SOC operations for 30+ analysts? We're primarily relying on Splunk and Elastic Cloud and are very happy with both, but I'm curious to learn how OpenSearch stacks up in real-world scenarios. Leaving this matrix for comments https://lnkd.in/dDJgdwAx
Lots of "No Support" values are actually supported with plugins and automations around OpenSearch: 1. https://opensearch.org/docs/latest/security-analytics/ 2. https://github.com/aws-samples/siem-on-amazon-opensearch-service/tree/main
Nazar Tymoshyk, are you using Cribl?
I have used OpenObserve in my previous company for SIEM purposes as well. https://github.com/openobserve/openobserve O2 stores all the logs in object storage, which was the source for ArcticWolf, powering it to take over as the MDR base. While observability is the focus, it solves many other security challenges, like allowing you to create real-time insights, aggregations and transformations over the ingested data to achieve security objectives.
It's great to see such a thorough comparison being shared. OpenSearch certainly has potential, and real-world experiences can provide valuable insights. How have you found the integration process with your existing tools?
Okta IdP log ingestion via API is supported, or am I wrong?
So you compare free Elastic and the paid version (SIEM) that adds ingestion and aggregation functionality and show that they have differences? Really?
While built for observability logs, you should really check https://github.com/openobserve/openobserve . It does all in the above list and more, and much more efficiently.