SIEM Rule Engine

Real-Time Security Events, Compliance Built In

YAML-based detection rules with built-in compliance mappings. Events stream through NATS, match against your rules, and fire alerts to any destination — all in real time.

How the SIEM Works

A lightweight, Kubernetes-native SIEM that processes security events through a real-time pipeline with compliance-aware rules.

YAML-Based Rules

Define detection rules in simple YAML. Each rule specifies conditions, severity, NATS subjects to listen on, and compliance framework mappings. Version-control your entire rule set alongside your infrastructure.

NATS Event Streaming

All security events flow through NATS, providing a unified, high-throughput message bus. Scanner results, system logs, and Kubernetes events converge into a single real-time pipeline.

Real-Time Processing

Events are evaluated against rules as they arrive. No batch delays. Alerts fire within seconds of detection, so your team can respond before an incident escalates.

Flexible Alert Routing

Route alerts to Slack, email, webhooks, PagerDuty, or any HTTP endpoint. Each rule can have its own destination, so the right team gets the right alert.

Vector.dev Pipeline

Vector.dev handles log ingestion, transformation, and routing. Parse, filter, and enrich events before they reach the rule engine or your storage backend.

Elasticsearch Storage

All events and alerts are stored in Elasticsearch for powerful querying, historical analysis, and integration with Kibana dashboards you already know.

Compliance Frameworks

Every rule maps to one or more compliance frameworks. Know exactly which standards are covered and where gaps remain.

PCI-DSS

Payment Card Industry Data Security Standard

GDPR

General Data Protection Regulation

HIPAA

Health Insurance Portability and Accountability Act

NIST 800-53

Security and Privacy Controls for Information Systems

MITRE ATT&CK

Adversarial Tactics, Techniques, and Common Knowledge

Simple Rule Definition

Rules are plain YAML. Define what to detect, how severe it is, and which compliance frameworks it maps to.

name: open-port-detected
description: Alert on newly discovered open ports
severity: medium
nats_subject: scanner.nmap.results
condition:
  field: open_ports
  operator: gt
  value: 0
compliance:
  pci_dss: ["2.2.2", "6.2"]
  nist_800_53: ["CM-7", "RA-5"]
actions:
  - type: alert
    destination: slack-security
  - type: store
    destination: elasticsearch
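As an added illustration (not Samma's own code), here is a minimal Python evaluator with the semantics the rule above implies: it matches the incoming NATS subject (honouring the standard `*` and `>` wildcards), applies the field/operator/value condition, and returns the actions to dispatch, tagged with severity and compliance mappings. The operator names beyond `gt`, the event shape and the sample events are assumptions.

```python
import operator

OPEN_PORT_RULE = {  # parsed form of the rule above, as yaml.safe_load would return it
    "name": "open-port-detected", "severity": "medium", "nats_subject": "scanner.nmap.results",
    "condition": {"field": "open_ports", "operator": "gt", "value": 0},
    "compliance": {"pci_dss": ["2.2.2", "6.2"], "nist_800_53": ["CM-7", "RA-5"]},
    "actions": [{"type": "alert", "destination": "slack-security"},
                {"type": "store", "destination": "elasticsearch"}],
}

# Assumed operator vocabulary; the rule on the page uses only `gt`.
OPERATORS = {"gt": operator.gt, "gte": operator.ge, "lt": operator.lt,
             "lte": operator.le, "eq": operator.eq, "ne": operator.ne}

def subject_matches(pattern: str, subject: str) -> bool:
    """NATS subject match: '*' matches one token, '>' matches one or more trailing tokens."""
    p, s = pattern.split("."), subject.split(".")
    for i, tok in enumerate(p):
        if tok == ">":
            return len(s) > i
        if i >= len(s) or (tok != "*" and tok != s[i]):
            return False
    return len(p) == len(s)

def condition_holds(cond: dict, event: dict) -> bool:
    if cond["field"] not in event:
        return False  # a missing field never fires the rule
    try:
        return bool(OPERATORS[cond["operator"]](event[cond["field"]], cond["value"]))
    except TypeError:  # e.g. a string where a number was expected: do not crash the pipeline
        return False

def evaluate(rule: dict, subject: str, event: dict) -> list:
    """Return the rule's actions (with severity and compliance tags) if it fires, else []."""
    if not subject_matches(rule["nats_subject"], subject) or not condition_holds(rule["condition"], event):
        return []
    return [{"rule": rule["name"], "severity": rule["severity"], "compliance": rule["compliance"],
             "type": a["type"], "destination": a["destination"]} for a in rule["actions"]]

# Constructed sample events (not real scanner output): only the first one should fire.
EVENTS = [
    ("scanner.nmap.results", {"host": "10.0.0.5", "open_ports": 3}),
    ("scanner.nmap.results", {"host": "10.0.0.6", "open_ports": 0}),
    ("system.logs", {"host": "10.0.0.7", "open_ports": 9}),             # wrong subject
    ("scanner.nmap.results", {"host": "10.0.0.8"}),                      # field missing
    ("scanner.nmap.results", {"host": "10.0.0.9", "open_ports": "3"}),   # wrong type
]

def run(rule: dict = OPEN_PORT_RULE, events=EVENTS) -> list:
    return [a for subj, ev in events for a in evaluate(rule, subj, ev)]
```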

Security events, your way

Samma provides the data pipeline and rule engine. Visualize results in Grafana, Kibana, or any tool your team already uses.