Security

Security Monitoring (SIEM)

LogPulse Security Monitoring turns your existing log estate into a full SIEM. It runs on the same LPQL query language and ClickHouse engine you already use for observability, so there is no separate data store to feed, learn, or pay for. Detections, AI verdicts, and behavioral analytics all converge on a risk-based alerting model that surfaces a small number of high-confidence notables instead of a flood of per-rule alerts.

Private beta

The Security Monitoring (SIEM) features described on this page are currently available to beta customers only and are not yet enabled by default. If you would like access, reach out to our team at [email protected] and we will enable the Security features for your organization.

Overview

The SIEM is AI-evaluated and EU-sovereign by design. Customer log data is stored in the EU (GCP Amsterdam) and never leaves the region for normal operation. AI evaluation runs on Amazon Bedrock in an EU region, so investigations and verdicts stay within European infrastructure.

Because it is built on the same LPQL + ClickHouse engine as the rest of the platform, every detection is just an LPQL query on a schedule, and every alert is something you can click into, pivot from, and re-run interactively. The defining architectural choice is Risk-Based Alerting (RBA): rather than paging on every rule match, detections contribute risk to the entities they touch (user, host, IP). When accumulated risk crosses a threshold, a single notable is opened for that entity.

AI-evaluated

Notables are auto-investigated by an LLM that triages and closes false positives before a human sees them.

EU-sovereign

Log data in GCP Amsterdam; AI via Amazon Bedrock in the EU. No data egress for normal operation.

One engine

Same LPQL + ClickHouse used for observability. Detections are LPQL queries; alerts are pivotable.

Risk-based

Every entity carries one bounded 0–100 risk score that rewards attack breadth and decays over time — not an alert per rule.

Detections & Content Packs

LogPulse ships with 50+ built-in detections written in LPQL. Each detection is a scheduled query that runs on an interval, evaluates recent data, and emits risk events for the entities it matches. Detections are tagged with the relevant MITRE ATT&CK tactics and techniques so coverage can be measured and gaps identified.

Content Packs

Built-in detections are grouped into content packs by domain. You can enable, disable, or tune packs independently so the SIEM only runs detections relevant to the data sources you actually ingest.

Content Pack	Example Detections
Authentication	Brute-force, password spraying, MFA fatigue, disabled-account login
Web	SQL injection patterns, path traversal, suspicious user-agents, web shells
Network	Port scans, beaconing, data exfiltration volume, rare destination ports
DNS	DNS tunneling, DGA-style domains, high-entropy lookups, known-bad resolutions
Cloud / IAM	Root/owner usage, policy changes, new access keys, MFA disabled on admin
Endpoint	Suspicious process lineage, LOLBins, persistence, defense evasion
Email	Mail-forwarding rules, mass external sends, suspicious OAuth grants
Identity threats	Impossible travel, token theft, privilege escalation, dormant-account reactivation

Custom Detections & Sigma Import

Any LPQL query can be saved as a custom detection with its own schedule, severity, risk score, and MITRE tags. If you already maintain detection content in Sigma, paste the Sigma YAML rule into the import dialog and LogPulse transpiles it to an equivalent LPQL detection that you can review and adjust before enabling.

# Custom detection: repeated failed admin logins from one source
auth.signin
| where outcome == "failure" and user.is_admin == true
| stats count() as failures by source.ip, user.name
| where failures >= 10

Single vs. Sequence Detections

Most detections are single-stage: one query, one condition, evaluated on each run. LogPulse also supports sequence (multi-stage) detections that correlate several ordered conditions for the same entity within a time window. This expresses attack chains that no single event reveals.

For example, a sequence can require, for the same user within 15 minutes: a burst of failed logins, followed by a successful login, followed by a privilege-escalation event. Only when all stages occur in order does the sequence fire and emit risk.

# Sequence detection (multi-stage), per user, 15m window
sequence by user.name within 15m
  [ auth.signin where outcome == "failure" ] count >= 5
  [ auth.signin where outcome == "success" ]
  [ iam.role_change where action == "grant" and role.privileged == true ]

Risk-Based Alerting & Notables

Risk-Based Alerting is the core of the SIEM. Instead of firing an alert for every rule match, every signal — a detection match, an AI verdict, or an anomaly — emits a risk event attributed to one or more entities (user, host, IP). Risk accumulates on the entity over time, and only when the entity's risk crosses a threshold is a notable opened.

Effective Risk Score

Every entity carries a single effective risk score from 0 to 100 — the same number you see on the leaderboard, on the notable, and the one promotion is decided on. It is built so that the shape of an entity's activity, not just its volume, drives the score:

Property	What it does
Diminishing returns	The strongest signals count in full; repeats of the same low-level signal count for steadily less, so sheer volume saturates instead of piling up. A host hammered by one repetitive probe does not outrank a real multi-step intrusion.
Attack-breadth boost	Activity that spans several MITRE ATT&CK tactics (stages of an attack) and distinct techniques is boosted — breadth across the kill chain is weighted more heavily than variety within one stage, so genuine intrusions rise above single-signal noise.
Time decay	Each signal decays on a half-life, so stale activity fades and only sustained or recent risk stays high.
Entity criticality	A criticality multiplier weights the score by how important the entity is (for example a domain admin or a production host reaches a notable sooner).
Bounded 0–100	Everything is compressed onto a fixed 0–100 scale, so scores are always comparable across entities and never run off the top.

Promotion is then one threshold on one score: when an entity's effective risk crosses it, a notable is opened. There is one open notable per entity — additional risk events for an entity that already has an open notable are attached to it rather than creating duplicates, which keeps the analyst queue short and contextual. When the score decays back below a lower clear threshold, an automatically-raised notable resolves itself.

Risk Bands

The 0–100 effective score maps onto five severity bands, used consistently across the leaderboard, the notable, and notification severity:

Band	Score	Reading
Critical	90–100	Broad, multi-stage activity on a high-value entity — investigate first.
High	70–89	Strong, corroborated risk; typically where notables promote.
Moderate	40–69	Worth watching; single-stage or still-accumulating activity.
Low	20–39	Minor, isolated signals.
Info	0–19	Background noise; below the level of concern.

Per-Org Tuning

The risk model is tunable per organization so it fits your environment and risk appetite. Configurable parameters include:

Setting	Description
Notable threshold	Effective risk score required to promote a notable; the clear threshold auto-resolves it once risk decays back below.
Decay half-life	How quickly risk decays — shorter favors recency, longer retains history.
Volume sensitivity	How fast repeats of the same signal stop adding risk — higher saturates noisy, repetitive activity sooner.
Tactic & technique diversity boosts	How much each additional MITRE attack stage and technique lifts the score, with a cap so breadth alone cannot run away.
Score saturation	How hard it is to reach the top of the 0–100 scale — the main dial for reserving high scores for the clearest threats.
Criticality multipliers	Per-tier weights (for example ×2 for crown-jewel hosts).

Tip

The scoring constants ship with sensible defaults. Tune the saturation and threshold first against how scores land in your environment; the diversity and volume dials are for fine-grained shaping once the baseline feels right.

Risk Events & Investigation

Every signal that contributes risk is written as a risk event you can inspect, search, and pivot from. Around these sit an analyst dashboard for triage and a full investigation workflow on each notable.

Risk Events Explorer

The explorer is a searchable stream of every risk event across the organization, so an analyst can see exactly what is driving an entity's score. Filter by source engine (detection, sequence, anomaly, UEBA, threat-intel, AI evaluation), by entity, by MITRE tag, by score range, and by time window, then open any event to its underlying data.

Tip

Every risk event and notable is deep-linkable — paste a link into a ticket or a chat and a colleague lands on exactly the same filtered view.

Analyst Dashboard

A "where do I look first" dashboard sits on top of the risk stream, answering triage questions at a glance:

View	Answers
Top risk entities	A leaderboard ranked by effective risk score and band — the entities to investigate first.
MITRE tactic breakdown	Which attack stages are most active across the window.
Event volume timeline	How risk activity trends over time, to spot bursts.
Key indicators	Headline counts: risk events, active entities, tactics in play, top entity risk.

Investigation & Escalation

Each notable is a workspace, not just an alert. Beyond the AI auto-investigation (see Automated Response), analysts work the case directly:

Action	What it does
Live AI status	The notable shows whether its AI investigation is running or complete, and surfaces the verdict, summary, and recommendations once ready.
Notes	An append-only, attributed comment trail for the forensic record of the investigation.
Evidence	Pin contributing risk events onto the notable as a snapshot, so the evidence survives data retention and any later recomputation.
Escalate	Promote a risk event from the explorer into a notable by hand. Analyst-raised notables are owned by a person and are exempt from auto-resolve — only a human closes them.

Threat Intelligence

LogPulse includes a built-in IOC reputation store fed by free, reputable threat-intel feeds: AlienVault OTX, AbuseIPDB, the abuse.ch suite (Feodo Tracker, URLhaus and ThreatFox), and the Spamhaus DROP and ASN-DROP blocklists. The store is used to automatically enrich risk events — when a detection touches an IP that is known-bad, the risk is boosted and the resulting notable is tagged with the threat-intel match, so analysts see the reputation context without leaving the alert.

On top of the feeds, each organization can maintain its own allow/deny watchlists. A deny-list entry forces a known-bad classification (for entities you have confirmed internally), while an allow-list entry suppresses noise from sources you know to be benign (for example, a scanning service you operate).

Note

Some feeds use a free upstream API key (OTX, AbuseIPDB); the abuse.ch and Spamhaus feeds run automatically with no key required. Add any keys in the threat-intel settings to enable automatic feed refresh — a one-time configuration step.

Network & ASN Blocklists

Most reputation feeds list individual indicators. The Spamhaus blocklists work at a coarser, higher-confidence level — whole ranges of internet infrastructure that are leased to or controlled by malicious actors:

Feed	What it flags
DROP	Network blocks (CIDR ranges) that are hijacked or rented by criminals. Any IP falling inside a listed block is treated as known-bad via a fast range match.
ASN-DROP	Entire malicious autonomous systems (network operators). An IP is resolved to its owning ASN, and if that operator is listed the IP inherits the known-bad classification.

Both feed straight into the same enrichment path: a probe from an address inside a DROP block, or hosted by a DROP-listed network operator, boosts the risk on that risk event and tags the notable — so perimeter scanning from known-bad infrastructure surfaces as an attributed, threat-intel-backed notable rather than anonymous firewall noise.

LPQL Enrichment Commands

Two LPQL commands bring enrichment into any query, not just scheduled detections. Use them interactively while hunting, or inside a custom detection.

| threatintel <ipField> (alias | iplookup) looks up the IP in the reputation store and adds reputation fields (verdict, source feed, score):

web.access
| where status >= 400
| threatintel source.ip
| where threat.verdict == "malicious"
| stats count() as hits by source.ip, threat.source, threat.score
| sort hits desc

| iplocation <ipField> resolves an IP to GeoIP attributes — country, city, latitude, longitude, and ASN:

auth.signin
| where outcome == "success"
| iplocation source.ip
| stats count() as logins by user.name, geo.country, geo.asn
| sort logins desc

Note

GeoIP resolution uses MaxMind GeoLite2 and requires a free MaxMind license key for the self-hosted database refresh. Add the key in settings to keep the GeoIP database current; without it, iplocation falls back to whatever database snapshot is present.

Cloud & Identity Connectors

Security telemetry from cloud and identity providers is ingested through built-in connectors and normalized to canonical, CIM/OCSF-aligned data models. Normalization means a detection written against, say, an authentication model works across sources without rewriting field names per vendor.

Connector	Data Ingested
Microsoft Entra ID	Sign-in logs and audit logs (identity events, conditional access, role changes)
Microsoft 365	Office 365 Management Activity (Exchange, SharePoint, Teams, admin activity)
AWS CloudTrail	Management and data-plane API activity across AWS accounts

These join the existing platform connectors — Azure DevOps, GitHub, Railway, and Cloudflare — so application, infrastructure, and security data live side by side in the same engine.

UEBA / Behavioral Analytics

User and Entity Behavior Analytics adds detections that depend on an entity's own history rather than a static rule. Findings flow into the same risk model and open or augment notables, tagged with a behavior:* label so they are easy to filter.

Analytic	What It Detects
Impossible travel	Geo velocity between consecutive sign-ins exceeds plausible travel speed.
First-seen activity	A new country or IP seen for a user for the first time.
Volume spikes	Activity for a user that exceeds a per-user baseline (e.g. download or query volume).

Tip

Because UEBA findings feed risk rather than paging directly, a single weak signal (a first-seen IP) rarely alerts on its own, but combined with other risk on the same user it can tip the entity over the notable threshold.

Automated Response (SOAR)

When a notable is opened, LogPulse runs an AI auto-investigation that gathers context, correlates the contributing risk events, and forms a verdict. Investigations that conclude a notable is benign close it automatically, keeping the analyst queue focused on real incidents.

Response Actions

Beyond investigation, notables can trigger response actions. Every action runs behind a human approval gate — nothing destructive happens automatically.

Action	Behavior
Notify	Send to a channel (email, Slack, webhook, PagerDuty).
Create ticket	Open a ticket in your tracker with the notable context attached.
Block IP	Opt-in per org; requires owner approval before execution.
Disable user	Opt-in per org; requires owner approval before execution.

Warning

Destructive actions (block IP, disable user) are opt-in per organization and require explicit owner approval to run. They are disabled by default — enable them only after configuring who may approve.

Playbooks

Response actions can be composed into reusable playbooks that run when a notable matches their trigger conditions. For example, a brute-force playbook can chain "block the source IP" and "create a ticket" — with the block still gated on owner approval — so a common response is one consistent, auditable workflow rather than a series of manual steps.

MITRE ATT&CK Coverage

Because every detection and AI verdict is tagged with MITRE ATT&CK tactics and techniques, LogPulse renders a coverage heatmap derived from your currently enabled content. The heatmap shows which tactics and techniques are covered, helping you see and close gaps in your detection surface as you enable packs or add custom detections.

Entity 360

Entity 360 is a single unified view of an entity — a user, host, or IP — combining a security lens and an observability lens. The security lens shows accumulated risk, open notables, and IOC reputation; the observability lens shows the services, KPIs, and telemetry already tracked for that entity. The same view is reachable from both the security hub and the observability hub, so an analyst and an SRE arrive at the same full-context page from different directions.

Compliance Reporting

The SIEM produces control-coverage reports that map regulatory controls to the detections and data that evidence them. Supported frameworks include NIS2 (Article 21), DORA (ICT risk management), and ISO 27001. Each report shows which controls are evidenced by active detections and ingested data, and reports can be delivered on a schedule.

Framework	Mapped To
NIS2 (Art. 21)	Risk-management and incident-handling measures evidenced by detections and notables.
DORA (ICT risk)	ICT risk-management and incident-reporting controls.
ISO 27001	Annex A controls evidenced by monitoring, logging, and response content.

For the platform's broader certification status, DPA, sub-processors, and data residency, see the Compliance & Trust page.