Optimize SIEM With Confluent

The examples in this repository give you hands-on experience optimizing Security Information and Event Management (SIEM) solutions using Confluent. Each tutorial illustrates how to use Confluent to improve the response to a common cybersecurity scenario.

Hands-On in Your Browser

This demo runs best using Gitpod. Gitpod uses your existing git service account (GitHub, Gitlab, or BitBucket) for authentication. See the gitpod tips to get acquainted with gitpod.

Launch a workspace to get hands-on with the labs:

• https://gitpod.io/#https://github.com/confluentinc/demo-siem-optimization

If you want to launch a workspace that automatically submits all connectors, use this link instead:

• https://gitpod.io/#SUBMIT_CONNECTORS=true/https://github.com/confluentinc/demo-siem-optimization

If you want to run locally or in a different environment, see the appendix.

Hands-On Lab Instructions

Run through entire end-to-end demo to get the big picture. Zoom in on the individual labs to go into more detail.

0. End-to-End Demo (long)
1. Introduction
2. Analyze Syslog Data in Real Time with ksqlDB
3. Calculate Hourly Bandwidth Usage By Host with ksqlDB
4. Match Hostnames in a Watchlist Against Streaming DNS Data
5. Filter SSL Transactions and Enrich with Geospatial Data

References

Demo Video

• https://www.confluent.io/resources/video/how-to-optimize-your-siem-platforms-with-confluent/

Executive Brief

• https://assets.confluent.io/m/1eb84018eaad8291/

Cyber Defense Whitepaper

• https://assets.confluent.io/m/34ffc6b59ead86e5/

Confluent Sigma

• https://github.com/confluentinc/cyber/tree/master/confluent-sigma