Elasticsearch supercharged

Siren supercharges Elasticsearch with big data joins, remote data virtualization and true link analysis.
A game changer for cyber security, log analysis and much more.

Augmented Search Engine capabilities for Elasticsearch

Get way more from Elasticsearch

The Siren platform extends core ELK capabilities with in-cluster distributed big data joins, true knowledge graph support (with link analysis), data virtualization of JDBC datasources and much more.

Out of the box, critical capabilities for scenarios including:

  • Cybersecurity and operational log monitoring
  • Transaction analysis, risk and fraud detection
  • Intelligence and law enforcement
  • Advanced data search and discovery

and more.

The “Federate” Elasticsearch plug-in

Supercharging new or existing clusters is just a plug-in away

The Siren relational and federation technology comes packaged in the Siren Federate plugin for Elasticsearch. With Federate's patent-pending technologies, vertical and horizontal scaling is easily achieved in Siren without impacting the performance of standard Elasticsearch operations.

On top of that, Federate adds “Data Federation” where remote JDBC datasources are virtualized and exposed as if they were local indexes (with joins pushed down to the native sources).

Learn more about Federate and see the benchmarks in our blog post

Meet “Investigative Intelligence”

Siren’s frontend supercharges the native Kibana UI with “Investigative Intelligence” superpowers, including:

  • Relational data navigation and correlation at scale, powered by distributed in-cluster joins.
  • Interactive visualizations beyond Elasticsearch: visualize Elasticsearch data side by side with live data from JDBC sources including RDBMS and more.
  • True record-to-record link analysis across backends, with map, timeline, grouping, and advanced scripting for graph visualizations.

What can it do for Cyber? Watch it in action on cyber security logs

Join the dots at scale, the smart way

Design the datamodel with the built-in editor and tie Elasticsearch and remote indexes together

In Siren, Elasticsearch indexes and remote federated indexes are tied together by a visual relational datamodel. Typically, this is done in 3 simple steps:

  1. Connect to your Elasticsearch indexes as usual (or to remote indexes via JDBC).
  2. Build the datamodel, specifying cross-table primary/foreign key relations or shared identifiers (e.g. IPs, hashes, user IDs).
  3. Done! The datamodel now powers the UI with relational cross-dashboard drilldowns and record-to-record link analysis.
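To make the three steps concrete, the following Python sketch is an added example (not Siren code and not the Federate plugin's API) of what a relational datamodel does once built: two in-memory "indexes" (constructed sample firewall events and an asset inventory) are tied together by a declared relation on the shared identifier "ip", and a set-to-set drilldown resolves "the events matching this filter" into "the records in the other index that share a key", using a hash table on the target field rather than a scan. The DataModel class, its method names and the sample records are all assumptions made for the illustration; the orphan_keys helper additionally reports identifiers that have no counterpart on the other side, which in practice is the investigative signal (log IPs missing from the inventory) a drilldown surfaces.

```python
from collections import defaultdict

# Constructed sample "indexes" (not from the page): firewall events and an
# asset inventory share the identifier field "ip", which is the relation.
FIREWALL_LOGS = [
    {"id": 1, "ip": "10.0.0.5", "action": "deny", "bytes": 400},
    {"id": 2, "ip": "10.0.0.7", "action": "allow", "bytes": 12000},
    {"id": 3, "ip": "10.0.0.5", "action": "deny", "bytes": 80},
    {"id": 4, "ip": "10.0.0.9", "action": "deny", "bytes": 2100},
]
ASSETS = [
    {"hostname": "fin-ws-01", "ip": "10.0.0.5", "owner": "alice"},
    {"hostname": "dev-ws-02", "ip": "10.0.0.7", "owner": "bob"},
    {"hostname": "hr-ws-03", "ip": "10.0.0.8", "owner": "carol"},
]


class DataModel:
    """Hypothetical, illustrative datamodel: named indexes plus declared relations."""

    def __init__(self):
        self.indexes = {}    # index name -> list of documents
        self.relations = {}  # (src index, dst index) -> (src field, dst field)
        self._hash = {}      # (index name, field) -> {value: [documents]}

    def add_index(self, name, docs):
        self.indexes[name] = list(docs)
        self._hash = {}  # invalidate cached hash indexes

    def add_relation(self, src, src_field, dst, dst_field):
        # A relation is navigable in both directions, so register both.
        self.relations[(src, dst)] = (src_field, dst_field)
        self.relations[(dst, src)] = (dst_field, src_field)

    def _hash_index(self, name, field):
        """Build (once) a value -> documents table, the probe side of a hash semi-join."""
        key = (name, field)
        if key not in self._hash:
            table = defaultdict(list)
            for doc in self.indexes[name]:
                if field in doc:
                    table[doc[field]].append(doc)
            self._hash[key] = table
        return self._hash[key]

    def _matching_keys(self, src, predicate, dst):
        src_field, _ = self.relations[(src, dst)]
        return {doc[src_field] for doc in self.indexes[src]
                if predicate(doc) and src_field in doc}

    def drilldown(self, src, predicate, dst):
        """Set-to-set navigation: documents of `src` matching `predicate`
        -> every document of `dst` sharing a key along the declared relation."""
        _, dst_field = self.relations[(src, dst)]
        table = self._hash_index(dst, dst_field)
        out, seen = [], set()
        for key in self._matching_keys(src, predicate, dst):
            for doc in table.get(key, []):
                if id(doc) not in seen:
                    seen.add(id(doc))
                    out.append(doc)
        return out

    def orphan_keys(self, src, predicate, dst):
        """Source-side keys with no counterpart in `dst`: in the sample,
        IPs seen in the logs that are absent from the inventory."""
        _, dst_field = self.relations[(src, dst)]
        table = self._hash_index(dst, dst_field)
        return {k for k in self._matching_keys(src, predicate, dst) if k not in table}


def build_model():
    model = DataModel()
    model.add_index("firewall_logs", FIREWALL_LOGS)
    model.add_index("assets", ASSETS)
    model.add_relation("firewall_logs", "ip", "assets", "ip")  # step 2: shared identifier
    return model


def denied_asset_owners(model):
    """Owners of inventoried hosts that appear in denied firewall events."""
    assets = model.drilldown("firewall_logs", lambda d: d["action"] == "deny", "assets")
    return sorted(a["owner"] for a in assets)


def events_for_owner(model, owner):
    """Reverse direction: from an owner's assets back to their firewall events."""
    events = model.drilldown("assets", lambda d: d["owner"] == owner, "firewall_logs")
    return sorted(e["id"] for e in events)


if __name__ == "__main__":
    m = build_model()
    print("owners with denied traffic:", denied_asset_owners(m))
    print("denied IPs missing from inventory:",
          m.orphan_keys("firewall_logs", lambda d: d["action"] == "deny", "assets"))
    print("events for bob:", events_for_owner(m, "bob"))
```

The relation is registered once and navigated in both directions, which is what lets a dashboard filter on one index drive the content of another; the hash table on the target field is built lazily and reused, so repeated drilldowns do not rescan the target index.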

How does it compare?

Side-by-side comparison of the open source Elastic stack (ELKB) and the Siren platform

Columns compared: Apache licensed Elasticsearch (Free) vs. Siren Platform (Free or Paid)

Installation
  • Can be installed standalone
  • Compatible with Elastic subscriptions (formerly X-Pack)

Siren can be installed on top of Elasticsearch clusters in which free or paid Elastic Subscription packages (formerly X-Pack) have been installed.
Among the features that can typically be added for free are:

  • Extra data collection modules.
  • Infrastructure and log UI.
  • SQL CLI.
  • Data rollups/frozen indexes.
  • Kibana/Canvas.

Please refer to Elastic.co for details.

Compatible with Opendistro for Elasticsearch

Siren can be installed on Elasticsearch clusters which include components from the AWS-backed Opendistro for Elasticsearch. Useful features that can be added in this way include:

  • Cluster monitoring
  • Basic SQL

Backend (Elasticsearch + Siren Federate plugin)

Classic Elasticsearch core capabilities
  • Query language and scoring
  • Typeahead, highlighting, and spell-correction
  • Aggregations
  • Indexing & search – text, metrics, geo
  • Automatic data rebalancing
  • Clustering & high availability

Cross-index big join capabilities

Siren enhances Elasticsearch clusters with big data, distributed cross-index join capabilities.
When indexes are “virtualized”, the joins are pushed down to the native datasources; cross-backend joins are performed in memory.

Remote JDBC indexes as virtual Elasticsearch indexes

Siren “Virtual Indexes” look and behave like Elasticsearch indexes for most operations, but translate and forward queries directly to the remote datasources.
Currently supported backends (check the docs for the latest updates):

  • BigQuery
  • Denodo
  • Dremio
  • Impala
  • MySQL
  • Microsoft SQL Server
  • Neo4j
  • Oracle
  • PostgreSQL
  • Presto
  • SAP ASE
  • Spark SQL
“Reflection” of remote data in the cluster

Reflections are optional, locally materialized Elasticsearch tables which are kept in sync with the content of the remote datasources. Activating datasource reflection lowers the load on the remote datasources during intense analytics, increases performance and scalability for local users, and extends the search and analytics capabilities (e.g. word clouds, phonetic search and high-quality ranking become available on reflected indexes).

  • Easily go from a virtualized index to a “reflection index” using our wizard.
  • Reflections are periodically refreshed.

Easy alerting for business users
  • One-click alerts can be activated directly from the dashboards.
  • Customized alerts can be created as deployable scripts.

Advanced alert creation environment
  • Elasticsearch: basic, no enterprise support (via Opendistro)
  • Siren Platform: advanced, supported by Siren

Advanced Siren-only features include:

  • High availability, scalable alerting.
  • Ability to generate alerts from large-scale index joins.
  • Alerting on data that resides in different backends (via Siren virtualization).

Security
  • Elasticsearch: via Opendistro plugin, no enterprise support
  • Siren Platform: enterprise support

While Siren's security capabilities are identical to those of Opendistro, Siren provides enterprise support for them.
Features:


  • Active Directory
  • LDAP
  • Kerberos / SPNEGO
  • JSON web token authentication
  • SAML
  • OpenID / JWKS
  • Custom authenticators
  • REST management API
  • Document-level security
  • Field-level security
  • Audit Logging
  • Configuration GUI
  • Read history audit logging
  • Write history audit logging
  • Field anonymization
  • Immutable indices
  • Event routing
  • Elasticsearch installation monitoring
  • Search Guard configuration monitoring

Frontend (Siren Investigate)
  • Elasticsearch: Investigate not available
  • Siren Platform: the Siren Investigate features below

Investigate core features
  • Semantic/relational datamodel
  • Automatic cross-index relation discovery
  • Relational navigation across dashboards (“set to set” / relational drilldowns)
  • Autogenerated dashboards and autogenerated widgets
  • Dashboards for “360 degree entity/set views” (dashboard-specific relations across widgets)
  • Live JDBC data can be used in dashboards exactly like Elasticsearch data (no ETL)
  • Dashboards/folder/space navigator sidebar-driven UI
  • Knowledge graph explorer / link analysis
  • Filters can be combined in OR with multiple clicks
  • Investigate can live together with Kibana
  • Multi-layer map component; link analysis on the map
  • Big data, UI-driven CSV import/export
  • PDF, PNG exports

Machine learning and data discovery
  • Time series anomaly detection
  • Auto discovery dashboard creation
  • Visual high-dimensionality correlation explorer
  • Text cluster discovery capabilities

Data ingestion and processing, services
  • Scheduled data materialization for virtualized datasources, enrichments (ingestion)
  • Data fingerprinting, detection of relationships and sensitive/known data types

Search and alert
  • Search engine mode dashboard, support for custom result templates, support for NLP-annotated text
  • Scriptable “types” of alerts on new search results, business-user friendly
  • Support for molecular search
  • Document similarity search

Compatibility and extensibility
  • License to customize/modify source code of the commercial offering (*)
  • Iframe embedding friendly
  • Scriptable operations
  • Record data visualization templates for result tables


Ready to kick-start your project?

Get in touch with one of our experts and let us show you how we can leverage your datasets to unearth powerful insights.