PPL & Observability SIEM features in OpenSearch
As a Security Analyst,
I want to utilise the Observability plugin & PPL in an efficient manner. Features such as tooltips and autocomplete would help a lot, as well as bug fixes and regular updates.
The syntax is neither well nor widely understood, and there are lingering bugs, which for a user are very hard to duplicate across the microcosm of repositories which bundle into the suite.
Observability & PPL feels like a very promising place for OpenSearch to become more useful to a security operations team, where currently the capabilities are extremely limiting.
While OpenSearch Dashboards, with tenancy and VisBuilder, have been used, they are complicated, and the search capabilities limit the ability to work in an effective, visual and fast manner.
Visual aspects are too separate from Search; drill downs are minimal or come with a massive time overhead. Search is relegated largely to the very basics; for a little more capability, they need to be written as an API-style query.
Observability & PPL could be a great improvement if it grows, particularly with security team workflows in mind.
-
Thanks for raising the comment, Daniel. As this is more of a general comment on OpenSearch, I will shelve this.
The OpenSearch project is developed with the intention of becoming not just the best Search tool, but also a general database built for performance, resilience, cost effectiveness and scalability. Observability, SIEM, as well as many Search capabilities, are the three main use cases of OpenSearch, and it will definitely get better over time.