PLAYBOOK · 01

Playbook · SIEM

Security analytics on an event stream: auth logs, firewall drops, process executions, DNS queries. XERJ hits this workload at 74× the aggregation speed of Elasticsearch and a 6.8× median p95 speedup across the 16-query SIEM battery — measured 2026-04-14 on 1M events.

What's included

Index schema

$ curl -sX PUT http://localhost:8080/v1/indices/security-events \
    -H 'Content-Type: application/json' \
    -d '{
      "fields": {
        "@timestamp":   "date",
        "host":         "keyword",
        "source_ip":    "ip",
        "dest_ip":      "ip",
        "user":         "keyword",
        "action":       "keyword",
        "result":       "keyword",
        "process":      "keyword",
        "parent":       "keyword",
        "dns_query":    "keyword",
        "message":      "text"
      }
    }'

Ingest

$ cat auth.log | \
    xerj-ingest http://localhost:8080 security-events
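How raw sshd lines map onto the schema above, as an added example that is not part of the playbook or of xerj-ingest: the Python below turns constructed auth.log lines into documents that use the index's field names (`@timestamp`, `host`, `source_ip`, `user`, `action`, `result`, `process`, `message`). Syslog omits the year, so the year is an assumption passed in by the caller; the wire format xerj-ingest expects is not described on this page, so the NDJSON output is an assumption too.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sshd lines in classic syslog format (no year in the timestamp); not real data.
SAMPLE_AUTH_LOG = """\
Apr 14 18:49:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Apr 14 18:49:03 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51530 ssh2
Apr 14 18:49:10 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.4 port 40012 ssh2
Apr 14 18:49:12 web01 sshd[2240]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
"""

SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_auth_line(line, year=2026):
    """Map one sshd line onto the playbook's field names; None for lines without an auth outcome.
    Syslog omits the year, so the caller supplies it (assumption: the log is from 2026)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    a = AUTH_RE.match(m["msg"])
    if a is None:
        return None  # session open/close and similar lines carry no auth outcome
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "host": m["host"],
        "source_ip": a["ip"],
        "user": a["user"],
        "action": "auth",
        "result": "fail" if a["outcome"] == "Failed" else "success",
        "process": "sshd",
        "message": m["msg"],
    }


def parse_auth_log(text, year=2026):
    """All auth-outcome documents from a block of log text, in file order."""
    docs = (parse_auth_line(line, year) for line in text.splitlines())
    return [d for d in docs if d is not None]


def to_ndjson(docs):
    """One JSON document per line (delivery format is an assumption; the page does not document it)."""
    return "\n".join(json.dumps(d, sort_keys=True) for d in docs) + "\n"


if __name__ == "__main__":
    print(to_ndjson(parse_auth_log(SAMPLE_AUTH_LOG)), end="")
```

The fourth sample line (a PAM session message) is dropped on purpose: it has no `result`, and Detections 1 and 5 both pivot on that field, so ingesting it as an `auth` event would dilute the failure ratio.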

Detection 1 · Top source IPs

The canonical SIEM query. XERJ answers in 0.4 ms p95 vs ES 29.8 ms — 74×.

{
  "query": {
    "bool": {
      "filter": [
        { "term":  { "action": "auth" } },
        { "term":  { "result": "fail" } },
        { "range": { "@timestamp": { "gte": "now-24h" } } }
      ]
    }
  },
  "aggs": {
    "top_ips": { "terms": { "field": "source_ip", "size": 20 } }
  },
  "size": 0
}

Detection 2 · Unusual process parent

{
  "query": {
    "bool": {
      "filter": [
        { "term": { "parent": "wininit.exe" } },
        { "terms": { "process": ["powershell.exe", "cmd.exe", "rundll32.exe"] } }
      ]
    }
  },
  "aggs": {
    "by_host": { "terms": { "field": "host", "size": 50 } }
  }
}

Detection 3 · DNS tunneling candidates

Long DNS queries with high entropy are a classic tunneling signal. The regexp below gates on label length (30 or more alphanumerics before the first dot) and XERJ evaluates it in the filter context; it does not measure entropy, so long CDN or telemetry hostnames match as well and the hits should be ranked by entropy before anyone is paged.

{
  "query": {
    "bool": {
      "filter": [
        { "regexp": { "dns_query": "[a-zA-Z0-9]{30,}\\..*" } },
        { "range":  { "@timestamp": { "gte": "now-1h" } } }
      ]
    }
  },
  "aggs": {
    "by_host": { "terms": { "field": "host", "size": 20 } }
  }
}
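Since the regexp gates only on label length, the entropy half of the signal has to be computed downstream. The Python below is an added example, not XERJ code: it applies the same length gate as the query, computes the Shannon entropy of the first label, and tallies candidates per host the way the `by_host` aggregation does. The sample records and the 3.5-bit threshold are constructed for illustration and should be tuned against real traffic.

```python
import math
import re
from collections import Counter

# Same gate as the playbook's regexp: 30+ alphanumerics in the leading label, then a dot.
LONG_LABEL_RE = re.compile(r"^[a-zA-Z0-9]{30,}\..*")


def shannon_entropy(s):
    """Bits per character of s's character distribution (0 for one repeated character)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def matches_length_gate(dns_query):
    """What the regexp in the query alone would flag."""
    return LONG_LABEL_RE.match(dns_query) is not None


def is_tunnel_candidate(dns_query, min_entropy=3.5):
    """Length gate AND entropy threshold; 3.5 bits is a constructed starting point, not a measured cutoff."""
    if not matches_length_gate(dns_query):
        return False
    first_label = dns_query.split(".", 1)[0]
    return shannon_entropy(first_label) >= min_entropy


# Constructed records in the index's shape (not real traffic).
SAMPLE_DNS_EVENTS = [
    {"host": "ws-17", "dns_query": "a" * 40 + ".example.net"},                                    # long, zero entropy
    {"host": "ws-17", "dns_query": "4f9b2c7e1a8d3f6b0c5e9a2d7f1b4c8e3a6d9f2b.example.net"},     # long, hex-like
    {"host": "ws-22", "dns_query": "www.example.com"},                                            # short
    {"host": "ws-22", "dns_query": "d3k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9.cdn-example.org"},  # long, mixed
]


def candidates_by_host(events, min_entropy=3.5):
    """Per-host count of flagged queries, mirroring the by_host terms aggregation."""
    flagged = (ev["host"] for ev in events if is_tunnel_candidate(ev["dns_query"], min_entropy))
    return dict(Counter(flagged))


if __name__ == "__main__":
    print("length gate only:", sum(matches_length_gate(e["dns_query"]) for e in SAMPLE_DNS_EVENTS))
    print("gate + entropy:  ", candidates_by_host(SAMPLE_DNS_EVENTS))
```

On the constructed input the length gate alone matches three of the four records; adding the entropy check drops the repeated-character label, which is the kind of false positive a padded or hashed-but-trivial CDN name produces.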

Detection 4 · Lateral movement

{
  "query": {
    "bool": {
      "filter": [
        { "terms": { "action": ["ssh", "rdp", "smb"] } },
        { "term":  { "result": "success" } }
      ]
    }
  },
  "aggs": {
    "by_user": {
      "terms": { "field": "user", "size": 20 },
      "aggs": {
        "distinct_hosts": { "cardinality": { "field": "dest_ip" } }
      }
    }
  }
}

Detection 5 · Spike detection via date histogram

{
  "query": { "term": { "action": "auth" } },
  "aggs": {
    "over_time": {
      "date_histogram": { "field": "@timestamp", "fixed_interval": "1m" },
      "aggs": {
        "by_result": { "terms": { "field": "result", "size": 3 } }
      }
    }
  }
}
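The query returns per-minute counts by result; deciding what counts as a spike happens on the client. Added example (Python, not part of the playbook): it reads a response in the shape this query produces, extracts the per-minute failure series, and flags minutes whose count exceeds a median-plus-MAD baseline with an absolute floor. The response field names (`aggregations`, `buckets`, `key_as_string`, `doc_count`) follow Elasticsearch conventions and are assumed for XERJ; the counts are constructed.

```python
import statistics


def make_bucket(ts, success, fail):
    """One date_histogram bucket with its by_result sub-aggregation (Elasticsearch-style shape, assumed for XERJ)."""
    return {
        "key_as_string": ts,
        "doc_count": success + fail,
        "by_result": {"buckets": [{"key": "success", "doc_count": success},
                                  {"key": "fail", "doc_count": fail}]},
    }


# Constructed response: a quiet baseline with a two-minute burst of failed logins in the middle (values invented).
SAMPLE_RESPONSE = {"aggregations": {"over_time": {"buckets": [
    make_bucket("2026-04-14T18:40:00Z", 41, 3),
    make_bucket("2026-04-14T18:41:00Z", 39, 2),
    make_bucket("2026-04-14T18:42:00Z", 44, 4),
    make_bucket("2026-04-14T18:43:00Z", 40, 3),
    make_bucket("2026-04-14T18:44:00Z", 38, 2),
    make_bucket("2026-04-14T18:45:00Z", 42, 3),
    make_bucket("2026-04-14T18:46:00Z", 40, 120),
    make_bucket("2026-04-14T18:47:00Z", 43, 95),
    make_bucket("2026-04-14T18:48:00Z", 41, 4),
]}}}


def failures_per_minute(resp):
    """(timestamp, fail count) per bucket, read from the nested terms sub-aggregation."""
    series = []
    for b in resp["aggregations"]["over_time"]["buckets"]:
        fails = sum(x["doc_count"] for x in b["by_result"]["buckets"] if x["key"] == "fail")
        series.append((b["key_as_string"], fails))
    return series


def find_spikes(series, k=5.0, min_abs=10):
    """Buckets above median + k*MAD and above an absolute floor.
    Median/MAD instead of mean/stddev so the spike does not inflate its own baseline;
    min_abs keeps a near-zero series from alerting on a single extra failure."""
    values = [v for _, v in series]
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values]) or 1.0
    threshold = max(min_abs, med + k * mad)
    return [(ts, v) for ts, v in series if v >= threshold]


if __name__ == "__main__":
    for ts, n in find_spikes(failures_per_minute(SAMPLE_RESPONSE)):
        print(f"spike at {ts}: {n} failed auths")
```

With `k=5` and seven quiet minutes around them, the 120- and 95-failure minutes are flagged while the 4-failure minute is not; `k` and `min_abs` are the two knobs to tune per environment, and a longer window (the query above has no time filter, so add a `range` on `@timestamp` in production) gives the median a more stable baseline.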

Dashboard

Open the playground and pick ANOMALY · DETECT — the same queries wired up as click-to-drill panels on live data.

Source · engine/SIEM_BATTLE_2026-04-14_184900_UTC.md · §2 16-query battery