SecureWatch SIEM Platform Documentation
Welcome to the SecureWatch SIEM Platform documentation! SecureWatch is a comprehensive, enterprise-grade Security Information and Event Management (SIEM) platform built with modern microservices architecture and designed for scalability, performance, and ease of use.
What is SecureWatch?
SecureWatch provides real-time security monitoring, threat detection, and incident response capabilities for organizations of all sizes. Built on a foundation of proven technologies and security best practices, it offers:
Universal Data Ingestion - Collect logs from any source via syslog, HTTP Event Collector (HEC), agents, and file uploads
Real-time Analysis - Powered by KQL (Kusto Query Language) for advanced log analysis and threat hunting
Automated Correlation - Built-in correlation engine with MITRE ATT&CK framework integration
Enterprise Security - Multi-tenancy, RBAC, OAuth, MFA, and comprehensive audit trails
Modern Architecture - Cloud-native microservices designed for horizontal scaling
Version 2.1.0 - Latest Release (June 2025)
This documentation covers SecureWatch v2.1.0, featuring major architecture consolidation (95,000+ lines of duplicate code removed), enhanced performance with EventsTable virtualization, and streamlined 8-service architecture. See SecureWatch SIEM Platform - Changelog for complete release notes.
Quick Start
Get SecureWatch running in minutes with our guides:
- Get up and running with SecureWatch in under 10 minutes using our streamlined installation process.
- Production-ready deployment guide with HA configuration, security hardening, and monitoring.
- Learn how to connect your log sources and start collecting security data immediately.
- Master KQL for advanced threat hunting and security analysis.
Architecture Overview
SecureWatch v2.1.0 features a streamlined microservices architecture with 8 core services. The diagram below shows the services, the port each listens on, and the data flow between them:

```mermaid
graph TB
    subgraph "Data Ingestion Layer"
        A[Syslog] --> D[Log Ingestion Service<br/>Port 4002]
        B[HEC API] --> E[HEC Service<br/>Port 8888]
        C[Agent] --> D
        F[File Upload] --> D
    end
    subgraph "Core Processing Layer (v2.1.0)"
        D --> G[Search API<br/>Port 4004]
        E --> G
        G --> H[Correlation Engine<br/>Port 4005]
        G --> I[Analytics Engine<br/>Port 4009<br/><small>Consolidated APIs</small>]
        G --> J[Query Processor<br/>Port 4008]
    end
    subgraph "Security & Integration"
        K[Auth Service<br/>Port 4006] --> L[Frontend<br/>Port 4000<br/><small>Enterprise Next.js</small>]
        M[MCP Marketplace<br/>Port 4010] --> L
    end
    subgraph "Data Storage"
        N[(TimescaleDB<br/>Continuous Aggregates)]
        O[(Redis<br/>Caching & Jobs)]
        P[(OpenSearch 3.0<br/>Full-text Search)]
    end
    G --> N
    H --> N
    I --> N
    J --> O
    L --> G
    L --> I
```

Key Features
- Process millions of events per second with TimescaleDB optimization and intelligent caching
- KQL-powered search engine with correlation rules, threat intelligence, and MITRE ATT&CK integration
- Multi-tenancy, RBAC, OAuth, MFA, audit trails, and comprehensive compliance frameworks
- Kubernetes-ready, horizontally scalable microservices with Docker containerization
- Interactive dashboards, heatmaps, network graphs, geolocation maps, and custom widgets
- Syslog, HEC, agents, file uploads: collect data from any source in any format
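The ingestion and correlation features listed above form a pipeline: raw lines come in over syslog or HEC, are normalised into events, and a correlation rule tagged with a MITRE ATT&CK technique fires when a pattern appears inside a time window. The TypeScript below is an added illustration of that pipeline and is not SecureWatch's own ingestion or correlation code. It parses constructed BSD-syslog (RFC 3164 style) lines of the kind the Log Ingestion Service would receive, normalises them, and applies one rule: five or more SSH password failures from a single source address within 60 seconds, tagged T1110 (Brute Force). The event fields, rule name, thresholds and sample lines are all assumptions made for the example and do not reflect SecureWatch's event schema or rule syntax.

```typescript
// Added example, not SecureWatch project code: syslog parsing plus one
// sliding-window correlation rule. Field names and thresholds are assumptions.

export interface NormalizedEvent {
  ts: number;            // ms since epoch, UTC
  host: string;
  program: string;
  message: string;
  srcIp?: string;
  user?: string;
  outcome?: "failure" | "success";
}

export interface Alert {
  rule: string;
  technique: string;     // MITRE ATT&CK technique ID
  srcIp: string;
  count: number;
  users: string[];
  firstSeen: string;     // ISO 8601
  lastSeen: string;
}

const MONTHS: { [k: string]: number | undefined } = {
  Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
  Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11,
};

// "<PRI>Mon DD HH:MM:SS host program[pid]: message" (BSD syslog, RFC 3164).
// RFC 3164 timestamps carry no year, so the caller supplies one.
const SYSLOG_RE = /^<\d{1,3}>(\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) ([^\[:\s]+)(?:\[\d+\])?: (.*)$/;
const SSH_FAIL_RE = /^Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+/;
const SSH_OK_RE = /^Accepted (?:password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+) port \d+/;

// Returns null for lines that do not parse; the caller counts those instead of silently dropping them.
export function parseSyslog(line: string, year: number): NormalizedEvent | null {
  const m = SYSLOG_RE.exec(line);
  if (!m) return null;
  const month = MONTHS[m[1]];
  if (month === undefined) return null;
  const ts = Date.UTC(year, month, Number(m[2]), Number(m[3]), Number(m[4]), Number(m[5]));
  const ev: NormalizedEvent = { ts, host: m[6], program: m[7], message: m[8] };
  const fail = SSH_FAIL_RE.exec(ev.message);
  const ok = fail ? null : SSH_OK_RE.exec(ev.message);
  if (fail) { ev.user = fail[1]; ev.srcIp = fail[2]; ev.outcome = "failure"; }
  else if (ok) { ev.user = ok[1]; ev.srcIp = ok[2]; ev.outcome = "success"; }
  return ev;
}

export function parseLines(lines: string[], year: number): { events: NormalizedEvent[]; dropped: number } {
  const events: NormalizedEvent[] = [];
  let dropped = 0;
  lines.forEach((l) => { const e = parseSyslog(l, year); if (e) events.push(e); else dropped++; });
  return { events, dropped };
}

// Rule: at least `threshold` authentication failures from one source IP within `windowMs`.
// Events are sorted by time first so out-of-order delivery cannot split a window.
export function detectBruteForce(events: NormalizedEvent[], threshold: number, windowMs: number): Alert[] {
  const bySrc: { [ip: string]: NormalizedEvent[] } = {};
  events
    .filter((e) => e.outcome === "failure" && e.srcIp !== undefined)
    .sort((a, b) => a.ts - b.ts)
    .forEach((e) => { const ip = e.srcIp as string; (bySrc[ip] = bySrc[ip] || []).push(e); });

  const alerts: Alert[] = [];
  Object.keys(bySrc).forEach((ip) => {
    const list = bySrc[ip];
    let start = 0;
    for (let end = 0; end < list.length; end++) {
      // Slide the window start forward until the oldest event is within windowMs of the newest.
      while (list[end].ts - list[start].ts > windowMs) start++;
      if (end - start + 1 >= threshold) {
        // Extend to every further event that still fits in the same window, then report once.
        let stop = end;
        while (stop + 1 < list.length && list[stop + 1].ts - list[start].ts <= windowMs) stop++;
        const hit = list.slice(start, stop + 1);
        const users: string[] = [];
        hit.forEach((e) => { if (e.user && users.indexOf(e.user) < 0) users.push(e.user); });
        alerts.push({
          rule: "ssh-password-brute-force", technique: "T1110", srcIp: ip, count: hit.length, users,
          firstSeen: new Date(hit[0].ts).toISOString(), lastSeen: new Date(hit[hit.length - 1].ts).toISOString(),
        });
        break; // one alert per source per batch; a production engine would also dedupe across batches
      }
    }
  });
  return alerts;
}

// Constructed sample lines (not real logs): 10.0.0.5 fails six times in 40 s, 10.0.0.9 twice,
// one line is not syslog at all, and one successful login must not count as a failure.
export const SAMPLE_LINES: string[] = [
  "<38>Jun 14 10:00:01 bastion sshd[4121]: Failed password for root from 10.0.0.5 port 51001 ssh2",
  "<38>Jun 14 10:00:09 bastion sshd[4121]: Failed password for root from 10.0.0.5 port 51002 ssh2",
  "<38>Jun 14 10:00:10 bastion sshd[4130]: Failed password for invalid user admin from 10.0.0.9 port 40210 ssh2",
  "<38>Jun 14 10:00:17 bastion sshd[4121]: Failed password for invalid user admin from 10.0.0.5 port 51003 ssh2",
  "this line is not syslog at all",
  "<38>Jun 14 10:00:25 bastion sshd[4121]: Failed password for root from 10.0.0.5 port 51004 ssh2",
  "<38>Jun 14 10:00:33 bastion sshd[4121]: Failed password for root from 10.0.0.5 port 51005 ssh2",
  "<38>Jun 14 10:00:41 bastion sshd[4121]: Failed password for root from 10.0.0.5 port 51006 ssh2",
  "<38>Jun 14 10:00:50 bastion sshd[4130]: Failed password for invalid user admin from 10.0.0.9 port 40211 ssh2",
  "<38>Jun 14 10:01:02 bastion sshd[4140]: Accepted publickey for deploy from 10.0.0.20 port 39000 ssh2",
];

export function runSample(): { dropped: number; alerts: Alert[] } {
  const parsed = parseLines(SAMPLE_LINES, 2025);
  return { dropped: parsed.dropped, alerts: detectBruteForce(parsed.events, 5, 60000) };
}
```

Running `runSample()` yields one alert for 10.0.0.5 covering six failures against two usernames, no alert for 10.0.0.9, and a dropped-line count of one; that count is the figure you would surface on an ingestion dashboard rather than discard. Sorting before windowing matters because syslog over UDP and multi-collector setups routinely deliver events out of order, and a rule that trusts arrival order under-counts exactly the bursts it is meant to catch.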
Community & Support
Found a bug? Have a feature request? Open an issue on GitHub.
Connect with the community, share ideas, and get help from other users.
Quick Links
- Project Homepage
- Latest Release
- Change Log
- Configuration Guide
- Performance Tuning
SecureWatch SIEM Platform - Enterprise security monitoring made simple.