Playbook · SIEM
Security analytics on an event stream: auth logs, firewall drops, process executions, DNS queries. On this workload XERJ runs the aggregation 74× faster than Elasticsearch and posts a 6.8× median p95 speed-up across the 16-query SIEM battery (measured 2026-04-14 on 1M events).
What's included
- Index schema for security events.
- Ingest command for a common log shape.
- Five core detection queries: top source IPs of failed auths, unusual process parents, DNS tunneling candidates, cross-host lateral movement, auth spikes over time.
- Dashboard in the XERJ playground that renders all of the above.
Index schema
$ curl -sX PUT http://localhost:8080/v1/indices/security-events \
    -H 'Content-Type: application/json' \
    -d '{
      "fields": {
        "@timestamp": "date",
        "host": "keyword",
        "source_ip": "ip",
        "dest_ip": "ip",
        "user": "keyword",
        "action": "keyword",
        "result": "keyword",
        "process": "keyword",
        "parent": "keyword",
        "dns_query": "keyword",
        "message": "text"
      }
    }'
Ingest
$ cat auth.log | \
    xerj-ingest http://localhost:8080 security-events
Detection 1 · Top source IPs
The canonical SIEM query: the source IPs with the most failed authentications in the last 24 hours. XERJ answers in 0.4 ms p95 vs ES 29.8 ms, a 74× ratio.
{
  "query": {
    "bool": {
      "filter": [
        { "term": { "action": "auth" } },
        { "term": { "result": "fail" } },
        { "range": { "@timestamp": { "gte": "now-24h" } } }
      ]
    }
  },
  "aggs": {
    "top_ips": { "terms": { "field": "source_ip", "size": 20 } }
  },
  "size": 0
}
Detection 2 · Unusual process parent
Scripting hosts and living-off-the-land binaries spawned directly by wininit.exe, bucketed by host. wininit.exe only ever starts a handful of system processes, so any of these as its child is worth a look.
{
  "query": {
    "bool": {
      "filter": [
        { "term": { "parent": "wininit.exe" } },
        { "terms": { "process": ["powershell.exe", "cmd.exe", "rundll32.exe"] } }
      ]
    }
  },
  "aggs": {
    "by_host": { "terms": { "field": "host", "size": 50 } }
  }
}
Detection 3 · DNS tunneling candidates
Long DNS queries with high entropy are a classic tunneling signal. XERJ's regexp query handles the length test in the filter context; entropy still has to be scored on the candidates it returns.
{
  "query": {
    "bool": {
      "filter": [
        { "regexp": { "dns_query": "[a-zA-Z0-9]{30,}\\..*" } },
        { "range": { "@timestamp": { "gte": "now-1h" } } }
      ]
    }
  },
  "aggs": {
    "by_host": { "terms": { "field": "host", "size": 20 } }
  }
}
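The regexp above only checks label length, so a long but ordinary hostname passes it too. The following is an added example (not part of this playbook or of XERJ) of the client-side entropy post-filter: it reapplies the same pattern to returned events, scores the leftmost label, and keeps only high-entropy names. The 4.0 bits/char threshold and the sample events are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Same pattern as Detection 3; ES/Lucene regexp queries are anchored, hence fullmatch.
LONG_LABEL_RE = re.compile(r"[a-zA-Z0-9]{30,}\..*")

# Assumed threshold (illustration only, tune on your own DNS baseline): encoded payload
# labels tend to score above ~4 bits/char, dictionary-word labels below it.
ENTROPY_THRESHOLD = 4.0

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def matches_detection_3(qname: str) -> bool:
    """True if the query name would pass the regexp filter in Detection 3."""
    return LONG_LABEL_RE.fullmatch(qname) is not None

def tunneling_candidates(events, threshold=ENTROPY_THRESHOLD):
    """Length regexp first, then keep names whose leftmost label is high-entropy.
    events: dicts with 'host' and 'dns_query' (index schema above). Returns
    (host, dns_query, entropy) tuples, highest entropy first."""
    out = []
    for ev in events:
        qname = ev["dns_query"]
        if not matches_detection_3(qname):
            continue
        h = shannon_entropy(qname.split(".", 1)[0])
        if h >= threshold:
            out.append((ev["host"], qname, round(h, 2)))
    return sorted(out, key=lambda t: t[2], reverse=True)

# Constructed sample events (not real traffic): a base64-looking label, a long
# dictionary-word label that the regexp alone also matches, and two short names.
SAMPLE_EVENTS = [
    {"host": "ws-17", "dns_query": "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t.example.net"},
    {"host": "ws-03", "dns_query": "downloadupdatesserverwestcoastregion.cdn.example.com"},
    {"host": "ws-03", "dns_query": "mail.example.com"},
    {"host": "ws-17", "dns_query": "abc123.example.org"},
]

if __name__ == "__main__":
    for host, qname, h in tunneling_candidates(SAMPLE_EVENTS):
        print(f"{host}\t{h:.2f}\t{qname}")
```

Only the base64-looking name survives both stages; the 36-character dictionary-word label passes the regexp but scores about 3.8 bits/char and is dropped.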
Detection 4 · Lateral movement
Successful ssh/rdp/smb logons per user, with a cardinality sub-aggregation counting the distinct destination IPs each user reached. One account fanning out across many hosts is the signal.
{
  "query": {
    "bool": {
      "filter": [
        { "terms": { "action": ["ssh", "rdp", "smb"] } },
        { "term": { "result": "success" } }
      ]
    }
  },
  "aggs": {
    "by_user": {
      "terms": { "field": "user", "size": 20 },
      "aggs": {
        "distinct_hosts": { "cardinality": { "field": "dest_ip" } }
      }
    }
  }
}
Detection 5 · Spike detection via date histogram
Auth events per minute, split by result. The query returns the per-minute series; a minute whose fail count jumps against the surrounding baseline is the spike.
{
  "query": { "term": { "action": "auth" } },
  "aggs": {
    "over_time": {
      "date_histogram": { "field": "@timestamp", "fixed_interval": "1m" },
      "aggs": {
        "by_result": { "terms": { "field": "result", "size": 3 } }
      }
    }
  }
}
Dashboard
Open the playground and pick ANOMALY · DETECT: the same queries wired up as click-to-drill panels on live data.
Source · engine/SIEM_BATTLE_2026-04-14_184900_UTC.md · §2 16-query battery