SIEMplyfier Technical Manual

The complete engineering and implementation guide for SIEMplyfier.

1. Architecture & Philosophy

SIEMplyfier is designed to manage the entire lifecycle of a SIEM use case, from ideation and AI-driven generation to implementation and maintenance. It acts as a centralized "source of truth" for detection logic, reducing complexity and improving collaboration between security teams.

Frontend: Next.js, React, TypeScript, ShadCN UI, Tailwind CSS.

Backend & Data: Firebase (Firestore) as a NoSQL database for use case storage.

AI Orchestration: Google's Genkit SDK to interact with Gemini AI models for all generative tasks.

2. Page Functionalities

3. Anatomy of a Use Case

The core data object in SIEMplyfier is the `UseCase`. It is stored as a document in the Firestore collection `use_cases_library`. Below is a breakdown of its key fields.

Key Data Fields

  • useCaseName, industryVertical, useCaseType: Basic identification and categorization fields.
  • technicalDescription, securityObjective, detectionLogic: The "what", "why", and "how" of the detection logic in plain language.
  • complianceFrameworks, mitreAttackTechniques: High-level mapping to industry standards.
  • specificComplianceMappings: A detailed array of objects for granular compliance evidence.
  • pseudocode: A platform-agnostic, simplified version of the detection query.
  • asipCode: The "AIUKEN SECURITY INTELLIGENCE PLATFORM" block. A detailed, five-step DSL-like representation of the entire detection and response logic, designed for clarity and easy translation. It includes steps for Data Source Definition, Filtering, Enrichment, Correlation, and Alerting. This is a critical field generated by the AI.
  • socDeploymentGuide, soarPlaybook: Practical implementation and response guides.
  • effectivenessScore, analystFeedback, etc.: Fields for tracking the use case's performance and lifecycle over time.

4. The AI Engine: Genkit Flows

All AI-powered features are driven by server-side Genkit flows. These flows define the prompts, tools, and structured outputs (using Zod schemas) that are sent to the Google Gemini models.
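As an added example (not SIEMplyfier's own code), the following TypeScript check validates a UseCase document built from a flow's structured output before it is written to `use_cases_library`, using the field names from section 3. The asipCode step-header wording, the MITRE technique-ID pattern and the sample document are assumptions constructed for this example.

```typescript
// Added example, not SIEMplyfier's own code: validate a UseCase document before it
// is written to the `use_cases_library` Firestore collection. Field names follow the
// manual; the asipCode step-header text and the MITRE ID pattern are assumptions.
export const ASIP_STEPS = [
  "Data Source Definition", "Filtering", "Enrichment", "Correlation", "Alerting",
] as const;
const REQUIRED_TEXT = [
  "useCaseName", "technicalDescription", "securityObjective", "detectionLogic", "asipCode",
] as const;
const MITRE_ID = /^T\d{4}(\.\d{3})?$/; // e.g. T1110 or T1110.001

// Returns the problems found; an empty list means the document may be stored.
export function validateUseCase(doc: Record<string, unknown>): string[] {
  const errors: string[] = [];
  for (const f of REQUIRED_TEXT) {
    const v = doc[f];
    if (typeof v !== "string" || v.trim() === "") errors.push(`${f}: missing or empty`);
  }
  const ids = doc.mitreAttackTechniques;
  if (!Array.isArray(ids) || ids.length === 0) {
    errors.push("mitreAttackTechniques: must be a non-empty array");
  } else {
    for (const id of ids) {
      if (typeof id !== "string" || !MITRE_ID.test(id)) errors.push(`mitreAttackTechniques: bad id ${id}`);
    }
  }
  const asip = doc.asipCode;
  if (typeof asip === "string") {
    let pos = 0; // all five ASIP steps must appear, in the documented order
    for (const step of ASIP_STEPS) {
      const i = asip.indexOf(step, pos);
      if (i < 0) { errors.push(`asipCode: step "${step}" missing or out of order`); continue; }
      pos = i + step.length;
    }
  }
  return errors;
}

// Constructed sample: model output that skipped the Correlation step.
export const SAMPLE_USE_CASE: Record<string, unknown> = {
  useCaseName: "Brute force against VPN portal",
  technicalDescription: "Many failed logins from one source within ten minutes.",
  securityObjective: "Catch credential guessing before an account is compromised.",
  detectionLogic: "Count authentication failures per source IP; alert above a threshold.",
  mitreAttackTechniques: ["T1110.001"],
  asipCode: "1. Data Source Definition: vpn_auth_logs\n2. Filtering: result == failure\n" +
    "3. Enrichment: geoip(src_ip)\n4. Alerting: severity = high",
};
```

Running the check in the flow before the Firestore write rejects incomplete model output instead of persisting it as detection logic.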

5. Practical Implementation Guide

6. Best Practices & Pitfalls

False Positive Management

A high volume of FPs leads to alert fatigue. Invest heavily in tuning. Maintain a well-documented and regularly reviewed exception/whitelist process.

SOC Analyst Training

The SOC team must understand what each alert means and how to respond. Playbooks should be clear, actionable, and regularly tested.

SIEM Performance Impact

Complex rules can degrade SIEM performance. Optimize queries, use lookup tables, and test rule performance before full production deployment.

Use Case Lifecycle

Treat use cases as living entities that require ongoing review, tuning, and updates to remain effective.

Threat Intelligence Alignment

Integrate threat intelligence into your development and review process. Map use cases to frameworks like MITRE ATT&CK®.

Stakeholder Communication

Regularly report on key metrics to communicate the value and effectiveness of your SIEM use case program to management.

© 2025 Nasser Oumer de Mora. All rights reserved.