Any Sigmac mapping for product supporting TCP JSON stream

[Tomasuh]

Hi,

We are currently receiving our log as JSON over a TCP stream.

From what I've seen there is no sigmac mapping for a product handling streamed JSON data without writing the log to disk?

I realize this might be slightly off topic to the project but I'm guessing we are not the only one with this use-case and I would appreciate a discussion with possible design-suggestions.

I've found https://github.com/markuskont/go-sigma-rule-engine but it seems to be very early in its development/extent of support for the sigma language.

[Tomasuh]

We probably end up writing a Kafka converter for sigmac.

An alternative path we tried was to create a custom engine in memory but only handling an eps of 500 for around 100 rules over 20 cores are way to slow and we even had to disable free text searches to reach that speed.
Still experimenting on this approach but using Kafka seems like the reasonable choice.