Your questions about Prelude SIEM.

You will find below some questions that are regularly asked about Prelude SIEM.

Why not use the open-source version PRELUDE OSS?

Prelude OSS is built on the same basic principles as Prelude SIEM, centred on the IDMEF format, and part of the code base is common to both products. However, Prelude OSS is limited in performance and functionality compared to Prelude SIEM.

If you are in a non-critical environment, or if you only want to evaluate Prelude SIEM, you can deploy Prelude OSS, but keep in mind that it is much less powerful than Prelude SIEM.

Prelude OSS can also be a first step that you enrich later, either through our new "OSS Plugins" offer or directly by migrating from Prelude OSS to Prelude SIEM with our migration tools.

Why is Prelude SIEM "100% SIEM"?

A SIEM is composed of two distinct functions: a log management module and a real-time detection module. Beyond the definition, this distinction is essential for simple and effective security monitoring.

It may be tempting to settle for an "improved" log manager, especially since it often seems easier to set up during installation, but it will require more expertise from your teams, and often more time, to achieve what our real-time detection module provides.

Time and expertise are the two most expensive elements in operating a SIEM, much more expensive than software or the cost of installation and configuration.

We therefore insist on completeness, because it is essential to keeping your operating costs under control.

Why does Prelude SIEM not appear in the Gartner Magic Quadrant?

Every year, Gartner publishes a ranking of the main SIEMs on the US market, the "Magic Quadrant". Based on customer testimonials, but without testing the products, Gartner's analysts define benchmarks and assign ratings to each vendor that asked to take part in the study.

Given our positioning as an alternative to the "big four" of the US market, and our differentiators (modularity, adaptability, security, open standards, etc.) that do not appear in the Gartner grid, we have not yet decided to participate in this ranking, although Gartner has contacted us.

What are the alert formats used by other SIEMs?

Most of the so-called "traditional" SIEMs have defined their own proprietary alert format, often an extension of the syslog format carrying a set of key-value pairs. This is the case for ArcSight with the CEF format and for QRadar with the LEEF format.

Other tools, oriented towards log management, do not use a particular format, even though they too enrich the syslog format in their own way.

Since IDMEF is a very rich and structured format, it is broadly compatible with all of these competing formats. We provide several rule sets for transforming proprietary formats into IDMEF, which allow Prelude SIEM to "hypervise" other SIEMs.
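To make the difference between a flat key-value syslog extension and a structured alert concrete, here is an added example (not Prelude's own conversion rules, and not code from the Prelude project) that parses a CEF line according to the ArcSight header layout (`CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension`, with `\|` and `\=` escapes) and maps it onto a dictionary shaped like an IDMEF Alert (Analyzer, Classification, Assessment, Source, Target, AdditionalData, as named in RFC 4765). The sample CEF line and the severity mapping (CEF 0-3 to low, 4-6 to medium, 7-10 to high) are constructed for the illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: one CEF line with an escaped '=' inside the msg value.
SAMPLE_CEF = (
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232 dpt=445 proto=TCP msg=Detected a \\= in message"
)


def split_cef_header(line):
    """Return the 7 pipe-separated header fields and the raw extension.

    A backslash escapes the next character, so '\\|' inside a field does not
    terminate it (as the CEF specification requires for header fields).
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    body = line[4:]
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, body[i:]


def parse_extension(ext):
    """Parse 'key=value key=value' pairs; values may contain spaces.

    A new pair starts only where whitespace is followed by 'word='; the
    escaped sequences '\\=' and '\\\\' inside a value are unescaped.
    """
    pairs = {}
    for token in re.split(r"\s+(?=\w+=)", ext.strip()):
        key, _, value = token.partition("=")
        pairs[key] = re.sub(r"\\([\\=])", r"\1", value)
    return pairs


def cef_to_idmef(line, now=None):
    """Map one CEF line onto an IDMEF-like Alert dictionary (assumed mapping)."""
    header, ext_raw = split_cef_header(line)
    _cef_version, vendor, product, dev_version, sig_id, name, severity = header
    ext = parse_extension(ext_raw)

    sev = int(severity) if severity.isdigit() else 0
    impact = "low" if sev <= 3 else "medium" if sev <= 6 else "high"
    create_time = (now or datetime.now(timezone.utc)).isoformat()

    alert = {
        "Analyzer": {"manufacturer": vendor, "model": product, "version": dev_version},
        "CreateTime": create_time,
        "Classification": {
            "text": name,
            "Reference": [{"origin": "vendor-specific", "name": sig_id}],
        },
        "Assessment": {"Impact": {"severity": impact}},
        "Source": [],
        "Target": [],
        "AdditionalData": [],
    }
    consumed = set()
    # Source and Target get a Node/Address plus an optional Service, the
    # structured counterpart of the flat src/spt and dst/dpt keys.
    for side, addr_key, port_key in (("Source", "src", "spt"), ("Target", "dst", "dpt")):
        if addr_key in ext:
            entry = {"Node": {"Address": {"category": "ipv4-addr", "address": ext[addr_key]}}}
            if port_key in ext or "proto" in ext:
                entry["Service"] = {"port": ext.get(port_key), "protocol": ext.get("proto")}
            alert[side].append(entry)
            consumed.update({addr_key, port_key, "proto"})
    # Everything not mapped to a typed IDMEF element is kept as AdditionalData
    # so no information from the original line is lost.
    for key, value in ext.items():
        if key not in consumed:
            alert["AdditionalData"].append({"type": "string", "meaning": key, "value": value})
    return alert


if __name__ == "__main__":
    import json
    print(json.dumps(cef_to_idmef(SAMPLE_CEF), indent=2))
```

The point of the mapping is visible in the output: what CEF carries as loosely typed key-value pairs becomes addressable structure (a Source with a Node and a Service, a Classification with a vendor Reference), which is what correlation and filtering rules can reason about without re-parsing strings.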

How will the use of the IDMEF standard improve my SIEM deployment?

Prelude SIEM has implemented the IDMEF standard natively since its inception. While in IT it is always preferable in the medium and long term to choose open standards, this is not the only reason to be interested in the IDMEF format.

IDMEF is not only a standard; it is by far the most suitable format for managing XXX intrusion detection. Proprietary alternatives (ArcSight CEF, QRadar LEEF, etc.) are simple extensions of the syslog format, which by definition is a log format. The IDMEF format was designed from the start to describe intrusion detection events. It was defined by an IETF working group that worked on the subject for several years; that group included IBM, Boeing, Nokia, Cisco and ISS, as well as MIT and MITRE, and, already at the time, the Prelude team.

During the first phase of the SECEF (SECurity Exchange Format) project, IDMEF was compared with its main competitors, including the CEF and LEEF formats. The result was unequivocal: the IDMEF format is much richer and better structured than its competitors.

For Prelude SIEM users, this means processing can be automated further (correlation, filtering, etc.). It also gives operators more information and context for making quick decisions. All of these advantages improve day-to-day operation of the product while reducing costs.

What is the relationship between IDMEF and the STIX standard?

The main function of the STIX standard is the description of cyber threat intelligence (CTI) so that it can be shared, stored and analysed. STIX is not a competitor of IDMEF; it is a complementary format for managing CTI. Prelude SIEM supports this format in its CTI module.

If you have not found the answer to your questions, do not hesitate to contact us!