The OpenSearch fork
After Elastic’s licence change in January 2021, Amazon Web Services announced the OpenSearch fork, based on the last Apache 2.0 releases of Elasticsearch 7.10 and Kibana 7.10. The first stable release, OpenSearch 1.0, is dated 12 July 2021; it is licensed under Apache 2.0 and governed by a community foundation (from 2024 the OpenSearch Software Foundation under the Linux Foundation).
The fork inherits many features from Open Distro for Elasticsearch and adds new plugins developed by the community and AWS.
Security Analytics plugin
On 15 November 2022 OpenSearch 2.4 was released, introducing the Security Analytics plugin: a native SIEM solution for OpenSearch with a detection-as-code approach.
Initial version features:
- Detectors — logical entities ingesting logs from a specific domain (network, DNS, Windows, Linux, AD, AWS CloudTrail, Azure, GCP, GitHub)
- Sigma rules — native support for the Sigma format, an open standard for SIEM rules
- Findings — rule results with context, severity and timestamp
- Alerts — escalation of findings through the Alerting plugin
- Rule editor — rule creation and editing via OpenSearch Dashboards UI
Correlation engine (OpenSearch 2.7)
In May 2023, with OpenSearch 2.7, a correlation engine was added, enabling:
- Correlation rules — links between findings across different detectors
- Threat intelligence feed — integration with STIX/TAXII and commercial feeds
- Finding graph — visualisation of relationships between events
- Campaign detection — aggregation of related findings
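The correlation steps listed above (a correlation rule joining findings from two detectors, the finding graph, and campaign detection as aggregation of linked findings) as an added, self-contained example. This is not the OpenSearch correlation engine's code and the rule format (`legs`, `window`) is a simplification invented for the illustration; the findings, hostnames and rule names are constructed.

```python
"""Added example, not the OpenSearch correlation engine's own code: join findings from
different detectors on a shared field value within a time window, build the finding graph,
and group connected findings into campaigns."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed findings as detectors would emit them; ids and hostnames are placeholders.
FINDINGS = [
    {"id": "f1", "detector": "windows", "rule": "Encoded PowerShell command line",
     "timestamp": "2024-03-01T08:00:10Z", "fields": {"HostName": "ws-017"}},
    {"id": "f2", "detector": "network", "rule": "Outbound connection to rare port",
     "timestamp": "2024-03-01T08:02:40Z", "fields": {"src_host": "ws-017"}},
    {"id": "f3", "detector": "dns", "rule": "Unusually long DNS query name",
     "timestamp": "2024-03-01T08:03:05Z", "fields": {"client_host": "ws-017"}},
    {"id": "f4", "detector": "network", "rule": "Outbound connection to rare port",
     "timestamp": "2024-03-01T11:00:00Z", "fields": {"src_host": "ws-017"}},   # hours later: outside window
    {"id": "f5", "detector": "windows", "rule": "Encoded PowerShell command line",
     "timestamp": "2024-03-01T08:01:00Z", "fields": {"HostName": "ws-042"}},   # no second-leg finding
]

# Simplified correlation rules (hypothetical format): two legs, each a (detector, join field)
# pair, plus the maximum time distance between the two findings.
CORRELATION_RULES = [
    {"name": "powershell then network", "window": timedelta(minutes=5),
     "legs": [("windows", "HostName"), ("network", "src_host")]},
    {"name": "network then dns", "window": timedelta(minutes=5),
     "legs": [("network", "src_host"), ("dns", "client_host")]},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate(findings, rules):
    """Return (id_a, id_b, rule_name) edges for each pair of findings that satisfies a rule:
    one finding per leg, equal join-field values, timestamps within the window."""
    edges = []
    for rule in rules:
        (det_a, field_a), (det_b, field_b) = rule["legs"]
        by_value = defaultdict(list)                      # join value -> [(leg, finding)]
        for f in findings:
            if f["detector"] == det_a and field_a in f["fields"]:
                by_value[f["fields"][field_a]].append(("a", f))
            elif f["detector"] == det_b and field_b in f["fields"]:
                by_value[f["fields"][field_b]].append(("b", f))
        for bucket in by_value.values():
            for a in [f for leg, f in bucket if leg == "a"]:
                for b in [f for leg, f in bucket if leg == "b"]:
                    if abs(_ts(a["timestamp"]) - _ts(b["timestamp"])) <= rule["window"]:
                        edges.append((a["id"], b["id"], rule["name"]))
    return edges

def finding_graph(findings, edges):
    """Undirected adjacency map: every finding is a node, every correlation an edge."""
    adj = {f["id"]: set() for f in findings}
    for a, b, _ in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def campaigns(findings, edges, min_size=2):
    """Connected components of the finding graph; singletons are dropped unless min_size is 1."""
    adj = finding_graph(findings, edges)
    seen, groups = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:                                      # iterative DFS over the component
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj[n] - comp)
        seen |= comp
        if len(comp) >= min_size:
            groups.append(sorted(comp))
    return groups
```

With the constructed data, `correlate` links f1 to f2 and f2 to f3 (same host, minutes apart), leaves f4 out because it falls outside the five-minute window, and leaves f5 alone because no network finding shares its host; `campaigns` then reports the single chain f1, f2, f3. Two rules can chain through a shared finding (f2 here) without either rule knowing about the other, which is what turns pairwise correlations into a campaign view.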
Licence and governance
- OpenSearch — Apache 2.0 (OSI-approved)
- Security Analytics plugin — Apache 2.0
- Governance — from September 2024 under OpenSearch Software Foundation, part of Linux Foundation, with corporate contributors (AWS, Uber, SAP, Canonical, Aiven, ByteDance, Oracle, Atlassian)
This approach removes the licensing concerns affecting Elasticsearch post-2021.
Sigma integration
Sigma is a YAML-based, backend-agnostic standard for SIEM rules. Security Analytics can import Sigma rules and translate them into OpenSearch queries. The Sigma project publishes community rules (github.com/SigmaHQ/sigma) covering MITRE ATT&CK techniques for Windows, Linux, network and cloud.
This makes OpenSearch Security Analytics interoperable with the modern detection engineering ecosystem.
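To make the Sigma-to-query translation and the detector/finding pipeline from the sections above concrete, here is an added example written for this page. It is not the Security Analytics plugin's translator and not the pySigma library: it handles a deliberate subset of Sigma (the `contains`, `startswith`, `endswith` modifiers and `and`/`or`/`not` conditions), emits the `term`, `wildcard` and `bool` queries of the OpenSearch query DSL, and then evaluates that same query locally over constructed Sysmon-style events so it runs offline. The rule, field names and events are constructed; `case_insensitive` is a real option of the `term` and `wildcard` queries and reproduces Sigma's case-insensitive matching.

```python
"""Added example, not the Security Analytics plugin's own translator and not pySigma:
turn one Sigma rule into an OpenSearch query DSL body, then evaluate that same query
over constructed process-creation events the way a detector would, yielding findings."""
import re

# Constructed Sigma rule, written as the dict a YAML loader returns for the rule file.
SIGMA_RULE = {
    "title": "Encoded PowerShell command line",
    "level": "high",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe", "CommandLine|contains": "-enc"},
        "filter": {"User|startswith": "SVC_"},
        "condition": "selection and not filter",
    },
}
_MODIFIERS = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}

def _escape(v):
    # \ * ? are metacharacters in an OpenSearch wildcard query; quote them in literal text
    return re.sub(r"([\\*?])", r"\\\1", v)

def selection_to_leaves(selection):
    """One Sigma selection map -> list of OpenSearch leaf queries (ANDed by the caller)."""
    leaves = []
    for key, value in selection.items():
        field, _, mod = key.partition("|")
        if mod == "":                                # plain value: exact keyword match
            leaves.append({"term": {field: {"value": str(value), "case_insensitive": True}}})
        elif mod in _MODIFIERS:
            pattern = _MODIFIERS[mod].format(_escape(str(value)))
            leaves.append({"wildcard": {field: {"value": pattern, "case_insensitive": True}}})
        else:
            raise ValueError(f"unsupported Sigma modifier: {mod}")
    return leaves

class _Condition:
    """Parser for the and/or/not subset of Sigma conditions (no parentheses, '1 of', aggregations)."""
    def __init__(self, text, selections):
        self.toks, self.pos, self.sel = text.split(), 0, selections
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _take(self):
        self.pos += 1
        return self.toks[self.pos - 1]
    def expr(self):                                  # expr := term ('or' term)*
        parts = [self.term()]
        while self._peek() == "or":
            self._take(); parts.append(self.term())
        return parts[0] if len(parts) == 1 else {"bool": {"should": parts, "minimum_should_match": 1}}
    def term(self):                                  # term := factor ('and' factor)*
        parts = [self.factor()]
        while self._peek() == "and":
            self._take(); parts.append(self.factor())
        return parts[0] if len(parts) == 1 else {"bool": {"must": parts}}
    def factor(self):                                # factor := 'not' factor | selection name
        tok = self._take()
        if tok == "not":
            return {"bool": {"must_not": [self.factor()]}}
        if tok not in self.sel:
            raise ValueError(f"unknown selection in condition: {tok}")
        return {"bool": {"must": selection_to_leaves(self.sel[tok])}}

def sigma_to_opensearch(rule):
    """Return a request body for the OpenSearch _search API."""
    det = rule["detection"]
    return {"query": _Condition(det["condition"], {k: v for k, v in det.items() if k != "condition"}).expr()}

def _wildcard_re(pattern):
    # same semantics as the OpenSearch wildcard query: \ quotes, * any run, ? one char
    out, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out, i = out + re.escape(pattern[i + 1]), i + 2
        else:
            out, i = out + {"*": ".*", "?": "."}.get(c, re.escape(c)), i + 1
    return re.compile(f"^{out}$", re.IGNORECASE | re.DOTALL)

def matches(query, event):
    # local stand-in for _search: evaluates the DSL subset emitted above on one flat event
    (kind, body), = query.items()
    if kind == "bool":
        return (all(matches(q, event) for q in body.get("must", []))
                and not any(matches(q, event) for q in body.get("must_not", []))
                and ("should" not in body or any(matches(q, event) for q in body["should"])))
    (field, spec), = body.items()
    if field not in event:
        return False
    if kind == "term":
        return str(event[field]).lower() == spec["value"].lower()
    return _wildcard_re(spec["value"]).match(str(event[field])) is not None

# Constructed Sysmon-style events: only EventID 1 should match; 3 is excluded by the filter
EVENTS = [
    {"@timestamp": "2024-03-01T08:00:10Z", "EventID": 1, "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoP -enc AAAA"},
    {"@timestamp": "2024-03-01T08:00:12Z", "EventID": 3, "User": "SVC_backup",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -EncodedCommand AAAA"},
    {"@timestamp": "2024-03-01T08:00:13Z", "EventID": 4, "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File nightly.ps1"},
]

def run_detector(rule, events):
    """What a detector does per rule: run the translated query, wrap each hit as a finding."""
    query = sigma_to_opensearch(rule)["query"]
    return [{"rule": rule["title"], "severity": rule["level"],
             "timestamp": ev["@timestamp"], "event_id": ev["EventID"]}
            for ev in events if matches(query, ev)]
```

`sigma_to_opensearch(SIGMA_RULE)` yields a `bool` query whose `must` holds the selection leaves and a nested `must_not` for the filter, i.e. the `condition` line decides the boolean shape and each selection map becomes leaf queries. Note the backslash handling: the Sigma value `\powershell.exe` has to reach OpenSearch as `*\\powershell.exe`, otherwise the wildcard query reads the backslash as an escape character; that is the kind of detail a translator gets wrong silently, and the local evaluator exists so the rule can be tested against known-good and known-bad events before it goes into a detector.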
Adoption
- Cloud providers — AWS OpenSearch Service with Security Analytics preconfigured
- Companies with OSI licence constraints — alternative to Elastic Security
- European operators — scenarios with data sovereignty and self-hosted SIEM
- Integration with existing OpenSearch — security extension of clusters already in use for logs and observability
In the Italian context
OpenSearch Security Analytics is chosen by public administrations, telcos and MSSPs that prefer OSI-approved licences and want a SIEM on self-hosted or sovereign cloud infrastructure. The availability of community Sigma rules reduces the initial detection engineering effort, leaving room for context-specific tuning.
References: OpenSearch Security Analytics (OpenSearch 2.4, 15 November 2022). Correlation engine (OpenSearch 2.7, May 2023). OpenSearch fork started by AWS on 12 April 2021; OpenSearch 1.0 released 12 July 2021. Apache 2.0 licence. Governance: OpenSearch Software Foundation (Linux Foundation, 2024). Website: https://opensearch.org