Live · 4M+ events/sec ingested · v2.4.1 released 3 days ago

The SIEM that
sees the attack
before it lands.

Community-built. Production-hardened. Ingests 4M events/sec, correlates lateral movement chains in real time, and surfaces what commercial SIEMs bury in noise — without the six-figure invoice.

sentinel-dashboard · live
INGESTING 4,182,344 events · Log Stream 4,182,344/s
20:35:36 INFO auth.success user=jsmith service=vpn
20:35:36 WARN port.scan detected ports=22,80,443,8080
20:35:37 INFO dns.query domain=api.internal.corp
20:35:37 CRIT lateral.move SMB→DC01 hash=a7f3c2d1
20:35:37 INFO process.create chrome.exe ppid=explorer
20:35:38 WARN login.fail attempts=5 user=admin
20:35:38 CRIT mimikatz.sig LSASS dump detected
20:35:38 INFO file.write C:\Users\jsmith\report.pdf
20:35:39 WARN net.connect beaconing→185.220.101.45
20:35:39 CRIT c2.traffic encrypted beacon interval=30s
20:35:39 INFO k8s.deploy sentinel-agent v2.4.1
20:35:40 INFO auth.success user=mkumar service=ssh
Correlation Engine · Active Chain: LATERAL MOVEMENT DETECTED
EP-017 (Endpoint) → DC-01 (Domain Controller) → C2 (External C2)
Pass-the-Hash (T1550.002) → LSASS Dump → C2 Beacon (T1071.001)
Severity Heatmap · Last 24h · 6h intervals (00:00 · 06:00 · 12:00 · 18:00 · now)
Events / sec: 4.1M (+2.3%)
Active Rules: 383 (+4 today)
Open Incidents: 7 (2 critical)
Endpoints: 1,247 (all healthy)
CRITICAL · RULE FIRED · just now
lateral-movement-chain-v3
EP-017 → DC-01 via Pass-the-Hash + LSASS dump → C2 beacon detected
T1550.002 · T1071.001
Kafka · connected · Elasticsearch · healthy · Redis · 87% memory
sentinel-core · 2026-02-27 20:35:36 UTC

By the numbers

Built for production.
Not for demos.

4M+ events/sec
Peak Ingestion
Kafka-backed pipeline, zero data loss
380+
Detection Rules
Community-maintained, MITRE-mapped
~4 min
Time to Deploy
Docker one-liner. No license key.
$0
License Cost
Apache 2.0. Fork it. Ship it.

Capability

From log chaos
to attack chain
in milliseconds.

Sentinel's correlation engine doesn't just alert — it reconstructs the full attack narrative. SOC analysts see the complete kill chain, not 847 individual alerts.

94% noise reduction in production

Four layers.
One attack chain.

Sentinel's pipeline transforms millions of raw log lines into a single, actionable incident — without losing the evidence trail.

01

Ingest & Normalize

Kafka topics receive logs from every source. Parsing pipelines normalize them to the Elastic Common Schema (ECS) in real time, so every later stage works against the same field names regardless of the original log format.

02

Enrich & Contextualize

IOC matching, geo-lookup, asset inventory join, and threat intel enrichment happen at ingestion time.

03

Correlate Across Time

Sliding-window correlation engine links signals across 24-hour windows. Temporal context surfaces kill chains.

04

Fire & Respond

Rule matches trigger alerts with full context. Playbooks auto-respond. Analysts see signal, not noise.

Core Engine

Multi-stage Correlation

Chain low-fidelity signals across time windows into high-confidence attack narratives. Reduce alert volume by 94%.

Intelligence

MITRE ATT&CK Mapping

Every detection rule tagged to ATT&CK tactics and techniques. Navigator export in one click.

DevSecOps

Detection-as-Code

Write Sigma rules in YAML, test in CI, deploy via GitOps. Your detections live in version control.
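What a detection-as-code test gate can look like, as an added example rather than Sentinel's own test framework: a Sigma-style rule for suspicious LSASS process access, written here as the Python dict that yaml.safe_load would return from the rule file (so the example runs without PyYAML), a minimal evaluator for the Sigma features that rule uses, and constructed positive and negative events the rule must get right before it is merged. The rule, the file name, the sample events and the evaluator's subset of Sigma are assumptions; the tag attack.t1003.001 is a real ATT&CK technique ID.

```python
"""Detection-as-code: evaluate a Sigma-style rule against sample events in CI.
Added example, not Sentinel's code. Implements only the Sigma features the rule
uses: fields ANDed within a block, list values ORed, the contains / startswith /
endswith modifiers, and the conditions "<block>" and "<block> and not <block>"."""
from __future__ import annotations

import copy

# Equivalent to what yaml.safe_load() would return for a hypothetical
# rules/lsass_memory_access.yml (constructed for this example).
LSASS_RULE = {
    "title": "Suspicious LSASS Process Access",
    "tags": ["attack.credential_access", "attack.t1003.001"],
    "logsource": {"product": "windows", "category": "process_access"},
    "detection": {
        "selection": {
            "TargetImage|endswith": r"\lsass.exe",
            "GrantedAccess|contains": ["0x1010", "0x1410", "0x1fffff"],
        },
        "filter": {
            "SourceImage|startswith": r"C:\Program Files\Windows Defender",
        },
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed CI cases that ship beside the rule: must the rule fire on this event?
TEST_CASES = [
    {"name": "mimikatz-style access from powershell", "expected": True,
     "event": {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}},
    {"name": "Defender engine is allow-listed", "expected": False,
     "event": {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
               "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"}},
    {"name": "benign access mask", "expected": False,
     "event": {"SourceImage": r"C:\Windows\System32\svchost.exe",
               "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"}},
    {"name": "different target process", "expected": False,
     "event": {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010"}},
]


def _match_field(event: dict, key: str, expected) -> bool:
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False  # a mistyped field name never matches; only a positive sample reveals it
    actual = str(actual).lower()  # Sigma string matching is case-insensitive
    values = expected if isinstance(expected, list) else [expected]
    for v in (str(v).lower() for v in values):
        if modifier == "" and actual == v:
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "startswith" and actual.startswith(v):
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
    return False


def _match_block(event: dict, block: dict) -> bool:
    return all(_match_field(event, k, v) for k, v in block.items())


def evaluate(rule: dict, event: dict) -> bool:
    """True when the rule's condition holds for the event."""
    det = rule["detection"]
    cond = det["condition"]
    if " and not " in cond:
        keep, drop = cond.split(" and not ", 1)
        return _match_block(event, det[keep]) and not _match_block(event, det[drop])
    return _match_block(event, det[cond])


def run_rule_tests(rule: dict, cases: list[dict]) -> list[str]:
    """One failure line per mismatching case; an empty list means safe to merge."""
    return [f"{rule['title']}: '{c['name']}' expected {c['expected']}"
            for c in cases if evaluate(rule, c["event"]) != c["expected"]]


def broken_copy(rule: dict) -> dict:
    """The failure mode CI exists for: a typo in a field name makes a rule silent."""
    bad = copy.deepcopy(rule)
    sel = bad["detection"]["selection"]
    sel["TargetImag|endswith"] = sel.pop("TargetImage|endswith")
    return bad


if __name__ == "__main__":
    import sys
    failures = run_rule_tests(LSASS_RULE, TEST_CASES)
    print("\n".join(failures) or f"{LSASS_RULE['title']}: all {len(TEST_CASES)} cases passed")
    print("broken copy rejected with:", run_rule_tests(broken_copy(LSASS_RULE), TEST_CASES))
    sys.exit(1 if failures else 0)
```

The exit status is what the CI job keys on: one mismatched case fails the pipeline and the rule never reaches production. The broken copy shows why every rule needs at least one positive sample: a misspelled field name does not raise an error, it just makes the rule fire on nothing, and only a sample that is supposed to match can expose that.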

Automation

Automated Playbooks

Trigger Jira tickets, PagerDuty pages, or custom webhooks the moment a rule fires. Zero manual triage.

Integrations

Cloud-Native Ingestion

Native connectors for AWS CloudTrail, GCP Audit Logs, Microsoft Sentinel (formerly Azure Sentinel), Kubernetes audit, and 40+ sources.

Enrichment

Threat Intelligence Feeds

Enrich detections with AlienVault OTX, Abuse.ch, and custom STIX/TAXII feeds. IOC matching at ingestion time.

Community

Built by SOC analysts,
for SOC analysts.

Every detection rule comes from someone who was paged at 3am because of it. This is security software written by the people who use it.

12,441 GitHub Stars
347 Contributors
1,892 Forks
383 Detection Rules

347 contributors and counting

"We replaced a $340k/year Splunk contract with Sentinel in six weeks. Detection coverage went up. Alert fatigue went down. My team actually sleeps now."
Marcus Webb, Head of Security Operations · Lattice Systems

"The detection-as-code workflow is what sold me. We test Sigma rules in CI before they ever hit production. No more 3am pages from a broken rule."
Priya Nambiar, Principal DevSecOps Engineer · Cloudvault Inc.

"As a 12-person startup, we needed enterprise-grade SIEM. Sentinel gave us MITRE coverage, cloud log ingestion, and a correlation engine in one afternoon."
Jordan Osei, CISO · Meridian Health AI

Zero Friction Deploy

No form. No sales call.
Just a running SIEM.

Pick your deployment method. Copy the command. You'll have Sentinel ingesting logs before your next coffee.

Docker

Fastest

One command. Full stack. Elasticsearch, Kibana, and Sentinel correlation engine — all wired up.

docker run -d -p 5601:5601 -p 9200:9200 \
  ghcr.io/sentinel-siem/sentinel:latest
No config needed · Persistent volumes optional · ARM64 + AMD64
As written, the command publishes Kibana (5601) and Elasticsearch (9200) on every interface of the host. Unless the image enforces authentication out of the box, bind both ports to loopback instead (-p 127.0.0.1:5601:5601 -p 127.0.0.1:9200:9200) or restrict them with a host firewall before pointing real log sources at it, and mount a persistent volume if the index needs to survive the container being replaced.
Deploy time
~4 minutes

Helm Chart

Production

Production-ready Kubernetes deployment with HPA, PodDisruptionBudgets, and RBAC pre-configured.

helm repo add sentinel https://charts.sentinel.dev
helm install sentinel sentinel/sentinel \
  --namespace security --create-namespace
HA by default · Prometheus metrics · GitOps ready
Deploy time
~9 minutes

Cloud Hosted

Zero Ops

Sentinel-managed infrastructure. We handle upgrades, backups, and scaling. You handle detections.

sentinel cloud init --provider aws \
  --region us-east-1 --tier starter
Managed upgrades · 99.9% SLA · Free 14-day trial
Deploy time
~6 minutes

Minimum Requirements

CPU: 4 cores
RAM: 8 GB
Storage: 50 GB SSD
Docker: 20.10+

Momentum

Shipping fast.
Community decides what's next.

Release Cadence

v2.2.0 · Shipped Nov 2025 · Correlation Engine v2
Sliding-window correlation · MITRE ATT&CK auto-tagging · Sigma rule hot-reload
v2.3.0 · Shipped Jan 2026 · Cloud Connectors
AWS CloudTrail native · GCP Audit Logs · Azure Sentinel bridge
v2.4.1 · Current, Feb 2026 · Detection-as-Code
CI/CD pipeline integration · Sigma YAML testing framework · Rule coverage dashboard
v2.5.0 · Upcoming, Q2 2026 · AI Triage Assistant
LLM-powered alert summarization · False positive auto-suppression · Natural language rule builder
v3.0.0 · Planned, Q3 2026 · Distributed Mesh
Multi-region correlation · Edge sensor deployment · Federated threat sharing

Community Votes

Auth · Okta/SAML SSO integration · 847 votes
UX · Graph-based threat visualization · 623 votes
Integration · ServiceNow ITSM integration · 541 votes
Collab · Real-time collaboration on incidents · 489 votes
AI · Automated threat hunting queries · 412 votes
Submit a feature request

The terminal is waiting.
Your first detection fires in 9 minutes.

No form. No sales call. No license key. Just a running SIEM that actually correlates attacks.

$ docker run -d -p 5601:5601 ghcr.io/sentinel-siem/sentinel:latest