What is SAVANT?
SAVANT is our Security Information and Event Management (SIEM) system, built on the Elastic Stack. It collects log, audit, traffic, metric and other data in one central place for security analytics. Its front end, Kibana, is an open source analytics and visualisation platform designed to work with Elasticsearch: it is used to search, view and interact with data stored in Elasticsearch indices, to perform advanced analysis of that data, and to visualise the results as graphs, tables and maps.
Its simple, browser-based interface lets users view dynamic dashboards that update in real time as the results of the underlying Elasticsearch queries change. A SAVANT dashboard is a collection of visualisations and searches that can be tailored to a unit's requirements. Every public interface has been designed with scalability in mind, so that the service can grow without forcing changes on existing users.
SAVANT is provided to the University as two components:
- A data processing pipeline using Logstash to ingest, transform and enrich data from a variety of sources such as Beats, Syslog and NetStream;
- Data analysis, visualisation and reporting using Kibana and the Elasticsearch API. Data access is managed by the University Single Sign-On (SSO).
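The following Logstash pipeline is an added illustration of the ingest component described above; it is not SAVANT's own configuration. It accepts events from Beats over TLS and from a plain syslog listener, extracts the outcome of SSH password authentication from sshd messages, enriches the source address with GeoIP data, and writes the result to daily Elasticsearch indices. The hostname, certificate paths, index prefix and the ES_USER/ES_PASSWORD environment variables are placeholders.

```conf
# Added example pipeline, not the SAVANT configuration. Hostnames, certificate
# paths, index names and credential variables are placeholders.
input {
  # Beats (Filebeat, Winlogbeat, ...) shipping over TLS. Preferred path: the
  # transport is encrypted and the shipper can be authenticated.
  beats {
    port            => 5044
    ssl             => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key         => "/etc/logstash/certs/logstash.key"
  }
  # Legacy devices (firewalls, switches) that can only send plain syslog.
  # This listener is unauthenticated; restrict the source addresses at the
  # host firewall and prefer Beats wherever the device supports an agent.
  syslog {
    port => 5514
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    # sshd lines look like:
    #   Failed password for invalid user bob from 203.0.113.5 port 51234 ssh2
    #   Accepted password for alice from 198.51.100.7 port 40022 ssh2
    # Capture the outcome, the user and the client address; leave other
    # syslog messages untouched rather than tagging them as failures.
    grok {
      match => { "message" => "%{WORD:ssh_result} password for (invalid user )?%{USERNAME:ssh_user} from %{IP:src_ip} port %{INT:src_port}" }
      tag_on_failure => []
    }
  }
  # Enrich any event that carries a source IP with geolocation so that
  # Kibana map visualisations and "login from unexpected country" searches
  # have something to work with.
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "src_geo"
    }
  }
}

output {
  elasticsearch {
    hosts    => ["https://elasticsearch.example.ac.uk:9200"]
    index    => "savant-%{type}-%{+YYYY.MM.dd}"
    # Credentials come from the environment / keystore, never from the file.
    user     => "${ES_USER}"
    password => "${ES_PASSWORD}"
    # Keep certificate verification on; disabling it silently allows a
    # man-in-the-middle to read or alter every event shipped.
    ssl_certificate_verification => true
  }
}
```

Two points worth checking before running something like this in production: the grok pattern is deliberately narrow, so events that do not match pass through unchanged (tag_on_failure is emptied to avoid flooding every non-sshd line with a _grokparsefailure tag), and the per-day index naming keeps retention and access control simple when individual units only need to see their own data.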
How to gain access to SAVANT
SAVANT is open to anyone in the University who wishes to contribute data and use the features of the Elastic Stack without having to host it themselves. While the service is still in development, we are granting access to teams who can actively contribute log data (e.g. firewall or server logs). Access to SAVANT is managed by the Oxford Single Sign-On.
If you would like to gain access, or need existing access to be amended, please contact oxcert@infosec.ox.ac.uk or 01865 (2)82222 and provide the following information:
- SSO usernames and email addresses of those who require access.
- The department or college affiliation of those who require access.
- What data you require access to (e.g. vulnerability scanning reports, baseline reports).
Further guidance and information on SAVANT