Add SQL query support to LogExplorer via OpenSearch #1408

@elmilan06

Description

Describe the feature

Enhance the existing LogExplorer module in the SIEM platform by adding support for SQL-based querying over OpenSearch indices. This feature introduces a new component that allows users to write and execute SQL queries, offering a more flexible and familiar way to interact with log data.

Currently, LogExplorer supports native OpenSearch queries. With this enhancement, users will be able to use SQL syntax to perform advanced searches, aggregations, and correlations directly from the SIEM interface.

Use Case

Security Analysts can use SQL to perform complex queries across multiple indices using JOINs, GROUP BY, and WHERE clauses.

Threat Hunters can build reusable SQL queries to detect patterns and anomalies in log data.

Compliance Officers can generate structured reports using SQL for audits and regulatory requirements.

Developers and Engineers can integrate SQL queries into automation pipelines or dashboards.

Proposed Solution

Frontend Component: Develop a new SQL Query Panel within LogExplorer that includes:
- SQL syntax highlighting and autocomplete
- Query validation and error handling

Backend Endpoint: Implement a dedicated API endpoint to receive SQL queries from the frontend, validate them, and route them to OpenSearch.

OpenSearch Connector Extension: Extend the existing OpenSearch connector used by the platform to support SQL query execution via OpenSearch’s SQL plugin. This includes:
- Handling query translation and response formatting
- Supporting pagination and performance optimization
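A sketch of the policy gate and request shape such a backend endpoint could use, written here as an added example (not code from this issue or the project). It assumes the OpenSearch SQL plugin's `_plugins/_sql` endpoint with `fetch_size`/`cursor` paging and `_plugins/_sql/close` for cursor release, and uses a constructed index-prefix allowlist.

```python
import re

# Constructed policy values for this example; a real deployment would load them
# from the platform's configuration and the caller's authorisation context.
ALLOWED_INDEX_PREFIXES = ("logs-", "wazuh-alerts-")
MAX_QUERY_LEN = 4000
MAX_FETCH_SIZE = 1000
SQL_PATH = "/_plugins/_sql?format=json"  # OpenSearch SQL plugin endpoint
# Index names/patterns named after FROM or JOIN (a coarse gate, not a SQL parser)
_SOURCE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z0-9_\-.*]+)", re.IGNORECASE)


class SqlValidationError(ValueError):
    """Query rejected by the read-only, single-statement, approved-index policy."""


def validate_sql(sql: str) -> str:
    """Return the normalised query or raise SqlValidationError. The analyst writes
    the whole statement and it is passed through to OpenSearch, so the backend's
    job is policy enforcement: one SELECT over indices the user may read."""
    query = sql.strip().rstrip(";").strip()
    if not query or len(query) > MAX_QUERY_LEN:
        raise SqlValidationError("empty or oversized query")
    if ";" in query or "--" in query or "/*" in query:
        raise SqlValidationError("multiple statements or comments are not allowed")
    if not re.match(r"SELECT\b", query, re.IGNORECASE):
        raise SqlValidationError("only SELECT statements are allowed")
    sources = _SOURCE_RE.findall(query)
    if not sources:
        raise SqlValidationError("query must name at least one index")
    for source in sources:
        if not source.startswith(ALLOWED_INDEX_PREFIXES):
            raise SqlValidationError(f"index not permitted: {source}")
    return query


def build_sql_request(sql: str, fetch_size: int = 200, cursor: str = ""):
    """Build (path, json_body) for the SQL plugin, paging with fetch_size/cursor."""
    if cursor:  # follow-up page: the plugin expects only the cursor token
        return SQL_PATH, {"cursor": cursor}
    query = validate_sql(sql)
    size = max(1, min(int(fetch_size), MAX_FETCH_SIZE))  # cap page size server-side
    return SQL_PATH, {"query": query, "fetch_size": size}


def close_cursor_request(cursor: str):
    """Release server-side cursor state once the client stops paging."""
    return "/_plugins/_sql/close", {"cursor": cursor}
```

The source regex errs on the side of rejection (a `FROM` inside a string literal is also checked against the allowlist), which is the right default for a passthrough endpoint.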

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

Metadata

Assignees

Labels

No labels

Projects

Status

✅ Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
