
From Logs to Answers: A Practical SIEM Copilot

Hosted By
Alice R. and David N.

Details

Join us for an Apache Kafka® meetup on Wednesday, October 1st from 6:00pm in Lisbon hosted by Marionete!

📍Venue:
Marionete
Praça Duque de Saldanha, Atrium, 9D
You can come into the offices through one of the two side streets:
Av. Casal Ribeiro 63, Atrium, Lisboa, Portugal
Avenida Fontes Pereira de Melo, Atrium, Lisboa, Portugal

If you cannot attend, please change your RSVP so someone else can join! Thank you!

🗓 Agenda:

  • 6:00pm: Doors open
  • 6:00pm - 6:30pm: Food, Drinks & Networking
  • 6:30pm - 7:15pm: Gonçalo Valente, Lead MLOps, Marionete
  • 7:15pm - 8:00pm: Additional Q&A & Networking

💡 Speaker:
Gonçalo Valente, Lead MLOps, Marionete

Title of Talk:
From Logs to Answers: A Practical SIEM Copilot with Confluent Kafka, Vector Search & LLMs

Abstract:
Security teams drown in logs and still miss what matters. In this session I’ll show a compact, production-minded pattern for turning raw SIEM events into concise, explainable answers—using Confluent Kafka (KRaft) for transport, a lightweight vector store for retrieval, and LLMs (Azure OpenAI) for summarization. It’s an end-to-end demo you can run in Docker: a Kafka topic receives SIEM-like events; a consumer normalizes, fingerprints, and batches them for embeddings; vectors land in Chroma; and a tiny API/app lets you ask “Were there any noteworthy incidents in the last 48 hours?” and returns an answer with highlights and sources.
I’ll cover the practical bits that make this usable beyond a toy:

  • Stream design: schema-lite normalization for common SIEM sources; deduping via content fingerprints; handling late/duplicate data.
  • Ops & cost controls: batching, backpressure, idempotent upserts, and safe defaults for embedding/chat usage.
  • Security & hygiene: basic PII redaction patterns and metadata-driven retention.
  • Developer experience: one-command Docker startup, Kafka UI for visibility, synthetic event producer for repeatable demos.
  • Adaptation path: where Confluent components like Schema Registry, RBAC, Connect, and ksqlDB slot in as you harden the PoC.
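As an added example (not code from the talk, from Marionete, or from the demo repository), the Python below is an offline stand-in for the consumer stage the bullets above describe: schema-lite normalization of two hypothetical source formats, pseudonymising redaction of e-mail addresses and phone numbers, a content fingerprint used both for deduping redelivered or late events and as the idempotent upsert key, per-source retention written into metadata, batching, and a time-window filter for a "last 48 hours" style question. The event formats, field names, retention values, salt and the in-memory store standing in for a Chroma collection are all assumptions; the Kafka consumer and Chroma client are left out so the file runs with the standard library only.

```python
"""Added example: normalize, redact, fingerprint and idempotently upsert SIEM-like events.

Offline stand-in for the Kafka-consumer -> Chroma stage of a SIEM copilot pipeline.
Source formats, field names, retention values, the salt and the in-memory store are
illustrative assumptions, not the talk's own code.
"""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events in two hypothetical source formats (not real SIEM data).
# The third event is a redelivery of the first and must dedupe away.
RAW_EVENTS = [
    {"source": "fw", "ts": "2024-05-01T10:00:12Z", "src": "10.0.0.5", "usr": "alice@example.com",
     "act": "DENY", "msg": "blocked outbound from alice@example.com to 203.0.113.9:4444"},
    {"source": "auth", "@timestamp": "2024-05-01T10:00:40Z", "client_ip": "10.0.0.7",
     "user": "bob", "event": "login_failed", "message": "bad password for bob, phone +351 912 345 678"},
    {"source": "fw", "ts": "2024-05-01T10:00:12Z", "src": "10.0.0.5", "usr": "alice@example.com",
     "act": "DENY", "msg": "blocked outbound from alice@example.com to 203.0.113.9:4444"},
]

# Assumed per-source retention (days); stored as metadata so a filter or delete job can enforce it.
RETENTION_DAYS = {"fw": 30, "auth": 90}

# Schema-lite normalization: source-specific field names -> common field names.
FIELD_MAP = {
    "fw":   {"ts": "ts", "src": "src_ip", "usr": "user", "act": "action", "msg": "message"},
    "auth": {"@timestamp": "ts", "client_ip": "src_ip", "user": "user", "event": "action",
             "message": "message"},
}

# Basic PII patterns; deliberately simple and will miss exotic formats.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")
SALT = b"demo-salt:"  # assumption; in production this comes from a secret store


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp (with or without a trailing Z) into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def pseudonym(kind: str, value: str) -> str:
    """Stable token for a PII value so analysts can still correlate it across events."""
    return f"<{kind}:{hashlib.sha256(SALT + value.encode()).hexdigest()[:8]}>"


def redact(text: str) -> str:
    """Replace e-mail addresses and phone numbers with salted, stable pseudonyms."""
    text = EMAIL_RE.sub(lambda m: pseudonym("email", m.group(0).lower()), text)
    # Strip separators before hashing so '+351 912 345 678' and '+351912345678' share a token.
    return PHONE_RE.sub(lambda m: pseudonym("phone", re.sub(r"\D", "", m.group(0))), text)


def normalize(raw: dict) -> dict:
    """Map a source-specific event onto the common schema and redact PII-bearing fields."""
    source = raw["source"]
    norm = {"source": source}
    for src_field, common in FIELD_MAP[source].items():
        norm[common] = raw.get(src_field, "")
    norm["ts"] = parse_ts(norm["ts"]).isoformat()
    norm["user"] = redact(norm["user"])  # the user field is often an e-mail address
    norm["message"] = redact(norm["message"])
    return norm


def fingerprint(norm: dict) -> str:
    """Content fingerprint over the canonical (post-redaction) fields.

    Key order and source formatting do not affect it, so a redelivered or late copy of the
    same event hashes identically; redaction is deterministic, so it does not break dedup.
    """
    canon = {k: norm[k] for k in ("source", "ts", "src_ip", "user", "action", "message")}
    payload = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def to_record(norm: dict) -> dict:
    """Build the upsert record: fingerprint as id, one text line as document, retention in metadata."""
    expires = parse_ts(norm["ts"]) + timedelta(days=RETENTION_DAYS[norm["source"]])
    doc = (f'{norm["ts"]} {norm["source"]} {norm["action"]} src={norm["src_ip"]} '
           f'user={norm["user"]}: {norm["message"]}')
    meta = {"source": norm["source"], "ts": norm["ts"], "src_ip": norm["src_ip"],
            "expires_at": expires.isoformat()}
    return {"id": fingerprint(norm), "document": doc, "metadata": meta}


def batches(items, size):
    """Yield fixed-size batches so embedding calls are bounded."""
    batch = []
    for item in items:
        batch.append(item)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


class MemoryVectorStore:
    """Offline stand-in for a Chroma collection: upsert keyed by id, so replays are idempotent."""

    def __init__(self):
        self.rows = {}

    def upsert(self, ids, documents, metadatas):
        for i, d, m in zip(ids, documents, metadatas):
            self.rows[i] = {"document": d, "metadata": m}

    def count(self) -> int:
        return len(self.rows)


def process(raw_events, store: MemoryVectorStore, batch_size: int = 2) -> list:
    """Normalize, dedupe in-flight, batch and upsert; returns the unique records seen."""
    seen, records = set(), []
    for raw in raw_events:
        rec = to_record(normalize(raw))
        if rec["id"] in seen:  # process-local dedupe; the keyed upsert covers restarts/replays
            continue
        seen.add(rec["id"])
        records.append(rec)
    for batch in batches(records, batch_size):
        store.upsert(ids=[r["id"] for r in batch], documents=[r["document"] for r in batch],
                     metadatas=[r["metadata"] for r in batch])
    return records


def within_window(store: MemoryVectorStore, now_iso: str, hours: int = 48) -> list:
    """Documents with ts inside the last `hours` before `now_iso` that have not passed expires_at."""
    now = parse_ts(now_iso)
    lo = now - timedelta(hours=hours)
    return [row["document"] for row in store.rows.values()
            if lo <= parse_ts(row["metadata"]["ts"]) <= now
            and now < parse_ts(row["metadata"]["expires_at"])]


if __name__ == "__main__":
    store = MemoryVectorStore()
    recs = process(RAW_EVENTS, store)
    print(len(recs), "unique records;", store.count(), "rows in store")
    for doc in within_window(store, "2024-05-02T00:00:00+00:00"):
        print(doc)
```

Two practitioner points the code makes concrete: the fingerprint is computed after redaction, so the same event arriving twice (or late) collapses to one row without the raw e-mail ever reaching the vector store, and the `seen` set is only an in-flight optimisation; what actually makes replays safe after a restart is that the store is keyed by the fingerprint. The `expires_at` metadata is not enforced by the store itself; the window filter, or a periodic delete job, has to honour it. The regexes are starter patterns that will produce both misses and false positives on real log text and should be tuned per source.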

You’ll leave with a small, clear blueprint you can adapt to your own estate—plus a working demo you can show to both managers (executive summary) and analysts (drill-down context with citations).

Bio:
Gonçalo Valente is a Lead MLOps engineer at Marionete with a background in software development and DevOps. Over the past few years he has focused on containerized, end-to-end platforms that bridge data engineering and applied ML—prioritizing reliability, developer ergonomics, and cost awareness. He’s especially interested in how modern container tooling and streaming patterns (Kafka) can power retrieval-augmented workflows that turn messy operational data into actionable, auditable answers.

***
DISCLAIMER
NOTE: We are unable to cater for any attendees under the age of 18.
If you would like to speak or host our next event please let us know! community@confluent.io

Lisbon Apache Kafka® Meetup by Confluent