Ask Concord

Answers from our documentation

Ask anything about Concord. Every answer comes from our actual documentation.

IaxaIConcord

Surface: Detection Portability Layer

Write a detection once. Run it on every client's stack.

Concord by IaxaI Detection Portability Layer takes one OCSF-native detection and emits it back in the vendor dialect each client runs: Splunk SPL, Sentinel KQL, CrowdStrike LogScale, Sigma. Powered by the Reverse Transpiler. Stop maintaining the same rule in five different languages.

Authoring detections five times for five clients?

The Problem

One detection. Thirty clients. Five vendor languages. Math doesn't work.

Your senior detection engineer writes a great rule against your primary client's CrowdStrike. Now translate it into Splunk SPL for the next client. Then KQL for the bank running Sentinel. Then Sigma for the one with three EDRs. The detection drifts in every dialect. Tuning happens five times. Coverage gaps appear and nobody notices until the audit.

The Outcome

One canonical rule. Vendor-native output. Same intent everywhere.

Author the detection once against the Concord schema. The Reverse Transpiler emits SPL for the Splunk shop, KQL for the Sentinel shop, LogScale for the CrowdStrike shop, and Sigma YAML for whatever else lands. One rule to maintain. Coverage stays consistent across the whole client base.

How It Works

Author. Compile. Deploy.

Step 1: write the detection in OCSF

Reference fields by their canonical OCSF names. Express the logic against the Concord schema. No vendor coupling at authoring time. No lowest-common-denominator compromises.

Step 2: the Reverse Transpiler emits the vendor-native version

Concord compiles the OCSF detection back into the target vendor's query language using the same vendor mapping packs that drive forward translation. SPL, KQL, LogScale, Sigma. The Reverse Transpiler is on the V1 build list. The forward path and the mapping infrastructure it depends on ship today.

Step 3: deploy to the client's native platform

The emitted rule runs unchanged in the client's SIEM, EDR, or SOAR. No agent to install. No rip-and-replace. The detection executes natively where the data already lives. Concord doesn't sit in the alert path, it just writes the rule.

Step 4: provenance threaded through every emission

Each compiled detection carries the source OCSF rule, the target vendor, the mapping pack version, and the transpiler version. Signed with Ed25519 and written to the audit ledger. When a client asks "is this the same rule we saw last quarter?" the answer is yes, and you can prove it.

What It Sits On

The Reverse Transpiler is the engine-side enabler. DPL is the buyer-facing surface.

Consumes

Translation Engine. Reverse Transpiler.

The same vendor mapping packs that translate vendor events into OCSF run in reverse to compile OCSF detections back into the vendor's native query language.

Produces

Vendor-native rules. Signed provenance.

SPL, KQL, LogScale, Sigma. Each emission carries the canonical source rule, mapping version, and transpiler version, written to the per-tenant audit ledger.

Status

Forward path shipped. Reverse Transpiler is V1.

Shipped

  • OCSF-native forward translation across 30+ vendor mappings and 6 production-ready connectors.
  • Calibrated mapping confidence so transpiled rules inherit a defensible signal-to-vendor binding.
  • Audit ledger primitives ready to anchor every compiled detection emission.

V1 build list

  • Reverse Transpiler: OCSF detections back to SPL, KQL, LogScale, and Sigma YAML.
  • Per-emission provenance bundle written to the per-tenant audit ledger.
  • Documented round-trip fidelity targets per supported vendor. Published, not hidden.

Why It Matters

Detection engineering at MSSP scale only works if the rule travels.

For a single-tenant security team, writing a detection in their own SIEM's native language is fine. For an MSSP with twelve clients across five vendor stacks, the math breaks down fast. A senior detection engineer's output gets divided by the number of dialects they have to maintain. Any rule that doesn't make the trip becomes coverage gap.

DPL flips the equation. The rule is authored once against the canonical schema and the Reverse Transpiler does the dialect work. Detection coverage scales with the engineer's rule output, not with the number of vendor backends. Every emission is signed and ledgered, so "is this the rule we agreed to last quarter" stops being a Slack search.

Honest about the round-trip

Vendor query languages aren't isomorphic. Some expressive primitives don't round-trip cleanly across every dialect. Concord publishes a fidelity score per vendor target rather than pretending the translation is lossless. When a rule can't be expressed natively, the transpiler refuses with a reason instead of silently emitting something that drifts.

Stop reconciling. Start trusting one timeline.

30-minute walkthrough. Your tools. Your tenants. Your audit cycle. We will show you exactly where Concord earns its keep.