0.3.0 - Claude Code Plugin
New Features
- SIEM supports Splunk / ELK, allows custom log configuration metadata, and adds a unified log retrieval interface for LLMs.
- Claude Code Plugin reaches its official release and supports most core ASP capabilities.
- Claude Code Plugin includes 8 skills and 1 agent for common investigation workflows across Case, Alert, SIEM, Knowledge, and related capabilities. The current recommended integration is Skills.
Improvements
- SIRP UI layout and field-level permission control have been improved.
- Removed the Dify / Mem0 plugins and dropped Neo4j / Chroma support.
Developer Notes
SIEM is the core platform in a SOC and carries all log data. Both humans and LLMs need an interface to search logs in SIEM for enrichment or investigation.
Splunk is the leader in commercial SIEM, and ELK is the most common open-source SIEM solution, so ASP first chose to support these two platforms. ASP standardizes the log interface so external callers do not need to care about the underlying SIEM implementation.
SIEM platforms usually do not maintain log documentation in the platform itself, such as the purpose of a specific index or the meaning of the fields it contains. The traditional approach is to store this information in an external wiki, where security personnel read the documentation to understand how a log is used, but that approach is not friendly to integration or to LLM-based retrieval and analysis. ASP stores this data in YAML files and exposes it through a unified external interface, which makes it easier for LLMs to consume. The same files can also serve as reference material in the Claude Code Plugin.
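The two ideas above, a unified log interface that hides whether Splunk or ELK is underneath, and index/field metadata kept outside the SIEM for LLM consumption, fit together in one small example. The code below is added here and is not ASP's own code: the catalogue dict mirrors the shape such a YAML file would have (ASP's real schema, index names and field names are not shown on the page and are assumed), a backend-neutral `LogQuery` is validated against it, and the same query is translated into either an SPL search string or an Elasticsearch index pattern plus request body. Validating field names against the catalogue and quoting values is what keeps an LLM-supplied filter from turning into raw search syntax.

```python
"""Unified log retrieval over Splunk and Elasticsearch, driven by log metadata.

Added example, not ASP's own code: a catalogue with the shape of the YAML
metadata described in the notes validates a backend-neutral query, which is
then translated into either SPL or Elasticsearch Query DSL.
"""
from dataclasses import dataclass, field
from typing import Any

# Constructed catalogue mirroring what a YAML metadata file would hold
# (assumption: ASP's real schema and index names are not shown on the page).
LOG_CATALOGUE: dict[str, dict[str, Any]] = {
    "proxy": {
        "description": "Outbound web proxy access logs, one event per request",
        "splunk_index": "proxy_access",
        "elastic_index": "logs-proxy-*",
        "fields": {
            "src_ip": "Client IP address",
            "dest_host": "Requested hostname",
            "action": "allowed or blocked",
        },
    },
    "auth": {
        "description": "Windows and Linux authentication events",
        "splunk_index": "auth",
        "elastic_index": "logs-auth-*",
        "fields": {
            "user": "Account name",
            "src_ip": "Source IP address of the logon",
        },
    },
}


@dataclass
class LogQuery:
    """Backend-neutral query: exact-match filters inside a time window."""
    source: str                                   # catalogue key, never a raw index
    filters: dict[str, str] = field(default_factory=dict)
    earliest: int = 0                             # epoch seconds
    latest: int = 0
    limit: int = 100


def describe(source: str) -> str:
    """Render one catalogue entry as plain text, e.g. for an LLM's context."""
    meta = LOG_CATALOGUE[source]
    lines = [f"{source}: {meta['description']}"]
    lines += [f"  {name}: {doc}" for name, doc in meta["fields"].items()]
    return "\n".join(lines)


def validate(query: LogQuery) -> dict[str, Any]:
    """Reject anything outside the catalogue before it reaches a SIEM.

    A caller, human or LLM, can only name catalogued sources and fields, so a
    field name cannot carry raw SPL or DSL into the generated query.
    """
    meta = LOG_CATALOGUE.get(query.source)
    if meta is None:
        raise ValueError(f"unknown log source: {query.source!r}")
    unknown = set(query.filters) - set(meta["fields"])
    if unknown:
        raise ValueError(f"unknown fields for {query.source}: {sorted(unknown)}")
    if query.earliest > query.latest:
        raise ValueError("earliest must not be after latest")
    if not 1 <= query.limit <= 10000:
        raise ValueError("limit must be between 1 and 10000")
    return meta


def _spl_string(value: str) -> str:
    """Quote a value for SPL, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_spl(query: LogQuery) -> str:
    """Translate the query into a Splunk search string (epoch time modifiers)."""
    meta = validate(query)
    terms = [f"index={_spl_string(meta['splunk_index'])}"]
    terms += [f"{name}={_spl_string(val)}" for name, val in query.filters.items()]
    terms += [f"earliest={query.earliest}", f"latest={query.latest}"]
    return "search " + " ".join(terms) + f" | head {query.limit}"


def to_es_dsl(query: LogQuery) -> dict[str, Any]:
    """Translate the query into an index pattern plus Elasticsearch request body.

    Assumes filtered fields are keyword-typed and events carry @timestamp;
    values travel as JSON data, so no string escaping is needed here.
    """
    meta = validate(query)
    clauses: list[dict[str, Any]] = [{"term": {k: v}} for k, v in query.filters.items()]
    clauses.append({"range": {"@timestamp": {
        "gte": query.earliest, "lte": query.latest, "format": "epoch_second"}}})
    return {"index": meta["elastic_index"],
            "body": {"size": query.limit, "query": {"bool": {"filter": clauses}}}}
```

With this shape, adding a third SIEM means adding one `to_*` translator; callers, including the plugin's skills, keep using `LogQuery` and `describe()` unchanged.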
Today, operating platforms and software through natural-language conversation has become a hard requirement for users. There are currently two approaches:
- Implement a conversation interface and harness engineering directly in the platform UI.
- Integrate with external harness engineering.
From the perspectives of system maturity, user acceptance, and implementation effort, the second approach is the better choice.
ASP needs to expose interfaces that allow LLMs to operate the platform. Early versions prioritized integration with external harness agents and split capabilities into fine-grained tools, skills, and agent workflows. Later versions moved the runtime boundary to the asp CLI and the Agent Operations API, which gives progressive loading, stable JSON output, and clearer authentication configuration.
Given that ASP's target users are professional cybersecurity practitioners and are generally comfortable with the command line, Claude Code became the preferred harness engineering tool.
Once ASP can integrate with external tools such as Claude Code, UI-based workflows like Dify are no longer necessary. User interaction, memory management, and multi-agent orchestration are handled by Claude Code.
Mem0's strengths are its simple interface and native GraphRAG support. Its weaknesses are that it depends on an external graph database (Neo4j), requires extra LLM analysis when building GraphRAG, and performs poorly.
Mem0 is mainly designed for personal assistants and long-term memory, whereas ASP uses RAG as a knowledge base that provides reference information for SecOps, and that knowledge base is usually not large. In practice, hybrid keyword and semantic search, implemented with sparse and dense vectors, is enough to meet performance requirements, and accuracy can be ensured by returning more candidates and applying a rerank model.
Neo4j was used only by Mem0, so once Mem0 is removed it is unnecessary as well. The Qdrant plugin is already integrated into ASP and supports both sparse and dense vector storage, so Chroma is no longer needed either.
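The retrieval shape the notes settle on, a sparse (keyword) ranking and a dense (semantic) ranking fused into one candidate list that a rerank model would then consume, is shown below as an added example; it is not ASP or Qdrant code. Both rankings are computed locally: the sparse side is an IDF-weighted term match, the dense side is cosine similarity over constructed three-dimensional vectors standing in for real embeddings, and the two are combined with reciprocal rank fusion. The `candidate_pool` parameter is the "return more results" knob from the text; the rerank stage itself is left out because it needs a model.

```python
"""Hybrid keyword + semantic retrieval with reciprocal rank fusion (RRF).

Added example, not ASP or Qdrant code. Sparse and dense rankings are built
locally and fused; the fused list is what a rerank model would consume.
"""
import math
import re
from collections import Counter

# Constructed knowledge-base entries. The 3-d vectors are hand-made stand-ins
# for model embeddings (assumption: any dimensionality works the same way).
DOCS: dict[str, tuple[str, list[float]]] = {
    "kb-1": ("Proxy blocked outbound traffic to a newly registered domain", [0.9, 0.1, 0.2]),
    "kb-2": ("Failed logon burst from a single source address", [0.1, 0.9, 0.1]),
    "kb-3": ("DNS tunnelling indicators: long labels, high query rate", [0.8, 0.2, 0.3]),
    "kb-4": ("Playbook: contain a compromised user account", [0.2, 0.8, 0.4]),
}


def tokenize(text: str) -> list[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


def sparse_scores(query: str) -> dict[str, float]:
    """Keyword side: sum of IDF weights of query terms present in each doc."""
    q_terms = set(tokenize(query))
    doc_terms = {d: set(tokenize(text)) for d, (text, _) in DOCS.items()}
    n = len(DOCS)

    def idf(term: str) -> float:
        df = sum(term in terms for terms in doc_terms.values())
        return math.log((n + 1) / (df + 1)) + 1

    scores = {d: sum(idf(t) for t in q_terms if t in terms) for d, terms in doc_terms.items()}
    return {d: s for d, s in scores.items() if s > 0}   # only docs that matched


def cosine(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def dense_scores(query_vec: list[float]) -> dict[str, float]:
    """Semantic side: cosine similarity between the query vector and each doc."""
    return {d: cosine(query_vec, vec) for d, (_, vec) in DOCS.items()}


def ranked(scores: dict[str, float], pool: int) -> list[str]:
    """Top-`pool` doc ids by descending score."""
    return sorted(scores, key=lambda d: -scores[d])[:pool]


def rrf(rankings: list[list[str]], k: int = 60) -> list[str]:
    """Reciprocal rank fusion: score(d) = sum over rankings of 1 / (k + rank)."""
    fused: Counter = Counter()
    for ranking in rankings:
        for rank, doc_id in enumerate(ranking, start=1):
            fused[doc_id] += 1.0 / (k + rank)
    return sorted(fused, key=lambda d: -fused[d])


def hybrid_search(query: str, query_vec: list[float],
                  candidate_pool: int = 3, top_n: int = 2) -> list[str]:
    """Fuse the sparse and dense top-`candidate_pool` lists, return `top_n` ids.

    A larger candidate_pool raises recall before the (omitted) rerank step,
    which is the trade-off the notes describe.
    """
    sparse_rank = ranked(sparse_scores(query), candidate_pool)
    dense_rank = ranked(dense_scores(query_vec), candidate_pool)
    return rrf([sparse_rank, dense_rank])[:top_n]


if __name__ == "__main__":
    # A query whose wording only the keyword side catches but whose vector
    # leans toward kb-1: fusion still puts the matching document first.
    print(hybrid_search("tunnelling indicators", [0.9, 0.1, 0.2]))
```

In a Qdrant-backed deployment the two `ranked()` calls become the sparse and dense prefetches and `rrf()` is done server-side; the local version is useful for testing the fusion behaviour and the pool size without a running vector store.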