🎯 Overview

OxiSec SIEM is a security incident management platform that collects and analyzes the syslog data generated by your firewalls and network devices. Every log that reaches the system is:

  1. Routed to a custom parser by device type (FortiGate / MikroTik / WatchGuard / Keenetic)
  2. Enriched with GeoIP data for its IP addresses (country, city, ISP)
  3. Checked against Threat Intelligence sources (abuse_score, Tor exit, known bad IP)
  4. Scored by A.I. (Qwen 2.5, running locally): each log receives a threat score of 0-100
  5. Scanned by the correlation engine, which runs every 5 minutes, against 20+ patterns (mail, Windows, firewall)
  6. Grouped with related alarms automatically by the Incident Builder
  7. Summarized per incident: an A.I. summary, MITRE tags and recommendations are produced for every incident

Where is the data?

In cloud plans, in data centers in Türkiye. A.I. analysis runs locally (Ollama); your data never goes to OpenAI/Google. In the Enterprise plan, the on-prem deployment runs on your own server.

🚀 Quick Start (15 minutes)

Create a free account

Sign up on the signup.html page. An e-mail verification link will be sent; click it to activate your account.

Add your first device

Dashboard → Devices → + New Device. Enter the IP and type of the device (FortiGate, MikroTik, etc.).

A syslog destination address unique to you will be displayed — you will use it in the next step.

Configure firewall to send syslog

See the following sections depending on your device type:

Verify the flow

Dashboard → Logs. If the device is configured correctly, logs will start flowing within 1-2 minutes.

Enable 2FA

Menu → 2FA. Scan the QR code with Google Authenticator and protect your account.

📖 Core Concepts

Terms you will frequently see in the OxiSec panel:

Term            Description
Tenant          Data isolation boundary — each customer/organization is a separate tenant
Site / Branch   Location group within a tenant (Istanbul HQ, Frankfurt, etc.)
Log             Raw syslog record — enriched after parsing, GeoIP and A.I. scoring
Alert           Single alert triggered by a rule or correlation
Incident        Group of related alerts — A.I. summary + MITRE tags
Case            Official case record with SLA, assignment and closure tracking
Threat Score    0–100 A.I. threat score — generated locally with Ollama

🔥 FortiGate Installation

Syslog setup on FortiGate (FortiOS) takes just 3 commands.

Installation via CLI (all FortiOS versions)

# Connect to FortiGate CLI via SSH or console
# Paste the following commands (replace IP and port with the one given to you)

config log syslogd setting
    set status enable
    set server "syslog.oxisec.com"        # The address given to you
    set port 5514                          # The port given to you
    set facility local7
    set format default
    set mode udp
    set enc-algorithm disabled
end

# Include all traffic logs
config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set anomaly enable
    set netscan-discovery enable
    set netscan-vulnerability enable
end

Installation via GUI

  1. Log in to the FortiGate web interface
  2. Log & Report → Log Settings
  3. Remote Logging → Syslog → Enable
  4. Server: syslog.oxisec.com · Port: 5514 · Facility: Local7
  5. Save, wait a minute, see the logs on the dashboard

Our FortiGate parser has a success rate of 99.9%

All versions of FortiOS 6.0 and above are supported. The action, policy, srcintf, dstintf and hostname fields are parsed automatically.

📡 MikroTik Installation

2 commands are enough on RouterOS. All log categories are sent to OxiSec.

# RouterOS CLI (Winbox Terminal or SSH)

# 1. Add remote syslog action
/system logging action
add name=oxisec target=remote remote=syslog.oxisec.com remote-port=5514

# 2. Send log topics (firewall, info, warning, error)
/system logging
add topics=firewall action=oxisec
add topics=info action=oxisec
add topics=warning action=oxisec
add topics=error action=oxisec
add topics=critical action=oxisec

Detailing firewall logs (recommended)

# Add log to all drop rules
/ip firewall filter
set [find action=drop] log=yes log-prefix="drop:"

# If you also want to log NAT rules
/ip firewall nat
set [find] log=yes log-prefix="nat:"

Attention: logging all traffic puts significant CPU load on RouterOS devices.

On small devices such as RB450/RB750, start by logging only the drop and reject rules and expand as needed.

🛡 WatchGuard Setup

Syslog settings for WatchGuard Fireware OS.

  1. Login to WatchGuard web console
  2. System Status → Syslog Server
  3. Enable Syslog
  4. Server: syslog.oxisec.com · Port: 5514 · Protocol: UDP
  5. Log Format: IBM LEEF or syslog
  6. Save, and don't forget to enable the "Log" checkbox on your firewall policies.

🌐 Keenetic Installation

Syslog via CLI for Keenetic routers.

# Keenetic CLI (Web Interface → System → CLI)
system syslog server syslog.oxisec.com 5514
system syslog rotate
system log level info
save system configuration

⚙ Generic Syslog

For unsupported devices, the generic parser comes into play. Most syslog-compatible devices work.

The generic parser extracts basic fields such as IP, port, protocol, action and timestamp. In the Enterprise plan we can build a custom parser for your device.

🔒 2FA Setup

2FA adds an additional layer of security to your account. Even if your password is compromised, an attacker still cannot obtain the 6-digit code on your phone.

Supported Authenticator Apps

Installation Steps

Open the Settings → 2FA page

Click the 🔒 Two-Step Verification link in the menu.

Press the "🔒 Enable 2FA" button

A QR code and a 16-digit secret will appear.

Scan the QR code with your Authenticator app

An account named "OxiSec SIEM: your@e-mail.com" will be added in the app, and a 6-digit code will start appearing.

Verify the code

Type the code from the Authenticator into the "6-digit code" field on the page → "Verify and Activate".

Print recovery codes

10 recovery codes will appear. Print them or save them somewhere safe. If your phone is lost, you can log in with these codes.

Don't lose recovery codes!

If you lose your phone and have no recovery codes, you will need to verify your identity with support to regain access to your account. This process may take 24-48 hours.

👥 User & Roles

OxiSec offers four roles via RBAC. Each user can be linked to one or more tenants.

New user: Settings → Users → + New User. On the MSSP plan, switch between customers via the tenant selector in the header.

⚡ Alarm Rules

28+ rules are available out of the box on the Dashboard. You can add your own rules from the Alarm Rules page. There are 14 different rule types:

📋 Incident Stream

The Incident Builder runs every 3 minutes. It groups related alarms according to 5 rules:

  1. Same /24 subnet — alarms from the same network block
  2. Same destination port — coordinated port attack
  3. Same src_ip — same attacker, different pattern
  4. Critical single alert — a stand-alone event with severity=critical
  5. Ongoing incident — alarms from the last 30 minutes are added to the open incident

Access Status — critical metric

Each incident comes with an access status:

📁 Case Management (Cases)

On the business+ plan, incidents can be converted to official cases. The case module provides SLA tracking, assignment, and audit trail.

  1. Incident detail → Convert to Case, or Cases → + New Case
  2. Enter the assigned analyst, priority and target close date (SLA)
  3. Status flow: open → investigating → resolved → closed
  4. The forensic bundle and activity log are automatically linked to the incident record

On the Entity Timeline page, related alerts and logs can be reviewed on a single screen by IP or by user.

🔍 Hunt & Hunt A.I.

The Hunt page offers advanced log search: saved queries, aggregate and timeline modes, and MITRE-focused ready-made filters.

Hunt A.I. (Business+): ask in natural language — the assistant converts the question into a SIEM filter and lists the evidence logs. Example: "Any RDP attempts from Russia in the last 24 hours?"

🤖 Auto-Mode

Automatic action for IPs that exceed the threat score threshold. Enabled per device.

Setup: Devices → device row → Auto-Mode toggle. For MikroTik, enter the API user/password and the block list name.

🎯 20+ Correlation Patterns

Each pattern detects specific attack behavior:

Pattern                 Detects
port_scan               Scanning from a single IP to multiple ports
persistent_scan         Long-term, slow scanning (stealth)
multi_source_attack     Multiple IPs to the same port (botnet)
brute_force_chain       Chain of authentication retries
credential_stuffing     Mass login attempts with stolen credentials
lateral_movement        Lateral movement inside the network
data_exfiltration       Large-volume outbound transfer
dns_flood               DNS amplification, query burst
traffic_anomaly         Traffic volume deviating from normal
after_hours_access      Login outside working hours
first_seen_country      Foreign country seen for the first time
impossible_travel       Physically impossible location change
password_spray          Few attempts against many users (spray)
auth_failed_burst       Massive authentication failures in a short time
smtp_auth_brute         SMTP authentication brute force
protocol_sweep          Protocol/port scanning sweep
inbound_spam_flood      Incoming spam wave
outbound_spam_abuse     Outbound spam from a compromised account
rdp_chain               RDP brute force chain
multi_stage_attack      4+ patterns from the same IP → campaign
device_offline          Device log stream has stopped
vpn_anomaly             Abnormal VPN session behaviour
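To make the pipeline concrete (parse a FortiGate-style key=value line, then run windowed correlation over the parsed events), here is an added, self-contained example. It is not OxiSec's parser or correlation engine: the field names follow the FortiGate format shown in the installation section, but the thresholds, windows and the three detectors (port_scan, multi_source_attack, auth_failed_burst) are assumptions chosen for illustration, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value tokens as FortiGate emits them; quoted values may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortigate(line):
    """Parse one FortiGate-style syslog line into a dict; adds a datetime under 'ts'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.fromisoformat(f'{fields["date"]} {fields["time"]}')
    return fields

def _traffic(t, src, dport, action="deny"):
    # builds a constructed traffic line for the demo (not real device output)
    return (f'date=2026-05-11 time={t} devname="fw1" type="traffic" subtype="forward" '
            f'srcip={src} srcport=51000 dstip=10.0.0.5 dstport={dport} proto=6 action="{action}"')

def _login(t, src, status):
    # builds a constructed admin-login event line for the demo
    return (f'date=2026-05-11 time={t} devname="fw1" type="event" subtype="system" '
            f'action="login" status="{status}" user="admin" srcip={src}')

SAMPLE_LOGS = [
    # one source touching six ports in six seconds -> port_scan
    _traffic("14:30:01", "203.0.113.45", 21),
    _traffic("14:30:02", "203.0.113.45", 22),
    _traffic("14:30:03", "203.0.113.45", 23),
    _traffic("14:30:04", "203.0.113.45", 80),
    _traffic("14:30:05", "203.0.113.45", 443),
    _traffic("14:30:06", "203.0.113.45", 3389),
    # three more sources hitting the same port shortly after -> multi_source_attack
    _traffic("14:31:00", "198.51.100.7", 3389),
    _traffic("14:31:10", "198.51.100.8", 3389),
    _traffic("14:31:20", "198.51.100.9", 3389),
    # benign internal traffic, should trigger nothing
    _traffic("14:32:00", "10.0.0.20", 443, action="accept"),
    # four failed admin logins in 14 seconds -> auth_failed_burst
    _login("14:35:00", "192.0.2.10", "failed"),
    _login("14:35:05", "192.0.2.10", "failed"),
    _login("14:35:09", "192.0.2.10", "failed"),
    _login("14:35:14", "192.0.2.10", "failed"),
    _login("14:40:00", "10.0.0.20", "success"),
]

def _in_window(items, window, threshold, distinct):
    """Slide a time window over (ts, value) pairs. Return the values of the first window
    that reaches `threshold` (distinct values if `distinct`, else every occurrence), or None."""
    items = sorted(items, key=lambda x: x[0])
    for i, (t0, _) in enumerate(items):
        values = [v for t, v in items[i:] if t - t0 <= window]
        if distinct:
            values = sorted(set(values))
        if len(values) >= threshold:
            return values
    return None

def detect_port_scan(events, min_ports=5, window=timedelta(minutes=5)):
    """port_scan: one srcip reaching >= min_ports distinct dstports inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("type") == "traffic":
            by_src[e["srcip"]].append((e["ts"], int(e["dstport"])))
    hits = {src: _in_window(v, window, min_ports, True) for src, v in by_src.items()}
    return {src: ports for src, ports in hits.items() if ports}

def detect_multi_source_attack(events, min_sources=3, window=timedelta(minutes=5)):
    """multi_source_attack: >= min_sources distinct srcips hitting one dstport inside `window`."""
    by_port = defaultdict(list)
    for e in events:
        if e.get("type") == "traffic":
            by_port[int(e["dstport"])].append((e["ts"], e["srcip"]))
    hits = {port: _in_window(v, window, min_sources, True) for port, v in by_port.items()}
    return {port: srcs for port, srcs in hits.items() if srcs}

def detect_auth_failed_burst(events, min_failures=3, window=timedelta(minutes=1)):
    """auth_failed_burst: >= min_failures failed logins from one srcip inside `window`;
    returns the number of failures in the offending window."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("action") == "login" and e.get("status") == "failed":
            by_src[e["srcip"]].append((e["ts"], e.get("user", "?")))
    hits = {src: _in_window(v, window, min_failures, False) for src, v in by_src.items()}
    return {src: len(users) for src, users in hits.items() if users}

def run_correlation(lines):
    """Parse raw lines and run every detector; the result maps pattern name -> findings."""
    events = [parse_fortigate(l) for l in lines]
    return {
        "port_scan": detect_port_scan(events),
        "multi_source_attack": detect_multi_source_attack(events),
        "auth_failed_burst": detect_auth_failed_burst(events),
    }

if __name__ == "__main__":
    for pattern, findings in run_correlation(SAMPLE_LOGS).items():
        print(pattern, findings)
```

The sliding window matters more than the thresholds: the same six-port scan spread over an hour would not trip port_scan here (that is what the separate persistent_scan pattern exists for), and the benign 10.0.0.20 session touches port 443 that the scanner also hit, which is why multi_source_attack counts distinct sources per port rather than raw hits.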

🪟 Windows Event Log

Windows Event Log integration for Active Directory, RDP and file server events.

  1. Install NXLog or a similar agent on the server
  2. Syslog target: the syslog.oxisec.com:5514 address given to you
  3. Security channel: Event ID 4624 (success), 4625 (fail), 4648, 4776
  4. Panel → Windows Analytics — RDP brute force and privilege escalation views

📧 e-mail Security

Send Plesk, Postfix, hMailServer and MailEnable logs via syslog.

For e-mail communication logs within the scope of 5651, enable the 5651 Keep Log flag. Details: the 5651 compliance pages.

📊 SNMP Monitoring

Monitor CPU, memory and interface metrics of network devices outside the firewall/router.

  1. Devices → enter the SNMP community / v3 information when adding or editing a device
  2. Panel → SNMP Monitor — uptime, CPU %, port status
  3. When a device goes offline, the device_offline correlation pattern is triggered

⚖ 5651 Legal Log Retention

Traffic and communication logs within the scope of 5651 are archived and signed with HMAC-SHA256.

  1. Devices → device → 5651 Keep Log toggle
  2. The system produces a signed bundle every hour (CSV / tab-separated)
  3. Download from Compliance → 5651 or Forensic Bundles
  4. Hash verification tool for court/audit is available in the panel

Detailed guide: 5651.html

📥 Sigma Import

Convert community Sigma rules into OxiSec alarm rules (Starter+).

  1. Menu → Sigma Import
  2. Paste or upload the Sigma YAML file
  3. Preview → Mapping to an OxiSec rule type → Save
  4. Simulate: run a dry-run against the last 24 hours of data

🏢 MSSP & Tenant Sites

The MSSP plan provides unlimited tenants, a white-label brand and separate reports per customer.

📊 Reports

Panel → Reports — 10-section SOC PDF report:

Starter+: monthly automatic PDF by e-mail. Business+: KVKK / ISO 5651 compliance checklist PDF. Periodic sending: Settings → Reports → Schedule.

📨 Telegram Notification

In critical events, you will instantly receive a Telegram message on your phone.

Create Telegram Bot

Talk to @BotFather on Telegram. Create a new bot with the /newbot command. It will give you a bot token.

Add the bot to your channel

Create a Telegram group/channel. Add the bot as admin. Send a message to the channel, then open https://api.telegram.org/bot<TOKEN>/getUpdates — you will see your chat_id (e.g. -1001234567890).

Configure in OxiSec

Settings → Notifications → Telegram. Enter bot token and chat_id. Try with "Send test message".

📧 e-mail SMTP

E-mail sending works automatically in Cloud plans. In an on-prem deployment you can configure your own SMTP server under Settings → e-mail SMTP.

SMTP Host: smtp.gmail.com
SMTP Port: 587 (STARTTLS) or 465 (SSL)
Username: siz@gmail.com
Password: application password (if 2FA is active)
From Address: alerts@yourcompany.com
Encryption: STARTTLS

🔌 Webhook Integration

When a critical alarm is triggered, OxiSec sends an HMAC-SHA256 signed JSON payload to the HTTP endpoint you specify. Integrate it with Slack, Teams, Discord, n8n/Zapier/Make, your own SOAR system or your CRM.

Setup

  1. Log in to the panel → left menu → Webhook
  2. Click the + New Webhook button
  3. Choose a name, the destination URL and the events you want to listen to
  4. The secret is generated automatically — copy it and save it in a safe place (it will not be shown again)
  5. Try a sample payload with the 🧪 Send Test button

Event Types

Event                    When is it triggered?
alert.created            Each time a new alarm is generated
alert.critical           Only critical-level alarms
alert.high               Only high-level alarms
incident.created         When the correlation engine opens a new incident
incident.resolved        When an incident is closed
auto_mode.blocked_ip     Auto-Mode automatically blocked an IP
correlation.detected     A new correlation pattern was triggered

Payload Structure

Each event uses the same top-level schema. The data field carries the event-specific content:

POST https://your-server.com/webhook
Content-Type: application/json
User-Agent: OxiSec-Webhook/1.0
X-OxiSec-Event: alert.critical
X-OxiSec-Webhook-Id: 42
X-OxiSec-Delivery-Id: 1715430000123
X-OxiSec-Signature: sha256=a8f3c9d2e7b4f1a9...

{
  "event": "alert.critical",
  "timestamp": "2026-05-11T14:32:05Z",
  "tenant_id": 11,
  "data": {
    "ID": 2847,
    "title": "SSH Brute Force from 203.0.113.45",
    "severity": "critical",
    "source_ip": "203.0.113.45",
    "dst_ip": "10.0.0.5",
    "dst_port": 22,
    "src_country": "NL",
    "tenant_name": "Anadolu Energy",
    "description": "247 failed SSH attempts in 10 minutes",
    "created_at": "2026-05-11T14:32:05Z"
  }
}

Signature Verification (Security)

OxiSec signs each payload with HMAC-SHA256. By checking the signature on your side you verify that the request really comes from OxiSec — forged requests are rejected.

PHP

$payload = file_get_contents('php://input');
$secret = 'webhook-secret-burada';
$expected = 'sha256=' . hash_hmac('sha256', $payload, $secret);
$received = $_SERVER['HTTP_X_OXISEC_SIGNATURE'] ?? '';

if (hash_equals($expected, $received)) {
    $data = json_decode($payload, true);
    //Verified — process payload
} else {
    http_response_code(401);
    die('Invalid signature');
}

Python (Flask)

import hmac, hashlib, json
from flask import Flask, request

app = Flask(__name__)
SECRET = 'webhook-secret-burada'   # the secret shown once when the webhook was created

@app.route('/webhook', methods=['POST'])
def webhook():
    body = request.get_data()      # raw bytes exactly as received; the HMAC is over these
    signature = request.headers.get('X-OxiSec-Signature', '')
    expected = 'sha256=' + hmac.new(
        SECRET.encode(), body, hashlib.sha256
    ).hexdigest()

    # constant-time comparison; never compare signatures with ==
    if not hmac.compare_digest(signature, expected):
        return 'Invalid signature', 401

    data = json.loads(body)        # parse only after the signature is verified
    # Process...
    return 'OK'

Node.js (Express)

const crypto = require('crypto');
const SECRET = 'webhook-secret-burada'; // the secret shown once when the webhook was created

// express.raw keeps the body as a Buffer; the HMAC must be computed over the raw bytes
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.headers['x-oxisec-signature'] || '';
  const expected = 'sha256=' + crypto.createHmac('sha256', SECRET)
    .update(req.body).digest('hex');

  // timingSafeEqual throws when the lengths differ, so compare lengths first
  const sigBuf = Buffer.from(signature);
  const expBuf = Buffer.from(expected);
  if (sigBuf.length !== expBuf.length || !crypto.timingSafeEqual(sigBuf, expBuf)) {
    return res.status(401).send('Invalid signature');
  }

  const data = JSON.parse(req.body.toString()); // parse only after verification
  // Process...
  res.send('OK');
});

Error Management and Retry

HTTP Response            Behaviour
2xx                      Success — failure_count is reset
408 / 429 / 503          Temporary error → retried with exponential backoff: 1s → 5s → 30s
4xx (other)              Permanent error → no retry, failure_count++
3 consecutive errors     The webhook is automatically disabled (you can re-enable it from the panel)
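The retry behaviour above means a receiver can legitimately see the same delivery more than once (for example when its own 2xx response was lost after a 503 from a proxy), and the signature covers the raw request body, not the parsed JSON. The following added example, which is not OxiSec's code and stands apart from the snippets in the Signature Verification section, ties the two together in plain Python without a web framework: it signs the documented sample payload the way X-OxiSec-Signature carries it, verifies it in constant time, uses X-OxiSec-Delivery-Id to make processing idempotent, and shows that re-serialising the JSON breaks the signature. The secret and the byte-exact body are constructed placeholders; the header names come from the Payload Structure section.

```python
import hashlib
import hmac
import json

# Placeholder secret; the real one is shown once in the panel (Setup, step 4).
SECRET = b"webhook-secret-burada"

# The docs' sample payload as the raw bytes of one delivery (constructed here, compact form).
RAW_BODY = (b'{"event":"alert.critical","timestamp":"2026-05-11T14:32:05Z","tenant_id":11,'
            b'"data":{"ID":2847,"severity":"critical","source_ip":"203.0.113.45","dst_port":22}}')

def sign(secret: bytes, body: bytes) -> str:
    """Signature exactly as carried in X-OxiSec-Signature: 'sha256=' + hex HMAC of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def make_headers(secret, body, delivery_id, event):
    """The headers a delivery carries (names from the Payload Structure section)."""
    return {
        "X-OxiSec-Event": event,
        "X-OxiSec-Delivery-Id": str(delivery_id),
        "X-OxiSec-Signature": sign(secret, body),
    }

def handle_delivery(secret, body, headers, seen_ids):
    """Receiver logic. Returns (http_status, outcome).
    1. verify the HMAC over the raw body with a constant-time compare
    2. reject an event header that disagrees with the body (cheap sanity check)
    3. treat a repeated X-OxiSec-Delivery-Id as a retry: answer 2xx so the sender
       stops retrying, but do not process the alert a second time
    """
    sig = headers.get("X-OxiSec-Signature", "")
    if not hmac.compare_digest(sig, sign(secret, body)):
        return 401, "invalid signature"
    payload = json.loads(body)          # parse only after the signature checks out
    if headers.get("X-OxiSec-Event") != payload.get("event"):
        return 400, "event header mismatch"
    delivery_id = headers.get("X-OxiSec-Delivery-Id")
    if delivery_id in seen_ids:
        return 200, "duplicate delivery ignored"
    seen_ids.add(delivery_id)           # in production: a table keyed by delivery id
    # process the payload here (open a ticket, post to chat, ...)
    return 200, f"processed {payload['event']} alert {payload['data']['ID']}"

def demo():
    """Four deliveries against one receiver state: first, retry, tampered, re-serialised."""
    seen = set()
    headers = make_headers(SECRET, RAW_BODY, 1715430000123, "alert.critical")
    results = [
        handle_delivery(SECRET, RAW_BODY, headers, seen),   # first delivery
        handle_delivery(SECRET, RAW_BODY, headers, seen),   # sender retried the same id
    ]
    # body altered in transit, signature still the original one -> rejected
    tampered = RAW_BODY.replace(b'"critical"', b'"low"')
    results.append(handle_delivery(SECRET, tampered, headers, seen))
    # same JSON content but pretty-printed: different bytes, so the HMAC no longer matches
    reserialized = json.dumps(json.loads(RAW_BODY), indent=2).encode()
    results.append(handle_delivery(SECRET, reserialized, headers, seen))
    return results

if __name__ == "__main__":
    for status, outcome in demo():
        print(status, outcome)
```

The last case is the one that bites in practice: a framework that parses JSON before the handler runs and hands you a dict leaves you with no bytes to sign, and rebuilding the body with json.dumps yields a different string. Always verify over the raw request body, as the PHP, Flask and Express snippets above do.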

Audit Log

All webhook deliveries are recorded in the webhook_deliveries table. The detail page of each webhook in the panel shows the last 50 deliveries: pass/fail, HTTP response code, duration, number of attempts and error message. There is no "did it arrive or not?" question.

🔑 REST API

On the business+ plan, API keys can be created for programmatic access.

  1. Settings → API Keys → + New Key
  2. Select the scope: alerts:read, hunt:query, logs:read (according to your plan)
  3. The key is shown only once — keep it safe
  4. Header in requests: Authorization: Bearer <api_key>

# Example: latest open alarms
curl -s -H "Authorization: Bearer ox_live_xxxx" \
  "https://mssp.oxisec.com/api/alerts?status=open&limit=10"

For event-driven automation you can also use the Webhook integration. Full OpenAPI documentation will be released soon.

🎯 MITRE ATT&CK Mapping

Each pattern is automatically mapped to tactics and techniques in the MITRE ATT&CK framework. Visible in reports and available in audits.

Pattern               Tactic                       Technique
port_scan             TA0007 Discovery             T1046 Network Service Discovery
brute_force           TA0006 Credential Access     T1110 Brute Force
credential_stuffing   TA0006 Credential Access     T1110.004 Credential Stuffing
lateral_movement      TA0008 Lateral Movement      T1021 Remote Services
data_exfiltration     TA0010 Exfiltration          T1041 Exfiltration Over C2 Channel
dns_flood             TA0040 Impact                T1498 Network Denial of Service

In total, 12 pattern → MITRE mappings and 21 techniques come preloaded. You can add new techniques from the Settings → MITRE page.

Need help?

If there's something you can't find in the documentation, contact our support team.

Get in Touch