16 Features

Everything a single SIEM should do.

Correlation engine, A.I. analysis, Hunt assistant, Investigation Mode, e-mail security, forensic bundles, webhooks, Law 5651 compliance: the full enterprise SIEM suite. Easy installation, deep analysis, audit-ready reports.

01 · Incident Management

5 events instead of 100 alarms.

Raw alarms are a nightmare. The same attacker gets caught by 20 different patterns in one day. Our Incident Builder intelligently clusters related alarms and transforms them into meaningful incidents.

  • 5 Clustering rules: same /24 subnet, same target port, same src_ip, single critical alert, ongoing event
  • Access status: blocked / partial / compromised — risk at a glance
  • Runs every 3 minutes: adds new alarms to the ongoing incident and automatically closes incidents that stay idle for 30 minutes
  • A.I. summary: "What happened? How did it happen? What should I do?" — a 3-sentence report in Turkish

Active Incidents · last 1 hour · 5 incidents
  Coordinated Attack on Port 6855 — 25 IPs
    🔴 critical · 🛡 blocked · 34 min · 184K attempts
  Port Scan — 198.51.100.22
    🟠 high · 🛡 blocked · 17 ports · 🇳🇱
  Persistent Scan — 203.0.113.45
    🟡 medium · 🛡 blocked · 61 denies · 🇧🇬

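The clustering described above, as an added example (my own code, not OxiSec's): a builder pass that attaches each raw alarm to an open incident by same source IP, same /24 subnet or same target port, lets a single critical alarm open its own incident, auto-resolves incidents idle for 30 minutes, and derives the blocked / partial / compromised access status. The alarm field names, rule labels and the sample alarm stream are my own constructions.

```python
"""Added example (not OxiSec's code): cluster raw alarms into incidents.

Assumptions not stated on the page: alarm records carry ts, src_ip, dst_port,
severity, action and pattern fields, and the rule labels below are my own
names for the page's five clustering rules.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=30)   # idle incidents are auto-resolved after 30 min


@dataclass
class Incident:
    title: str
    rule: str                      # rule that opened the incident
    alarms: list = field(default_factory=list)
    last_seen: datetime = None
    resolved: bool = False


def subnet24(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def match_rule(inc, alarm):
    """Return the clustering rule that attaches `alarm` to the open incident
    `inc`, or None when it does not belong there."""
    if inc.resolved:
        return None
    ref = inc.alarms[0]
    if alarm["src_ip"] == ref["src_ip"]:
        return "same_src_ip"
    if subnet24(alarm["src_ip"]) == subnet24(ref["src_ip"]):
        return "same_subnet"
    if alarm.get("dst_port") is not None and alarm.get("dst_port") == ref.get("dst_port"):
        return "same_target_port"
    return None


def access_status(inc):
    """blocked / partial / compromised, derived from the firewall actions."""
    actions = {a["action"] for a in inc.alarms}
    if "accept" in actions and any(a["severity"] == "critical" for a in inc.alarms):
        return "compromised"
    return "partial" if "accept" in actions else "blocked"


def build_incidents(alarms, incidents=None):
    """One builder pass: attach each alarm to an ongoing incident or open a
    new one. A single critical alarm is always enough to open an incident."""
    incidents = [] if incidents is None else incidents
    for a in sorted(alarms, key=lambda x: x["ts"]):
        for inc in incidents:                      # expire idle incidents first
            if not inc.resolved and a["ts"] - inc.last_seen > IDLE_TIMEOUT:
                inc.resolved = True
        for inc in incidents:                      # "ongoing event" rule
            if match_rule(inc, a):
                inc.alarms.append(a)
                inc.last_seen = a["ts"]
                break
        else:
            rule = "single_critical" if a["severity"] == "critical" else "new_pattern"
            incidents.append(Incident(f'{a["pattern"]} - {a["src_ip"]}', rule, [a], a["ts"]))
    return incidents


T0 = datetime(2026, 5, 9, 12, 0)
# Constructed sample alarms (not real data): one day's raw alarm stream.
SAMPLE_ALARMS = [
    {"ts": T0, "src_ip": "203.0.113.45", "dst_port": 22, "severity": "high", "action": "deny", "pattern": "persistent_scan"},
    {"ts": T0 + timedelta(minutes=1), "src_ip": "203.0.113.46", "dst_port": 22, "severity": "medium", "action": "deny", "pattern": "port_scan"},
    {"ts": T0 + timedelta(minutes=2), "src_ip": "198.51.100.22", "dst_port": 22, "severity": "medium", "action": "deny", "pattern": "port_scan"},
    {"ts": T0 + timedelta(minutes=3), "src_ip": "192.0.2.9", "dst_port": 3389, "severity": "critical", "action": "accept", "pattern": "rdp_chain"},
    {"ts": T0 + timedelta(minutes=45), "src_ip": "203.0.113.45", "dst_port": 22, "severity": "high", "action": "deny", "pattern": "persistent_scan"},
]

if __name__ == "__main__":
    for inc in build_incidents(SAMPLE_ALARMS):
        state = "resolved" if inc.resolved else "open"
        print(f"{inc.title}: {len(inc.alarms)} alarms, {access_status(inc)}, {state}")
```

With the sample stream, the three scan alarms collapse into one incident (two by subnet, one by target port), the critical RDP alarm opens its own incident that is marked compromised because traffic was accepted, and the alarm arriving 45 minutes later opens a fresh incident because the earlier ones have gone idle.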
02 · Correlation Engine

20+ attack patterns, ready.

Looking at logs one by one is pointless. The correlation engine sees behavioral patterns across firewall, mail and Windows traffic: port scanning, SMTP brute force, password spray, after-hours access and more.

  • Scanning every 5 minutes: 60-minute window, 3000-log processing capacity
  • Multi-stage composition: 4 patterns from the same IP → single campaign alarm (A.I. verified)
  • FP from the panel: flag a false positive → A.I. feedback; smart filters for e-mail noise
  • Custom rule + profile: threshold multipliers per tenant profile (hotspot etc.); SQL correlation rules
  • Cooldown: same event not triggered again for 30 minutes — no alarm spam

Active Patterns · 20+ ready
  port_scan · persistent_scan · multi_stage_attack · brute_force_chain
  credential_stuffing · password_spray · auth_failed_burst · smtp_auth_brute
  protocol_sweep · inbound_spam_flood · outbound_spam_abuse · rdp_chain
  lateral_movement · after_hours_access · traffic_anomaly · impossible_travel

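One of the listed patterns worked through as an added example (my own code, not OxiSec's engine): a port_scan detector that counts distinct destination ports per source inside the 60-minute window and applies the 30-minute cooldown so the same event is not raised again. The log line format and the threshold of 10 distinct ports are my assumptions; the sample lines are constructed.

```python
"""Added example (not OxiSec's code): a port_scan correlation pattern with a
60-minute window and a 30-minute cooldown, run over sample firewall logs.

Assumptions not on the page: the log line format below and the threshold of
10 distinct destination ports are my own choices for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)
WINDOW = timedelta(minutes=60)         # correlation window from the page
COOLDOWN = timedelta(minutes=30)       # same event not re-raised within 30 min
PORT_SCAN_THRESHOLD = 10               # assumption: distinct ports per source


def parse(line):
    """Parse one constructed firewall line; returns None for unparsable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scan(lines, threshold=PORT_SCAN_THRESHOLD):
    """Raise a port_scan alarm when one source touches `threshold` distinct
    ports inside the window; suppress repeats during the cooldown."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    history = defaultdict(list)    # src -> [(ts, dport)] still inside the window
    last_fired = {}                # src -> time of the last alarm
    alarms = []
    for e in events:
        hist = [(t, p) for t, p in history[e["src"]] if e["ts"] - t <= WINDOW]
        hist.append((e["ts"], e["dport"]))
        history[e["src"]] = hist
        ports = {p for _, p in hist}
        if len(ports) < threshold:
            continue
        fired = last_fired.get(e["src"])
        if fired is not None and e["ts"] - fired <= COOLDOWN:
            continue                                    # cooldown: no alarm spam
        last_fired[e["src"]] = e["ts"]
        alarms.append({"pattern": "port_scan", "src_ip": e["src"],
                       "ports": len(ports), "ts": e["ts"].isoformat()})
    return alarms


def sample_lines():
    """Constructed log lines: one scanner sweeping 17 ports, one benign client."""
    scan = [f"2026-05-09T12:{i:02d}:00 src=203.0.113.45 dst=10.0.0.5 dport={20 + i} action=deny"
            for i in range(17)]
    later = ["2026-05-09T12:20:00 src=203.0.113.45 dst=10.0.0.5 dport=8080 action=deny",
             "2026-05-09T12:50:00 src=203.0.113.45 dst=10.0.0.5 dport=9090 action=deny"]
    benign = [f"2026-05-09T12:{i:02d}:30 src=198.51.100.7 dst=10.0.0.5 dport=443 action=accept"
              for i in range(5)]
    return scan + later + benign + ["garbage line the parser must skip"]


if __name__ == "__main__":
    for alarm in detect_port_scan(sample_lines()):
        print(alarm)
```

The scanner trips the threshold on its tenth port at 12:09; the next seven ports and the 12:20 hit fall inside the cooldown and are silently absorbed, and only the 12:50 hit, 41 minutes later, raises a second alarm. The benign client never reaches ten ports and stays quiet.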
03 · MITRE ATT&CK Mapping

Every event is a kill chain.

MITRE ATT&CK is the world's standard framework for classifying cyber attacks. Each incident is automatically tagged with the tactic and technique it corresponds to, and the tag goes into your report.

  • 12 patterns → MITRE mapping installed out of the box
  • 21 technique seeds: add new techniques easily
  • Automatically included in reports — can be used in audits

Port 6855 Attack · MITRE mapping
  Tactics: TA0001 Initial Access · TA0007 Discovery
  Techniques: T1190 Exploit Public-Facing Application · T1595 Active Scanning · T1046 Network Service Discovery
  Timeline:
    12:01:03  persistent_scan detection — 203.0.113.45
    12:01:47  multi_source triggered — 3 subnets
    12:03:12  Incident opened — INC-0075
    12:35:00  Auto-resolved — idle 30 min

04 · Device Support

Your firewall is already supported.

Supports the most common enterprise and SMB firewalls out of the box. Any device with syslog forwarding enabled can be listened to; custom parsers reach 99.9% parse success.

  • Automatic parser routing: detects the device type and directs it to the correct parser
  • 99.9% parse success in production environments
  • Adaptive parser: unknown format → learned → approval from the panel → promotion (e.g. pfSense slug)
  • Mail & Windows: Plesk, MailEnable, hMailServer, Windows AD/RDP event parsers

Supported devices out of the box
  FortiGate            99.9%
  MikroTik             99.9%
  WatchGuard           100%
  Sophos               ready
  MailEnable           ready
  hMail/Plesk          ready
  pfSense / OPNsense   learned → promotion

# MikroTik quick installation (RouterOS):
/system logging action add name=oxisec target=remote remote=oxisec.com remote-port=5514
# then route the topics you want forwarded to that action, e.g.:
/system logging add topics=firewall action=oxisec
05 · Security — 2FA

Two-step verification integrated.

A password alone is no longer enough. Google Authenticator, Microsoft Authenticator, Authy or 1Password: they all work. RFC 6238 standard.

  • Compatible with all authenticators (TOTP standard)
  • 10 recovery codes: log in with backup codes if your phone is lost
  • Brute force protection: 5 mistakes in 15 minutes → account locked
  • Audit log: every login attempt is recorded (IP, user-agent, time)

2FA Setup · ~2 minutes
  User: admin@acme-corp.example
  Secret (manual entry): JBSW Y3DP EHPK 3PXP
  2FA enabled — every login is protected

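The RFC 6238 verification and the 5-failures-in-15-minutes lockout, as an added example (my own code, not OxiSec's login module). It derives codes from the base32 secret shown above, accepts one time step of drift either side, locks the account after five bad codes, forgets failures older than 15 minutes, and records every attempt with IP and user-agent. The LoginGuard class, its field names and the demo scenario are my own constructions.

```python
"""Added example (not OxiSec's code): RFC 6238 TOTP verification with a
5-failures-in-15-minutes lockout and a per-attempt audit log.

The page's secret JBSW Y3DP EHPK 3PXP is used as the demo key; the
LoginGuard class and its field names are my own construction.
"""
import base64
import hashlib
import hmac
import struct
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def totp_from_key(key, for_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP over the time-step counter (RFC 4226 dynamic truncation)."""
    counter = int(for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, for_time, **kw):
    """Same, starting from the base32 secret the authenticator app was given."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    return totp_from_key(key, for_time, **kw)


def verify_totp(secret_b32, code, now_ts, window=1):
    """Accept the current step and +-`window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, now_ts + 30 * k), code)
               for k in range(-window, window + 1))


class LoginGuard:
    """Brute-force protection: 5 failed codes within 15 minutes lock the user."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15)):
        self.max_failures, self.window = max_failures, window
        self.failures = defaultdict(deque)   # user -> failure timestamps
        self.audit = []                       # every attempt, success or not

    def is_locked(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > self.window:   # forget failures older than 15 min
            q.popleft()
        return len(q) >= self.max_failures

    def attempt(self, user, secret_b32, code, now, ip, user_agent):
        if self.is_locked(user, now):
            result = "locked"
        elif verify_totp(secret_b32, code, now.timestamp()):
            result = "ok"
            self.failures[user].clear()
        else:
            self.failures[user].append(now)
            result = "fail"
        self.audit.append({"user": user, "ip": ip, "user_agent": user_agent,
                           "time": now.isoformat(), "result": result})
        return result


DEMO_SECRET = "JBSW Y3DP EHPK 3PXP"   # the secret shown on the page


def demo_lockout():
    """Constructed scenario: one good login, five bad codes, a lockout, and
    recovery after the 15-minute window. Returns (results, audit entries)."""
    t = datetime(2026, 5, 9, 8, 30, tzinfo=timezone.utc)
    guard = LoginGuard()
    ip, ua = "198.51.100.1", "demo-browser/1.0"
    results = [guard.attempt("admin", DEMO_SECRET, totp(DEMO_SECRET, t.timestamp()), t, ip, ua)]
    for i in range(5):                     # "abcdef" can never equal a numeric code
        results.append(guard.attempt("admin", DEMO_SECRET, "abcdef", t + timedelta(seconds=i), ip, ua))
    results.append(guard.attempt("admin", DEMO_SECRET, totp(DEMO_SECRET, t.timestamp()), t, ip, ua))
    later = t + timedelta(minutes=16)
    results.append(guard.attempt("admin", DEMO_SECRET, totp(DEMO_SECRET, later.timestamp()), later, ip, ua))
    return results, len(guard.audit)


if __name__ == "__main__":
    print(totp(DEMO_SECRET, datetime.now(timezone.utc).timestamp()))
    print(demo_lockout())
```

The seventh attempt in the scenario presents a correct code and is still refused, because lockout is checked before the code is verified; that ordering is what keeps a guessing loop from learning anything during the lockout. The RFC 6238 Appendix B vectors (SHA-1, 8 digits, secret `12345678901234567890`) can be used to check `totp_from_key` directly.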
06 · Multi-Tenant SaaS

Ready for MSSP and agencies.

One panel, multiple customers. Each customer sees only its own data; you manage all of them. Ideal for security service providers.

  • Tenant isolation: enforced at the DB level, data never mixes between tenants
  • Role-based access: superadmin / tenant_admin / analyst / viewer
  • Plan management: Different limits per tenant (log/month, retention etc.)
  • Tenant switch: instant switching from header, in the same session

Customers · 8 active tenants
  Anadolu Energy Solar Power Plant   12,680 log/s
  Anadolu Energy RES                 20,232 log/s
  Bosphorus Hotel                     1,368 log/s
  Lale Resort                           271 log/s
  Egemen Tur                            240 log/s

07 · Compliance

KVKK and ISO 27001 friendly.

If the auditors ask for something, we are already ready: log retention periods, hash signatures, user action logs and access controls are all standard.

  • Law 5651 compliant log retention: up to 2 years, hash signed, audit ready
  • Audit log: every user action is recorded (IP, time, detail)
  • Monthly automatic report: MTTR, number of events, compliance check list
  • Data privacy: data remains on-prem, even A.I. is local (Ollama)

Compliance frameworks checklist
  KVKK — Türkiye
  ISO 27001 — International
  5651 — Log retention
  GDPR — EU
  ✓ ISO 27001 A.12.4 Event Logging: "For systems, log records of user activities and security events must be kept" — Ready.

09 · NEW — Hunt A.I. Assistant

Ask in Turkish, A.I. will answer.

The hardest part of SIEM is writing the right filter. Our A.I. assistant converts the question you ask in natural language into a SIEM filter. Conversation memory: it remembers the previous question.

  • Conversation memory: “SSH attempts from Russia” → “The most aggressive of these?” — remembers the context
  • Evidence logs: it doesn't just say "I applied that filter"; it shows 3 example logs and explains what they point to
  • Quick actions: side-by-side "🔬 Search" / "🚫 Blacklist" / "✅ Allowlist" buttons in the IP response
  • Isolated A.I. engine: Hunt A.I. runs on a separate Ollama instance — the assistant is fast even when the pipeline is busy

💬 Hunt A.I. Chat · last 3 messages
  You: Are there any failed SSH attempts from Russia?
  🤖 A.I.: Yes, 247 attempts found. Filter: src_country=RU + dst_port=22 + action=deny
    [🔬 Search most active IP] [🚫 Blacklist them all]
  You: Blacklist the most active one (remembers previous context)

10 · NEW — Investigation Mode

7-step automatic investigation.

Investigating an IP takes 10+ minutes in a normal SIEM. Our Investigation Mode runs 7 parallel queries with one click, and the A.I. produces a verdict: is it allowlisted? Is there threat intel on it? Which tenants did it attack? Where is it located?

  • 7 parallel steps: allowlist, alarm history, traffic status, affected tenants, behavior pattern, threat intel, geographic
  • A.I. verdict: benign | suspicious | malicious | unknown — confidence score + concrete recommendations
  • For both IP and user: "What does this IP do?" or "Is this user suspicious?"

🔬 IP Investigation · 203.0.113.45 · 3.2s
  Allowlist check: not on the list
  🚨 Alarm history (7d): 12 alarms (max: critical)
  ⚠️ Traffic (24h): 247 blocked, 0 accepted
  📡 Affected tenants: Anadolu Energy, Bosphorus
  🔴 Threat intel: AbuseIPDB 87/100
  🌍 Geography: Netherlands, DigitalOcean
  Verdict: MALICIOUS (95% confidence)
  → Blacklist immediately; the relevant firewall rule will be triggered

11 · NEW — e-mail Security Analytics

Who is sending to whom — instant view.

Critical for hosting and Windows mail servers: monitor Plesk/Postfix, hMailServer and MailEnable traffic visually. Banner sweeps, SMTP brute force and account compromise indicators are all detected automatically. Know about outbound spam before it starts.

  • Sender → Domain flow: Which address sends e-mail to which domain — weighted visual bar
  • Multi-IP warning: Compromise indicator if the same user sends from 3+ different IPs 🚨
  • Banner sweep detection: Captures SMTP discovery attacks of botnets in real time
  • Live feed: the last 30 mail movements as a pulse-animated flow with a LIVE badge
  • hMail AWStats: Summary traffic log (sender/recipient/SMTP code) — for high volume mail environments

📧 Mail Traffic ● LIVE
  Sender                   Domain                Mail
  info@firma.example       @gmail.com            247
  sales@firma.example      @outlook.com          142
  admin@firma.example 🚨   @unknown-domain.xyz   1.2K
  🚨 admin@ account sending from 3 different IPs — suspected compromise

12 · NEW — Forensic Bundles

Archive as court evidence.

When an incident is closed, all logs, alarms and the timeline belonging to it are archived in a single signed file. HMAC-SHA256 signature: any change is immediately obvious. It can be presented as evidence when a court requests it.

  • HMAC-SHA256 signature: data integrity guaranteed; any alteration is detected
  • Automatic bundle: Automatically generated when each incident closes — no manual work
  • 5651 + KVKK compliant: legal retention period (2 years) supported
  • e-mail logs included: e-mail communication logs are also signed and archived for Plesk customers.

📦 Bundle #4892 · 2.4 MB · Signed
  Incident: Distributed SSH Attack
  Duration: 14:23 → 15:47 (1h 24min)
  Attacker: 12 different IPs, 1547 attempts
  Target: Anadolu Energy firewall
  Contents:
    ✓ 1547 log records (CSV)
    ✓ 23 alarms + A.I. summaries (JSON)
    ✓ Timeline graphic (PNG)
    ✓ MITRE TTP map
  🔒 HMAC-SHA256: a8f3c9d2...e7b4f1a9
  ✓ Verified — integrity preserved

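How a signed bundle catches tampering, as an added example (my own code, not OxiSec's bundle format): every file in the bundle directory is hashed with SHA-256 into a manifest, the manifest is signed with HMAC-SHA256, and verification recomputes both so that a changed file, a missing or extra file, an altered manifest or the wrong key each produce a distinct failure. The manifest layout, file names, key and sample contents are my own constructions.

```python
"""Added example (not OxiSec's code): HMAC-SHA256 signed forensic bundle.

Assumptions not on the page: the manifest/signature file names, the manifest
layout and the demo key are my own; the sample evidence files are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST, SIGNATURE = "manifest.json", "manifest.sig"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def canonical(manifest):
    """Deterministic bytes: the same manifest always signs identically."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_bundle(bundle_dir, key, incident):
    """Hash every evidence file into a manifest and HMAC-sign the manifest."""
    bundle_dir = Path(bundle_dir)
    names = sorted(p.name for p in bundle_dir.iterdir() if p.name not in (MANIFEST, SIGNATURE))
    manifest = {"incident": incident, "files": {n: sha256_file(bundle_dir / n) for n in names}}
    raw = canonical(manifest)
    signature = hmac.new(key, raw, hashlib.sha256).hexdigest()
    (bundle_dir / MANIFEST).write_bytes(raw)
    (bundle_dir / SIGNATURE).write_text(signature)
    return signature


def verify_bundle(bundle_dir, key):
    """Return (ok, reason). The signature is checked over the raw manifest
    bytes first, then every listed file is re-hashed."""
    bundle_dir = Path(bundle_dir)
    raw = (bundle_dir / MANIFEST).read_bytes()
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    stored = (bundle_dir / SIGNATURE).read_text().strip()
    if not hmac.compare_digest(expected, stored):
        return False, "signature mismatch: manifest altered or wrong key"
    manifest = json.loads(raw)
    for name, digest in manifest["files"].items():
        path = bundle_dir / name
        if not path.exists():
            return False, f"missing file: {name}"
        if sha256_file(path) != digest:
            return False, f"hash mismatch: {name}"
    extra = {p.name for p in bundle_dir.iterdir()} - set(manifest["files"]) - {MANIFEST, SIGNATURE}
    if extra:
        return False, f"unlisted files: {sorted(extra)}"
    return True, "verified: integrity preserved"


def demo():
    """Constructed bundle: sign it, verify it, then tamper with the CSV and
    verify again with the right key and with a wrong key."""
    key = b"constructed-demo-key-not-a-real-secret"
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / "logs.csv").write_text("ts,src_ip,dst_port,action\n2026-05-09T14:23:00,203.0.113.45,22,deny\n")
        (d / "alarms.json").write_text(json.dumps([{"pattern": "brute_force_chain", "severity": "critical"}]))
        sign_bundle(d, key, {"id": "INC-EXAMPLE-0001", "title": "Distributed SSH Attack"})
        clean = verify_bundle(d, key)
        (d / "logs.csv").write_text("ts,src_ip,dst_port,action\n")   # simulate evidence rows being removed
        tampered = verify_bundle(d, key)
        wrong_key = verify_bundle(d, b"some-other-key")
    return clean, tampered, wrong_key


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Signing the manifest rather than each file separately is what makes a deleted or added file detectable: the file list itself is under the signature. Verifying the stored manifest bytes (not a re-serialized copy) avoids false mismatches from serializer differences.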
13 · NEW — Auto-Mode A.I.

Self-tuning SIEM.

When Auto-Mode is activated, the system automatically installs a pack of 56 ready rules chosen by your device type. When an alarm is triggered, the A.I. decides whether it is a false positive and filters out unnecessary notifications.

  • Device type automatic: Plesk → 25 rules, FortiGate/Sophos → 30, MikroTik → 23, Keenetic → 13
  • Dynamic threshold: A.I. learns "normal" traffic for each tenant, updates thresholds
  • FP filter: the alarm is suppressed if the A.I. rates it 60+% likely to be a false positive; no unnecessary messages
  • One-click on/off: Separate toggle for each device from the devices page

⚡ Auto-Mode Status · 3 devices · 12 tenants
  Anadolu Energy firewall   🤖 Auto ✓ · 25 rules
  Lale Resort Plesk         🤖 Auto ✓ · 25 rules
  Bosphorus MikroTik        🤖 Auto ✓ · 23 rules
  📊 Last 24 hours:
    1,247 alarms produced
    389 alarms (31%) filtered as FP by A.I.
    → Only the meaningful ones are shown to you

14 · NEW — Webhook and Automation

Slack, Teams, n8n, your own SOAR.

When a critical alarm is triggered, it sends an HTTP POST to any system you want. Send it to a Slack/Teams channel, open a Jira ticket, push a command to the firewall API, trigger a backup. HMAC signed, with retry logic.

  • 7 event types: alert.created, alert.critical, incident.created/resolved, auto_mode.blocked_ip, correlation.detected
  • HMAC-SHA256 signature: the receiver can detect forged requests; payload integrity guaranteed
  • Automatic retry: 1s → 5s → 30s exponential backoff — no loss on a temporary network failure
  • Test delivery + delivery log: no "did it arrive or not?" questions; every attempt is in the audit log
🪝 Webhook Payload · signed
POST https://hooks.slack.com/...
X-OxiSec-Signature: sha256=a8f3...
Content-Type: application/json

{
  "event": "alert.critical",
  "timestamp": "2026-05-09T08:30:00Z",
  "tenant_id": 11,
  "data": {
    "title": "SSH Brute Force",
    "severity": "critical",
    "source_ip": "203.0.113.45",
    "tenant_name": "Anadolu Energy"
  }
}
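The signed delivery and retry behaviour above, as an added example (my own code, not OxiSec's webhook sender): the body is serialized once and those exact bytes are signed into the `X-OxiSec-Signature: sha256=...` header, the receiving side verifies with a constant-time comparison, and delivery retries on network errors or 5xx with the 1s → 5s → 30s schedule while recording every attempt. The shared secret, the fake endpoint and the injected sleep are constructed for the demo.

```python
"""Added example (not OxiSec's code): signing a webhook payload with
HMAC-SHA256, verifying it on the receiving side, and delivering it with the
1s -> 5s -> 30s retry schedule plus a delivery log.

Assumptions not on the page: the signature covers the exact request body
bytes, and the shared secret and fake endpoint below are constructed.
"""
import hashlib
import hmac
import json
import time

RETRY_DELAYS = (1, 5, 30)   # seconds between attempts, from the page


def sign_body(secret, body):
    """Header value in the page's format: sha256=<hex HMAC of the body>."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_request(secret, event):
    """Serialize once and sign those exact bytes; the receiver must verify
    the raw body, not a re-serialized copy."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    headers = {"Content-Type": "application/json",
               "X-OxiSec-Signature": sign_body(secret, body)}
    return headers, body


def verify_signature(secret, headers, body):
    """Receiver side: constant-time comparison, so forged or altered
    payloads are rejected without leaking timing information."""
    given = headers.get("X-OxiSec-Signature", "")
    return hmac.compare_digest(sign_body(secret, body), given)


def deliver(send, headers, body, delays=RETRY_DELAYS, sleep=time.sleep):
    """send(headers, body) returns an HTTP status or raises OSError.
    Retries on network errors and 5xx with the backoff schedule; 2xx and
    4xx end the attempt. Returns the delivery log for the audit trail."""
    log = []
    for attempt, delay in enumerate((*delays, None), start=1):
        try:
            status, error = send(headers, body), None
        except OSError as exc:
            status, error = None, str(exc)
        log.append({"attempt": attempt, "status": status, "error": error})
        if status is not None and status < 500:
            break                       # delivered (2xx) or permanently rejected (4xx)
        if delay is None:
            break                       # retries exhausted; the failure stays in the log
        sleep(delay)
    return log


def demo():
    """Constructed scenario: the endpoint drops two connections, then accepts."""
    secret = b"constructed-webhook-secret"
    event = {"event": "alert.critical", "timestamp": "2026-05-09T08:30:00Z", "tenant_id": 11,
             "data": {"title": "SSH Brute Force", "severity": "critical",
                      "source_ip": "203.0.113.45", "tenant_name": "Anadolu Energy"}}
    headers, body = build_request(secret, event)
    calls = {"n": 0}

    def flaky_endpoint(h, b):
        calls["n"] += 1
        if calls["n"] < 3:
            raise ConnectionError("connection reset")   # transient network failure
        return 200 if verify_signature(secret, h, b) else 401

    slept = []   # records the backoff delays instead of actually sleeping
    log = deliver(flaky_endpoint, headers, body, sleep=slept.append)
    altered = verify_signature(secret, headers, body.replace(b'"critical"', b'"low"'))
    return log, slept, altered


if __name__ == "__main__":
    print(demo())
```

The log shows two failed attempts and a success on the third, with 1 s and 5 s waited between them; a body whose severity was edited in transit fails verification because the signature no longer matches.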
15 · v6 Platform

Live dashboard and SOC stream.

Live alert banner via SSE, MITRE heatmap, world map and customizable widgets on the main panel. Rule density statistics and close-as-FP on the correlation page.

  • SOC Inbox — rule + correlation alarms; Close / FP buttons
  • Live alarm stream — real-time update on dashboard and SOC
  • MITRE heatmap — tactic/technique density at a glance
  • Rules wizard + backtest — preset, dry-run, correlation backtesting
  • Public A.I. reports · Live attack map

Dashboard v6 ● LIVE
  🔴 3 new criticals · last 60 sec
  🗺 World map · source country
  📊 MITRE heat map · TA0043 intense

16 · NEW — Case & Entity Analysis

From incident to case, from IP to full timeline.

In a SOC, the job is not over just because the incident is closed. The Cases module maintains SLA, assignment and audit trail. Entity Timeline combines log, alarm and correlation data for a single IP or user.

  • Case life cycle — open → investigating → resolved → closed; SLA violation alert
  • Forensic bundle automatically connects to the closed case
  • Entity Timeline — the last 7 days for 203.0.113.45: log + alert + MITRE on one screen

CASE-2026-0042 · SLA 4h
  👤 Assigned: Ayşe K. · Priority: High
  🔗 3 incidents · 12 alarms linked
  📎 Forensic bundle ready · signed

17 · NEW — Sigma, API & Runbook

Import community rules, connect automation outward.

Sigma YAML turns into an OxiSec rule in seconds. Read alarms and run Hunt queries via the REST API. The runbook catalog offers ready-made SOAR templates: step-by-step response flows, distinct from webhooks.

  • Sigma Import — Load YAML, simulate, save (Starter+)
  • REST API — alerts:read, hunt:query scoped keys (Business+)
  • Runbook catalog — MikroTik block, notification, escalation templates

Sigma → OxiSec import
  title: SSH Brute Force
  logsource:
    product: linux
  detection:
    condition: selection
  → OxiSec Connection Rule ✓

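What a Sigma import has to do with the detection block, as an added example (my own code, not OxiSec's importer): the rule's selections become predicates over an event, the condition is parsed with Sigma's precedence (not, then and, then or), and the compiled rule is simulated against sample events before saving. The rule is a constructed Sigma document assumed already loaded from YAML into a dict; only the equals/contains/startswith/endswith modifiers and and/or/not conditions are handled.

```python
"""Added example (not OxiSec's code): turning a Sigma rule's detection block
into a matching predicate and simulating it against sample events.

Assumptions not on the page: the rule below is a constructed Sigma document
already loaded from YAML into a dict (e.g. with PyYAML), and only the
equals/contains/startswith/endswith modifiers and and/or/not conditions are
supported.
"""
import re

SIGMA_RULE = {
    "title": "SSH Brute Force",
    "logsource": {"product": "linux", "service": "sshd"},
    "detection": {
        "selection": {"EventType": "auth_failed", "Service|contains": "ssh"},
        "filter": {"SourceIp|startswith": ["10.", "192.168."]},   # internal ranges
        "condition": "selection and not filter",
    },
    "level": "high",
}

MODIFIERS = {
    "equals": lambda actual, v: actual == v,
    "contains": lambda actual, v: v in actual,
    "startswith": str.startswith,
    "endswith": str.endswith,
}


def selection_predicate(sel):
    """A map is AND over fields (a list value is OR over values);
    a list of maps is OR over the maps."""
    if isinstance(sel, list):
        preds = [selection_predicate(s) for s in sel]
        return lambda ev: any(p(ev) for p in preds)
    checks = []
    for spec, value in sel.items():
        field, _, mod = spec.partition("|")
        vals = value if isinstance(value, list) else [value]
        checks.append((field, MODIFIERS[mod or "equals"], [str(v) for v in vals]))

    def pred(ev):
        return all(any(op(str(ev.get(field, "")), v) for v in vals)
                   for field, op, vals in checks)
    return pred


class _Condition:
    """Recursive-descent parser for Sigma conditions (not > and > or)."""

    def __init__(self, text, names):
        self.tokens = re.findall(r"\(|\)|\w+", text)
        self.names, self.i = names, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "or":
            self.take()
            l, r = left, self.and_expr()
            left = lambda ev, l=l, r=r: l(ev) or r(ev)
        return left

    def and_expr(self):
        left = self.term()
        while self.peek() == "and":
            self.take()
            l, r = left, self.term()
            left = lambda ev, l=l, r=r: l(ev) and r(ev)
        return left

    def term(self):
        tok = self.take()
        if tok == "not":
            inner = self.term()
            return lambda ev: not inner(ev)
        if tok == "(":
            inner = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok in self.names:
            return self.names[tok]
        raise ValueError(f"unsupported condition token {tok!r}")


def compile_rule(rule):
    det = rule["detection"]
    names = {k: selection_predicate(v) for k, v in det.items() if k != "condition"}
    return {"title": rule["title"], "severity": rule.get("level", "medium"),
            "logsource": rule.get("logsource", {}),
            "match": _Condition(det["condition"], names).parse()}


def simulate(rule, events):
    """Dry run: indexes of the events the compiled rule would alert on."""
    compiled = compile_rule(rule)
    return [i for i, ev in enumerate(events) if compiled["match"](ev)]


SAMPLE_EVENTS = [   # constructed events, not real logs
    {"EventType": "auth_failed", "Service": "sshd", "SourceIp": "203.0.113.45"},
    {"EventType": "auth_failed", "Service": "sshd", "SourceIp": "10.0.0.8"},
    {"EventType": "auth_ok", "Service": "sshd", "SourceIp": "203.0.113.45"},
]

if __name__ == "__main__":
    print(compile_rule(SIGMA_RULE)["title"], "->", simulate(SIGMA_RULE, SAMPLE_EVENTS))
```

Only the external failed login matches: the internal source is removed by `not filter`, and the successful login fails the selection. Unsupported modifiers or condition keywords raise rather than silently compiling to a rule that matches nothing.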
18 · NEW — SNMP & Multi-Site

Network health and branch-level visibility.

Not just logs: CPU, memory and port status from switches and routers. For MSSPs and multi-branch organisations, Tenant Sites group Frankfurt, Virginia and Istanbul separately; the attack map automatically reflects the protected areas.

  • SNMP polling — CPU, uptime, interface up/down
  • device_offline pattern — automatic alarm when log is interrupted
  • Tenant branches — device location + branch code; MSSP customer separation

Branches · 3 sites
  🇹🇷 TR-Center · 8 devices
  🇩🇪 DE-FRA · 3 devices
  🇺🇸 US-VIR · 2 devices · SNMP OK

19 · Adaptive Parser

Learn an unknown log format, promote it.

No separate syslog port is needed. Unrecognized logs accumulate in the learned phase; once approved from the panel, the rules become active. Once stable, the format is promoted to an official device type (e.g. pfsense).

  • Phase A: A.I. learning + panel metrics + approval
  • Phase B: slug upgrade + device registration — the parser loads into the engine in ~2 min
  • Approved/promoted rules keep working even when learning is off (bootstrap)

learned → pfsense promotion
  1. Generic parse
  2. A.I. tail (5+ logs)
  3. Rule learned
  4. Panel approval + promotion
  5. Appears in the device type list

All these features, get started for free.

No credit card required. Setup in 15 minutes, see first report the same day.

Open a Free Account · See Plans