Integrations

Everything we support today.

Vendor matrix · ports it needs · parser quality · roadmap. Reference list for firewall/ACL opening — share this page with your IT manager.

→ Inbound to the Agent

| Port | Proto | Source | Purpose |
| --- | --- | --- | --- |
| 514 | UDP | Devices | Syslog (production) |
| 5514 | UDP | Devices | Syslog (dev / non-priv) |
| 162 | UDP | Devices | SNMP trap |

→ Outbound from the Agent

| Destination | Port | Proto | Purpose |
| --- | --- | --- | --- |
| Backend | 3001 | HTTPS | /ingest, /agent/devices |
| DCs | 5985/86 | WinRM | Remote AD Event Log |
| vCenter | 443 | HTTPS | vSphere REST |
| SQL Server | 1433 | TDS | SQL audit pull |
| SNMP devices | 161 | UDP | SNMP poll |
| graph.microsoft.com | 443 | HTTPS | M365 Graph API |
| Public DNS | 53 | UDP | MX/SPF/DKIM/DMARC lookups |

→ Inbound to the Backend

| Port | Proto | Source | Purpose |
| --- | --- | --- | --- |
| 3001 | HTTPS | Agent + Web | REST API |
| 3000 | HTTPS | User | Web console (TLS reverse proxy recommended) |

→ Outbound from the Backend (optional)

| Destination | Port | Purpose | Required |
| --- | --- | --- | --- |
| Threat Intel | 443 | Tor / FireHOL / Spamhaus | Optional · hourly |
| Anthropic API | 443 | AI advisor (incident explanation) | Optional · on-demand |
| SMTP / M365 Graph | 587/443 | Email alerts | If enabled |
| Fortigate REST | 443 | SOAR — IP block (LAN internal) | If SOAR enabled |
| Web Push (FCM/Mozilla) | 443 | Browser push | If push enabled |
| License server | 443 | Heartbeat (v2) | NO (v1 local validate) |

In air-gap deployments all outbound can be closed. Threat intel, AI and push become disabled; core monitoring, alerting and SOAR (against on-LAN firewalls) keep running.

Network · firewall · router · switch

| Vendor | Transport | Quality | Notes |
| --- | --- | --- | --- |
| Fortinet FortiGate | syslog kvp + REST | HIGH | Traffic, IPS, AV, login, SD-WAN. SOAR active. |
| Sophos XG / SG | syslog (device="SFW") | HIGH | Firewall, IDP, AV, web/app filter, VPN |
| Mikrotik RouterOS | syslog topics | MEDIUM | Login, firewall, DHCP, IPSec/VPN |
| Cisco IOS | syslog %F-N-MNEMONIC | HIGH | ACL deny, login, lockout, link/lineproto |
| Generic CEF | syslog CEF | MEDIUM | Vendor-agnostic CEF parser |
| Generic syslog | raw | LOW | Keyword fallback (denied/blocked/exploit) |

Identity

| Vendor | Transport | Quality | Notes |
| --- | --- | --- | --- |
| Microsoft AD (on-prem) | WinRM + Event Log | HIGH | 4624/4625/4720/4728/4768 · privileged user · baselines |
| Microsoft 365 / Entra ID | Graph API (app-only) | HIGH | Sign-in logs, audit, security alerts, Defender |

Server + virtualization

| Vendor | Transport | Quality |
| --- | --- | --- |
| Microsoft Windows Server | WinRM/WMI Event Log | MED-HIGH |
| Microsoft SQL Server | Direct SQL (TDS) | MEDIUM |
| VMware vSphere / vCenter | vSphere REST API | MEDIUM |
| HP iLO | SNMP poll | MEDIUM |

Storage / endpoint

| Vendor | Quality | Notes |
| --- | --- | --- |
| QNAP / Synology NAS | LOW | TCP probe (live/offline) · enriched by syslog forwarding |
| Hikvision NVR | LOW | TCP probe |
| Generic AV/EDR (syslog) | LOW | "malware/virus/trojan" → MALWARE_DETECT |

Cloud surface

| Source | Transport | Notes |
| --- | --- | --- |
| Public website | HTTPS + DNS | SSL expiry, redirect, response time |
| Mail provider DNS | DNS MX/SPF/DKIM/DMARC | SPF/DKIM/DMARC presence + alignment |
| Microsoft 365 / Entra ID | Graph API (app-only) | Tenant probe, Intune/Entra device sync (max 1000) |

Discovery probes (pre-credential)

| Endpoint | Input | Output |
| --- | --- | --- |
| /discovery/mx-lookup | domain | MX → mail provider (M365 / Workspace / Yandex / Zoho / on-prem) |
| /discovery/website-lookup | domain | A record + TLS certificate + hosting hint (CF / AWS / Azure / GCP) |
| /discovery/m365/probe | tenant_id + app cred | Tenant validate, permission matrix |
| /discovery/m365/devices | tenant_device_id | Intune/Entra device inventory dump (≤ 1000) |

Used in the onboarding wizard — the moment the customer enters their domain, the mail and web surface are discovered without exposing credentials, so the demo populates. Nothing sensitive is sent; only public DNS and certificate hashes.

Threat intelligence

| Source | Refresh | Use |
| --- | --- | --- |
| Tor exit nodes | 1 hour | Outbound/inbound IP match → KNOWN_BAD_IP |
| FireHOL Level 1 | 1 hour | Aggressive blocklist |
| Spamhaus DROP | 1 hour | Bulk netblocks (CIDR) |
| USOM / TR-CERT | 6 hours | Türkiye national IP/URL blocklist |
| Abuse.ch FeodoTracker | 6 hours | Active botnet C2: Emotet, Dridex, TrickBot, QakBot, IcedID |

Five public OSINT sources, refreshed with an atomic swap each round: if one fetch fails, the IP/CIDR entries from the other sources stay live. The new Settings → Threat Intelligence page shows IP/CIDR counts per source, last sync, and a "Refresh now" button (admin role).

Active response (SOAR)

| Action | Vendor | Scope |
| --- | --- | --- |
| Block public IP at firewall | Fortinet FortiGate (REST API → address group) | Public non-RFC1918 IP |
| Quarantine internal IP | Fortinet FortiGate (REST API → address group) | Private IP (10.x, 172.16.x, 192.168.x) |

"Block IP" stops the attacker at the outer perimeter; "Quarantine" isolates a compromised internal device from the network. Both run via the same address-group manipulation; only the target IP validation and the action_scope field differ. The audit log and soar_actions are append-only; actions auto-expire after 60 minutes by default.

Notification channels

When the correlation engine produces a composite event, ShamashAi pushes a message to the configured channels in parallel. Three channels are on by default; each can have its own severity filter (e.g. WhatsApp only on critical, email high and above, browser push everything).

| Channel | Transport | Target | Notes |
| --- | --- | --- | --- |
| Mail (SMTP) | SMTP / SMTPS · STARTTLS | IT manager · CISO · distribution list | HTML + plain text. Event detail, MITRE chip, "investigate" CTA. Per-rule severity threshold. |
| Mail-enabled alert (Microsoft 365) | Graph API · sendMail | Tenant mailbox | For when SMTP relay is unavailable. App-only auth, send quota tenant-bound. |
| Browser push (Web Push) | VAPID · Service Worker | IT manager's browser | Works even without PWA install. Only after subscription. Severity ≥ low. |
| WhatsApp (Meta Cloud API) | WhatsApp Business · template message | On-call mobile number | Approved template (TR/EN). Only on critical + manual "escalate" actions. The one channel built for waking up the on-call at 03:00. |
| Webhook (generic) | HTTPS POST · JSON | Slack · Teams · custom | HMAC-signed, retry queue, dead-letter queue. |

All channels are toggled on/off from the notifications page. For each channel you can define who gets what (severity + module + site filter), quiet hours (off-hours suppression), and rate-limit (e.g. 1 WhatsApp per minute). Audit log writes a NOTIFICATION_SENT row for every send.

Compliance pack

| Framework | Controls evidenced |
| --- | --- |
| ISO/IEC 27001:2022 Annex A | 19 controls (A.5.7, A.5.10, A.5.24-26, A.5.28, A.6.3, A.8.2, A.8.5, A.8.7-10, A.8.12, A.8.15-17, A.8.20, A.8.23) |
| KVKK Article 12 | 6 sub-articles (preventing unauthorized access, log retention, retention policy, pen-test evidence, breach notification, audit) |

| Event type | Trigger condition |
| --- | --- |
| BRUTE_FORCE_DETECTED | 5+ AUTH_FAIL same user/IP within 5 minutes |
| ALERT_RULE_FIRED | User-defined alert rule threshold exceeded |
| BEHAVIORAL_ANOMALY | Login deviates from learned baseline (hour/day/IP/country/device) |
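Added example (not ShamashAi's correlation engine) of the BRUTE_FORCE_DETECTED trigger as a sliding window: 5+ AUTH_FAIL for the same user/IP pair within 5 minutes raises one composite, and the window is cleared after firing so a sustained burst yields one alert per five failures rather than one per extra failure. The event field names (ts, type, user, src_ip) and the constructed sample are this example's assumptions; threshold and window come from the table.

```python
"""Sliding-window brute-force correlation over canonical auth events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # "5+ AUTH_FAIL"
WINDOW = timedelta(minutes=5)    # "within 5 minutes"


def detect_brute_force(events):
    """Return BRUTE_FORCE_DETECTED composites; events must be in time order.

    Keyed on (user, src_ip) so the same user from two IPs, or two users from
    one IP, are tracked separately, matching the "same user/IP" condition.
    """
    windows = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for ev in events:
        if ev["type"] != "AUTH_FAIL":
            continue  # successes and other event types never count toward the window
        key = (ev["user"].lower(), ev["src_ip"])
        ts = ev["ts"]
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()  # drop failures that fell out of the 5-minute window
        if len(q) >= THRESHOLD:
            alerts.append({"type": "BRUTE_FORCE_DETECTED", "user": key[0],
                           "src_ip": key[1], "count": len(q),
                           "first_seen": q[0], "last_seen": ts})
            q.clear()  # one composite per burst, not one per additional failure
    return alerts


def _t(minute, second=0):
    return datetime(2026, 5, 1, 9, minute, second)


# Constructed sample: a 40-second burst against "admin", a slow trickle
# (one failure every 10 minutes) against a service account, and an
# unrelated success that must be ignored. Only the burst should fire.
SAMPLE = sorted(
    [{"ts": _t(0, 10 * i), "type": "AUTH_FAIL", "user": "admin", "src_ip": "198.51.100.7"} for i in range(5)]
    + [{"ts": _t(2), "type": "AUTH_OK", "user": "admin", "src_ip": "198.51.100.7"}]
    + [{"ts": _t(10 * i), "type": "AUTH_FAIL", "user": "svc_backup", "src_ip": "203.0.113.4"} for i in range(5)],
    key=lambda e: e["ts"],
)
```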

Shipping 2026-05 release

  • WhatsApp critical-alert channel (Meta Cloud API)
  • AI parser suggestion (unknown-vendor logs)
  • AI summary language switch (Turkish default)
  • MITRE ATT&CK chips (event & alert rule)
  • Abuse.ch FeodoTracker threat feed
  • Synthetic demo dataset (30-second live network)
  • Public API reference + IT manager guide

v1.5 · 3–4 months

  • Palo Alto PAN-OS
  • Aruba ArubaOS-Switch
  • Ubiquiti UniFi
  • Cisco ASA
  • Veeam Backup
  • Acronis
  • Sophos Endpoint
  • Hyper-V (WMI)
  • Linux rsyslog journal
  • 5651 legal archive (S3/MinIO)
  • AI parser suggestion broad-scenario testing

v2.0 · 6–9 months

  • Cisco Meraki cloud
  • FortiCloud, FortiAP, FortiSwitch
  • Sophos Central
  • Aruba Central
  • Okta · Google Workspace · JumpCloud
  • CrowdStrike Falcon
  • SentinelOne
  • Microsoft Defender ATP
  • AWS GuardDuty
  • Azure Sentinel webhook
  • Cloudflare WAF
  • SAML SSO (OIDC ships today)
  • Multi-region HA

v3.0 · 12+ months

  • Mobile native app
  • Community parser marketplace
  • SOAR-lite (Sophos, Mikrotik, Cisco)
  • Vulnerability scanner ingest (Tenable/Qualys)
  • CMDB sync (Lansweeper, ServiceNow)
  • OT/SCADA (Modbus, BACnet)
  • Medical (PACS, HL7)
  • POS / payment terminals

Designed to run fully offline. The following components do not reach the internet:

  • Geo enrichment — MaxMind GeoLite2 embedded DB
  • License validation — Ed25519-signed JWT, public key embedded
  • Canonical schema — built-in
  • Rule engine — local DB
  • Compliance checks — built-in catalog

Features that go dark when internet access is closed:

  • Threat intel feeds (manual CSV import alternative exists)
  • AI advisor (Anthropic API)
  • Web Push notifications (FCM/Mozilla)
  • License heartbeat (v2 — not in production yet)
  • Email (if SMTP/M365 lives outside)

Air-gap mode is tailored for public sector, defence, and regulators. License is list price + 40% premium.

Your vendor isn't on the list?

Custom connectors ship under the pilot SOW. 1–3 days for syslog/REST, 1 week for SDK-only integrations. One click to get in touch.