Network · firewall · router · switch
| Vendor | Transport | Quality | Notes |
|---|---|---|---|
| Fortinet FortiGate | syslog kvp + REST | HIGH | Traffic, IPS, AV, login, SD-WAN. SOAR active. |
| Sophos XG / SG | syslog (device="SFW") | HIGH | Firewall, IDP, AV, web/app filter, VPN |
| Mikrotik RouterOS | syslog topics | MEDIUM | Login, firewall, DHCP, IPSec/VPN |
| Cisco IOS | syslog %F-N-MNEMONIC | HIGH | ACL deny, login, lockout, link/lineproto |
| Generic CEF | syslog CEF | MEDIUM | Vendor-agnostic CEF parser |
| Generic syslog | raw | LOW | Keyword fallback (denied/blocked/exploit) |
Identity
| Vendor | Transport | Quality | Notes |
|---|---|---|---|
| Microsoft AD (on-prem) | WinRM + Event Log | HIGH | 4624/4625/4720/4728/4768 · privileged user · baselines |
| Microsoft 365 / Entra ID | Graph API (app-only) | HIGH | Sign-in logs, audit, security alerts, Defender |
Server + virtualization
| Vendor | Transport | Quality |
|---|---|---|
| Microsoft Windows Server | WinRM/WMI Event Log | MED-HIGH |
| Microsoft SQL Server | Direct SQL (TDS) | MEDIUM |
| VMware vSphere / vCenter | vSphere REST API | MEDIUM |
| HP iLO | SNMP poll | MEDIUM |
Storage / endpoint
| Vendor | Quality | Notes |
|---|---|---|
| QNAP / Synology NAS | LOW | TCP probe (live/offline) · enriched by syslog forwarding |
| Hikvision NVR | LOW | TCP probe |
| Generic AV/EDR (syslog) | LOW | "malware/virus/trojan" → MALWARE_DETECT |
Cloud surface
| Source | Transport | Notes |
|---|---|---|
| Public website | HTTPS + DNS | SSL expiry, redirect, response time |
| Mail provider DNS | DNS MX/SPF/DKIM/DMARC | SPF/DKIM/DMARC presence + alignment |
| Microsoft 365 / Entra ID | Graph API (app-only) | Tenant probe, Intune/Entra device sync (max 1000) |
Discovery probes (pre-credential)
| Endpoint | Input | Output |
|---|---|---|
| /discovery/mx-lookup | domain | MX → mail provider (M365 / Workspace / Yandex / Zoho / on-prem) |
| /discovery/website-lookup | domain | A record + TLS certificate + hosting hint (CF / AWS / Azure / GCP) |
| /discovery/m365/probe | tenant_id + app cred | Tenant validate, permission matrix |
| /discovery/m365/devices | tenant_device_id | Intune/Entra device inventory dump (≤ 1000) |
Used in the onboarding wizard: the moment the customer enters their domain, the mail and web surface are discovered without asking for credentials, so the demo view fills in immediately. Nothing sensitive is sent; only public DNS queries and certificate hashes are involved.
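As an added illustration (not ShamashAi's own code), this is the kind of classification the mx-lookup probe performs from public DNS alone: MX hosts are mapped to a hosted-mail provider and the SPF/DMARC surface is checked for presence and alignment. The DNS answers are constructed and embedded so it runs offline; the provider suffix list and the output field names are assumptions.

```python
import re

# Constructed DNS answers standing in for live MX/TXT lookups (offline demo).
FAKE_DNS = {
    ("example.com", "MX"): ["example-com.mail.protection.outlook.com."],
    ("example.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=quarantine; adkim=s; aspf=r"],
    ("shop.example", "MX"): ["aspmx.l.google.com.", "alt1.aspmx.l.google.com."],
}

# MX hostname suffixes that identify a hosted mail provider (assumed list).
PROVIDER_SUFFIXES = {
    "M365": ("mail.protection.outlook.com",),
    "Workspace": ("aspmx.l.google.com", "googlemail.com"),
    "Yandex": ("mx.yandex.net",),
    "Zoho": ("mx.zoho.com", "mx.zoho.eu"),
}

def mail_provider(mx_hosts):
    """Map MX hosts to a provider label; an unrecognised MX means self-hosted."""
    for host in mx_hosts:
        h = host.lower().rstrip(".")
        for provider, suffixes in PROVIDER_SUFFIXES.items():
            if any(h == s or h.endswith("." + s) for s in suffixes):
                return provider
    return "on-prem" if mx_hosts else "none"

def parse_dmarc(records):
    """Return policy and alignment tags of the first valid DMARC record, else None."""
    for rec in records:
        if rec.strip().lower().startswith("v=dmarc1"):
            tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)=([^;]+)", rec)}
            # Alignment defaults to relaxed ("r") when the tag is absent.
            return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}
    return None

def discover_mail_surface(domain, dns=FAKE_DNS):
    """What the wizard can learn from public DNS alone, before any credential is entered."""
    mx = dns.get((domain.lower(), "MX"), [])
    spf = [t for t in dns.get((domain.lower(), "TXT"), []) if t.lower().startswith("v=spf1")]
    dmarc = parse_dmarc(dns.get(("_dmarc." + domain.lower(), "TXT"), []))
    return {
        "provider": mail_provider(mx),
        "spf_present": bool(spf),
        "dmarc_policy": dmarc["p"] if dmarc else None,
        # Strict alignment on both DKIM and SPF is the hardened posture.
        "strict_alignment": bool(dmarc) and dmarc["adkim"] == "s" and dmarc["aspf"] == "s",
    }
```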
Threat intelligence
| Source | Refresh | Use |
|---|---|---|
| Tor exit nodes | 1 hour | Outbound/inbound IP match → KNOWN_BAD_IP |
| FireHOL Level 1 | 1 hour | Aggressive blocklist |
| Spamhaus DROP | 1 hour | Bulk netblocks (CIDR) |
| USOM / TR-CERT | 6 hours | Türkiye national IP/URL blocklist |
| Abuse.ch FeodoTracker | 6 hours | Active botnet C2: Emotet, Dridex, TrickBot, QakBot, IcedID |
Five public OSINT sources, refreshed with an atomic swap each round: if one source fails, the IP/CIDR entries from the others stay live. The new Settings → Threat Intelligence page shows the IP/CIDR count per source, the last sync time, and a "Refresh now" button (admin role).
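The refresh semantics described above, written out as an added example (not ShamashAi's own code): each source is rebuilt independently and the whole index is published with one pointer swap, so a feed that times out keeps its last good IP/CIDR set while the others update. The feed contents are constructed inline from documentation ranges; a real deployment would fetch them over HTTPS.

```python
import ipaddress
import itertools
import threading

class ThreatIntelIndex:
    def __init__(self, fetchers):
        self._fetchers = fetchers      # source name -> callable returning feed lines
        self._live = {}                # source name -> frozenset of ip_network
        self._lock = threading.Lock()

    @staticmethod
    def _parse(lines):
        nets = set()
        for line in lines:
            line = line.split("#", 1)[0].split(";", 1)[0].strip()   # drop feed comments
            if line:
                nets.add(ipaddress.ip_network(line, strict=False))
        return frozenset(nets)

    def refresh(self):
        """Rebuild each source independently; a failing source keeps its last good set."""
        new_live = dict(self._live)
        status = {}
        for name, fetch in self._fetchers.items():
            try:
                new_live[name] = self._parse(fetch())
                status[name] = "ok"
            except Exception as exc:
                status[name] = f"kept previous: {exc}"
        with self._lock:
            self._live = new_live      # readers see the old or the new index, never a half-built one
        return status

    def match(self, ip):
        addr = ipaddress.ip_address(ip)
        with self._lock:
            snapshot = self._live
        return sorted(src for src, nets in snapshot.items() if any(addr in n for n in nets))

def make_feeds():
    """Constructed feed contents (documentation ranges); usom answers once, then times out."""
    usom_answers = itertools.chain([["192.0.2.0/24"]], itertools.repeat(None))
    def usom_feed():
        data = next(usom_answers)
        if data is None:
            raise TimeoutError("feed unreachable")
        return data
    return {
        "tor_exit": lambda: ["198.51.100.7", "198.51.100.8"],
        "spamhaus_drop": lambda: ["203.0.113.0/24 ; SBL-example"],
        "usom": usom_feed,
    }
```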
Active response (SOAR)
| Action | Vendor | Scope |
|---|---|---|
| Block public IP at firewall | Fortinet FortiGate (REST API → address group) | Public non-RFC1918 IP |
| Quarantine internal IP | Fortinet FortiGate (REST API → address group) | Private IP (10.x, 172.16.x, 192.168.x) |
"Block IP" stops the attacker at the outer perimeter; "Quarantine" isolates a compromised internal device from the network. Both run through the same address-group manipulation; only the target-IP validation and the action_scope field differ. The audit log and soar_actions are append-only, and actions auto-expire after 60 minutes by default.
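The validation step that separates the two actions, as an added example (not ShamashAi's own code): "block" accepts only public, non-RFC1918 targets, "quarantine" accepts only RFC1918 targets, and special-purpose addresses are refused for both. The row layout, function name and the rejection of IPv6 are assumptions; the FortiGate call itself is not shown.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Internal scope as the page defines it: RFC1918 only (10.x, 172.16.x, 192.168.x).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def validate_soar_target(action, ip, ttl_minutes=60):
    """Return the soar_actions row for a permitted action, or raise ValueError.

    Hypothetical row layout; the real schema is not on the page."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("both actions are defined for IPv4 targets only")
    # Never push loopback, link-local, multicast or reserved space into a firewall address group.
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified or addr.is_reserved:
        raise ValueError(f"{ip} is not a routable host address")
    internal = any(addr in n for n in RFC1918)
    if action == "block":
        if internal:
            raise ValueError("block targets must be public; use quarantine for internal hosts")
        scope = "public"
    elif action == "quarantine":
        if not internal:
            raise ValueError("quarantine targets must be RFC1918 internal addresses")
        scope = "private"
    else:
        raise ValueError(f"unknown action {action!r}")
    now = datetime.now(timezone.utc)
    return {
        "action": action,
        "target_ip": str(addr),
        "action_scope": scope,            # the one field that differs between the two actions
        "created_at": now.isoformat(),
        "expires_at": (now + timedelta(minutes=ttl_minutes)).isoformat(),  # auto-expire, default 60 min
    }

def ttl_minutes(row):
    """Minutes until a row auto-expires, read back from its own timestamps."""
    start = datetime.fromisoformat(row["created_at"])
    end = datetime.fromisoformat(row["expires_at"])
    return int((end - start).total_seconds() // 60)
```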
Notification channels
When the correlation engine produces a composite event, ShamashAi pushes a message to the configured channels in parallel. Three channels are on by default; each can have its own severity filter (e.g. WhatsApp only on critical, email high and above, browser push everything).
| Channel | Transport | Target | Notes |
|---|---|---|---|
| Mail (SMTP) | SMTP / SMTPS · STARTTLS | IT manager · CISO · distribution list | HTML + plain text. Event detail, MITRE chip, "investigate" CTA. Per-rule severity threshold. |
| Mail-enabled alert (Microsoft 365) | Graph API · sendMail | Tenant mailbox | For when SMTP relay is unavailable. App-only auth, send quota tenant-bound. |
| Browser push (Web Push) | VAPID · Service Worker | IT manager's browser | Works even without PWA install. Only after subscription. Severity ≥ low. |
| WhatsApp (Meta Cloud API) | WhatsApp Business · template message | On-call mobile number | Approved template (TR/EN). Only on critical + manual "escalate" actions. The one channel built for waking up the on-call at 03:00. |
| Webhook (generic) | HTTPS POST · JSON | Slack · Teams · custom | HMAC-signed, retry queue, dead-letter queue. |
All channels are toggled on/off from the notifications page. For each channel you can define who gets what (severity + module + site filter), quiet hours (off-hours suppression), and a rate limit (e.g. one WhatsApp message per minute). The audit log writes a NOTIFICATION_SENT row for every send.
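For the generic webhook channel's "HMAC-signed" delivery, here is an added example (not ShamashAi's own code) of both sides: the sender binds a timestamp into the MAC over the canonical JSON body, and the receiver (a Slack/Teams relay or custom endpoint) rejects expired deliveries and compares in constant time. The header names, the `v1=` prefix, the signing-string layout and the 5-minute replay window are assumptions.

```python
import hashlib
import hmac
import json

REPLAY_WINDOW_S = 300   # assumed: deliveries more than 5 minutes off the receiver clock are rejected

def build_event_body(event):
    """Canonical JSON so sender and receiver hash identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def sign_webhook(secret, body, ts):
    """Sender side: the timestamp is part of the signed string, so a captured delivery cannot be replayed later."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return {
        "Content-Type": "application/json",
        "X-Shamash-Timestamp": str(ts),       # assumed header names
        "X-Shamash-Signature": "v1=" + mac,
    }

def verify_webhook(secret, body, headers, now):
    """Receiver side: reject missing or expired headers, then constant-time compare."""
    try:
        ts = int(headers["X-Shamash-Timestamp"])
        sig = headers["X-Shamash-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REPLAY_WINDOW_S:
        return False
    expected = "v1=" + hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), sig.encode())

# Constructed composite event, shaped like what the correlation engine would push.
SAMPLE_EVENT = {"rule": "KNOWN_BAD_IP", "severity": "high", "src_ip": "203.0.113.77", "site": "HQ"}

def demo(secret=b"constructed-shared-secret", ts=1_700_000_000):
    """Sign one delivery and show that a tampered body or a late replay fails verification."""
    body = build_event_body(SAMPLE_EVENT)
    headers = sign_webhook(secret, body, ts)
    return {
        "genuine": verify_webhook(secret, body, headers, ts + 5),
        "tampered_body": verify_webhook(secret, body.replace(b"high", b"low"), headers, ts + 5),
        "replayed_late": verify_webhook(secret, body, headers, ts + REPLAY_WINDOW_S + 1),
    }
```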
Compliance pack
| Framework | Controls evidenced |
|---|---|
| ISO/IEC 27001:2022 Annex A | 19 controls (A.5.7, A.5.10, A.5.24-26, A.5.28, A.6.3, A.8.2, A.8.5, A.8.7-10, A.8.12, A.8.15-17, A.8.20, A.8.23) |
| KVKK Article 12 | 6 sub-articles (preventing unauthorized access, log retention, retention policy, pen-test evidence, breach notification, audit) |