24/7 monitoring of security events from multiple sources — OpenSearch indexers, external SIEMs, EDR agents and cloud logs — with automatic correlation and risk-level prioritization.
Every critical alert is processed by the integrated AI engine to identify the MITRE tactic and technique, Kill Chain phase, potential impact, and recommended remediation steps.
Automated enriched ticket creation in osTicket, Jira Service Management or ServiceNow. Every incident is documented, assigned, and traceable.
Real-time dashboard with operational metrics, SSE event feed, risk indicators, and compliance-ready audit reports.
Security sources — agents on servers and endpoints, OpenSearch indexers, external SIEMs, and cloud logs — feed events into the Normalizer. Multiple protocols are supported: REST API, syslog, webhooks, and direct OpenSearch queries.
The Normalizer converts heterogeneous events into the standard OBSIDIA schema (rule · agent · mitre · level · dedup · state · fingerprint). Each adapter is independent; adding a new source requires no changes to the core. The Poller Engine deduplicates via SHA-256 fingerprint and maintains per-cycle state.
Alerts at level ≥ 7 (configurable) are processed by the integrated AI engine for contextual analysis. It identifies the MITRE tactic and technique, the corresponding Kill Chain phase, the potential organizational impact, and generates actionable remediation recommendations.
The Dispatcher builds a ticket with a structured subject (severity · rule · agent) and a body containing: full event data, complete AI analysis, MITRE context, and recommended remediation steps.
Every event is stored in the Event Store (SQLite WAL). The SSE Dashboard pushes it to the SOC team in real time. The admin portal consolidates metrics from all clients via a 24h heartbeat.