# Security & SIEM

> Built-in SIEM with syslog, PCAP, and Nexie AI threat analysis; automated Microsoft 365 phishing triage; authorized vulnerability scanning with a Red Team wizard; and a single-pane security posture dashboard.

End-of-week ship, extending the [v1.14.x platform](/changelog/2026-07-01). Four
new areas round out the security stack — event collection and AI threat
analysis, automated email triage, authorized vulnerability scanning, and a
rollup posture view.

## New features

### SIEM

Built-in Security Information and Event Management. A listener auto-detects
**TLS or plain syslog on port 6514** (plus a per-tenant port), auto-parses
FortiGate key=value and RFC 3164 events, and organizes them under **sources**
and time-boxed **capture sessions** per client. Critical and high-severity
events auto-promote to alerts. Upload a **PCAP** and NEXOS CORE parses it into
conversations, DNS, HTTP, and TLS SNI, pre-flagging suspicious signals. Run
**Nexie AI threat analysis** on any capture for a 0–100 risk score, findings
(with MITRE ATT&CK IDs), remediation plans, and before/after posture
comparison. See [SIEM](/siem/index).
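As an added illustration of the parsing step described above (example code, not NEXOS CORE's own implementation): a minimal parser that strips the RFC 3164 priority header, splits a FortiGate key=value body into fields, and decides which events to promote to alerts. The sample lines are constructed, and the promotion rule is an assumption, since the page does not define which levels count as "high".

```python
import re

# Constructed sample lines for this example (not captured from a real device):
# RFC 3164 framing (<PRI>timestamp host) around a FortiGate key=value body.
SAMPLE_LINES = [
    '<189>Jul  3 10:15:02 fw01 date=2026-07-03 time=10:15:02 devname="fw01" '
    'type="event" subtype="system" level="critical" '
    'logdesc="Admin login failed" msg="Login failed from 203.0.113.7"',
    '<190>Jul  3 10:15:09 fw01 date=2026-07-03 time=10:15:09 devname="fw01" '
    'type="traffic" subtype="forward" level="notice" action="accept" '
    'srcip=192.0.2.10 dstip=198.51.100.20',
]

_PRI_RE = re.compile(r"^<(\d{1,3})>")              # RFC 3164 <PRI> header
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

# Assumed promotion rule (the page does not define "high"): FortiGate levels
# emergency/alert/critical, or syslog severity 0-2 (emerg, alert, crit).
PROMOTE_LEVELS = {"emergency", "alert", "critical"}

def parse_pri(line):
    """Split <PRI> into (facility, severity, rest); PRI = facility*8 + severity."""
    m = _PRI_RE.match(line)
    if not m:
        return None, None, line          # no PRI header: keep the whole line
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"invalid PRI value {pri}")
    return pri // 8, pri % 8, line[m.end():]

def parse_fortigate_kv(body):
    """Parse FortiGate key=value pairs; quoted values may contain spaces."""
    fields = {}
    for m in _KV_RE.finditer(body):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def parse_event(line):
    """Return one normalized event dict with the alert-promotion decision."""
    facility, severity, body = parse_pri(line)
    fields = parse_fortigate_kv(body)
    level = fields.get("level", "").lower()
    promote = level in PROMOTE_LEVELS or (severity is not None and severity <= 2)
    return {"facility": facility, "severity": severity,
            "fields": fields, "promote_to_alert": promote}

def triage(lines):
    """Keep only the events a SIEM would promote to alerts."""
    return [e for e in map(parse_event, lines) if e["promote_to_alert"]]
```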

### Email security

An automated phishing-triage pipeline for **Microsoft 365** mailboxes. Every
~5 minutes NEXOS CORE pulls recent mail via Microsoft Graph, parses SPF, DKIM,
DMARC, Defender, and Inky signals, and scores each message 0–100 against a
per-client trust profile (approved senders, vendors, lookalike-domain
detection). Borderline messages get a **Claude second opinion**, and the
pipeline then allows, logs, escalates, or **quarantines** the message —
opening a helpdesk ticket automatically when a human needs to look. See
[Email security](/emailsec/index).

### Vulnerability scanning & Red Team

Authorized Metasploit-driven scans against a client's networks. Choose a
**Basic**, **Standard**, or **Comprehensive** profile (or a template from a
library of ~50), or let the **Nexie Red Team wizard** recommend one based on
industry, compliance frameworks, asset inventory, and prior findings. Scans
can run from the Metasploit host directly, or be **tunneled through an on-site
[RMM agent](/rmm/deploy-agent)** so they originate from inside a segmented or
NATed client network. Discovered hosts, services, and vulnerabilities are
recorded as findings against the client. See
[Vulnerability scanning & Red Team](/metasploit/index).

### Security posture dashboard

A single-pane rollup of a client's security health. One **Overall Security
Score (0–100)** aggregates compliance, vulnerability, endpoint, and identity
categories, alongside endpoint stats (total vs. online agents, compliance
rate) and a recent-alerts feed with inline status updates. It's a read-only
view — the scores flow from the underlying modules — so it's the fastest way
to spot what's dragging a client's posture down before diving into the source
tool. See [Security posture dashboard](/cybersec/index).

## Known limitations

* **SIEM** — **PCAP analysis requires `tshark` on the host**; without it,
  captures are marked failed. **Encrypted session export needs
  `SIEM_ENCRYPTION_KEY`** set — otherwise exports fall back to plaintext. The
  syslog TLS listener is pinned to **TLS 1.2** (a FortiOS workaround) with no
  client-certificate auth. AI analysis requires your tenant's Claude API key.
* **Email security** — **quarantine moves the message to Junk**, not full
  Defender quarantine. Ingestion is **polling (~5 minutes)**, not real-time.
  Company matching is by sender domain, so unrecognized external senders land
  in the caution band for AI review.
* **Vulnerability scanning** — you are responsible for **authorization**;
  record the client's penetration-test scope and sign-off before running a
  scan. Requires a reachable, enabled `msfrpcd` — without it, scans fail
  immediately. Agent-tunneled targets must be IPv4 addresses or CIDR ranges.
  The Red Team wizard requires your tenant's Claude API key.
* **Posture dashboard** — **read-only aggregation**. Fix a low score at its
  source (compliance, vuln scanning, or RMM), not here. The overall score is
  a pooled ratio, so a source with a large maximum weighs more heavily — read
  it alongside the category breakdown.

Earlier [known limitations from v1.14.x](/changelog/2026-07-01#known-limitations),
[week of June 29](/changelog/2026-07-02#known-limitations), the
[Quotes, billing & contracts ship](/changelog/2026-07-02-quotes-billing#known-limitations),
the [Projects & field ship](/changelog/2026-07-03-projects-field#known-limitations),
the [Construction & bid ship](/changelog/2026-07-03-construction-bid#known-limitations),
and the [RMM & infrastructure ship](/changelog/2026-07-03-rmm-infrastructure#known-limitations)
remain unchanged.
