/security/siem.
When to use it
- Centralize firewall/syslog collection for one or more client sites.
- Run a time-boxed capture window against a client, then hand the events to Nexie for a threat readout.
- Upload a PCAP from an incident for AI traffic analysis.
- Triage security alerts (critical/high events auto-promote to alerts).
- Generate and track AI remediation plans and a posture-improvement comparison.
Syslog ingestion
A listener auto-detects TLS or plain syslog on port 6514 (and a per-tenant port, default 5514). It auto-parses FortiGate key=value and BSD/RFC 3164 syslog into structured events. Define sources (each with event counts and last-seen), and run capture sessions — time-boxed collection windows, optionally scoped to specific source IPs and tagged per client. Critical and high-severity events auto-promote to the alerts feed.
PCAP analysis
Upload a packet capture and NEXOS CORE parses it (via tshark) into conversations, DNS, HTTP, and TLS SNI, pre-flagging suspicious signals (known C2 ports, oversized DNS that may indicate exfiltration).
Nexie AI threat analysis
Run analysis on a capture or session and Nexie returns a risk score (0–100), findings (with MITRE ATT&CK IDs where applicable), and a traffic profile. From there you can generate remediation plans (single or batch, which become Nexie security tasks) and run a posture comparison of before/after snapshots. Log retention is driven automatically by the risk score.
Good to know
- PCAP analysis requires tshark installed on the host — without it, a capture is marked failed.
- Encrypted session export needs SIEM_ENCRYPTION_KEY (a 32-byte hex key) — if it's unset, exports fall back to plaintext.
- The syslog TLS listener is pinned to TLS 1.2 (a deliberate FortiOS workaround) with no client-certificate auth.
- AI analysis requires your tenant’s Claude API key.
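As an added example (not NEXOS CORE code), the following Python sketches the detect-and-parse step described under Syslog ingestion: it classifies a line as FortiGate key=value or BSD/RFC 3164 syslog, derives a severity from the FortiGate level field or the syslog PRI header, and applies the critical/high auto-promote rule. The severity mappings, field names beyond the standard formats, and the sample log lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

PRI_RE = re.compile(r"^<(\d{1,3})>")
BSD_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Assumed severity mappings (not the product's): FortiGate level names and
# syslog PRI severity codes 0-7 collapsed to critical/high/medium/low/info.
FORTI_LEVEL = {"emergency": "critical", "alert": "critical", "critical": "critical",
               "error": "high", "warning": "medium", "notice": "low",
               "information": "info", "debug": "info"}
PRI_SEVERITY = ["critical", "critical", "critical", "high", "medium", "low", "info", "info"]

@dataclass
class Event:
    source_ip: str
    fmt: str          # "fortigate", "bsd" or "raw"
    severity: str
    fields: dict = field(default_factory=dict)

def parse_syslog(line: str, source_ip: str) -> Event:
    """Auto-detect FortiGate key=value vs BSD/RFC 3164 syslog and structure it."""
    sev = None
    if m := PRI_RE.match(line):
        sev = PRI_SEVERITY[int(m.group(1)) % 8]  # syslog severity is PRI mod 8
        line = line[m.end():]
    if line.startswith(("date=", "devname=", "logver=")):
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        # FortiGate's own level field is more specific than the PRI header
        sev = FORTI_LEVEL.get(fields.get("level", ""), sev or "info")
        return Event(source_ip, "fortigate", sev, fields)
    if b := BSD_RE.match(line):
        return Event(source_ip, "bsd", sev or "info", b.groupdict())
    return Event(source_ip, "raw", sev or "info", {"msg": line})

def should_promote(ev: Event) -> bool:
    # Critical/high events are promoted to the alerts feed
    return ev.severity in ("critical", "high")

# Constructed sample lines (not captured from a real device).
SAMPLES = [
    '<186>date=2024-05-01 time=10:00:00 devname="FGT-EDGE" logid="0419016384" type="utm" '
    'subtype="ips" level="critical" srcip=203.0.113.7 dstip=10.0.0.5 action="dropped" msg="C2 callback signature"',
    '<189>date=2024-05-01 time=10:00:01 devname="FGT-EDGE" type="traffic" level="notice" '
    'srcip=10.0.0.8 dstip=198.51.100.2 action="accept"',
    '<38>May  1 10:00:02 srv01 sshd[2211]: Accepted publickey for ops from 10.0.0.9 port 50022',
]

def run(samples=SAMPLES, source_ip="10.0.0.1"):
    # Returns (all structured events, the subset promoted to alerts)
    events = [parse_syslog(s, source_ip) for s in samples]
    return events, [e for e in events if should_promote(e)]
```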
