Everything Your SOC Needs.
In One Platform.

From alert ingestion to case closure, Sentendra handles the entire incident lifecycle — dashboard, cases, alerts, observables, analytics, and more.

Dashboard & Notifications

Real-time overview of total cases, open and resolved cases, critical cases, and active alerts. Personal and admin-wide notification management with desktop push alerts.

Cases

Full case lifecycle: tasks, observables, email threads, attachments, comments, SLA tracking, custom fields, templates with variable substitution, soft-delete + restore. Auto-merge similar cases by hostname / rule name with configurable similarity threshold; manual merge from the case list. Activity timeline on every case. Built like a security-native Jira.

Alerts

Pull alerts from Elastic SIEM, CrowdStrike Falcon, custom HTTP sources, or push them in via webhook. Deduplicate, auto-extract observables from raw event data, triage, and promote alerts singly or in bulk into cases. Per-customer hostname-field mapping, configurable lookback window and polling interval, raw alert JSON inspection, and Kibana deep-link generation for source investigation.

Triage Rules & Exclusions

Visual condition builder with 11 operators (exists, equals, contains, starts_with, ends_with, is_one_of, regex, …) and AND/OR/nested groups. Triage rules auto-classify and assign; exclusion rules suppress noise per-customer; user-acknowledged exclusions stop repeat notifications without losing the underlying detection. Priority-ordered evaluation means the right rule wins, every time.
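The rule model described above (named operators, AND/OR nested groups, per-customer exclusions, priority-ordered first-match evaluation), as an added Python example that is not Sentendra's code: the JSON-style rule shape, the action names, the dotted ECS field paths and the customer ids are assumptions.

```python
import re
# Operators named in the page's condition builder; the mapping itself is an assumption.
OPERATORS = {
    "exists": lambda v, a: v is not None,
    "equals": lambda v, a: v == a,
    "contains": lambda v, a: isinstance(v, str) and a in v,
    "starts_with": lambda v, a: isinstance(v, str) and v.startswith(a),
    "ends_with": lambda v, a: isinstance(v, str) and v.endswith(a),
    "is_one_of": lambda v, a: v in a,
    "regex": lambda v, a: isinstance(v, str) and re.search(a, v) is not None,
}

def get_field(event, path):
    """Resolve a dotted ECS-style path such as 'process.parent.name' in a nested dict."""
    for part in path.split("."):
        if not isinstance(event, dict) or part not in event:
            return None
        event = event[part]
    return event

def evaluate(cond, event):
    """A condition is a leaf {field, op, value} or a nested group {"all": [...]} / {"any": [...]}."""
    if "all" in cond:
        return all(evaluate(c, event) for c in cond["all"])
    if "any" in cond:
        return any(evaluate(c, event) for c in cond["any"])
    return OPERATORS[cond["op"]](get_field(event, cond["field"]), cond.get("value"))

def triage(alert, rules):
    """Lowest priority number wins: the first matching rule decides. Exclusions are
    scoped to one customer; a suppressed alert is kept, it just stops notifying."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("customer") in (None, alert.get("customer")) and evaluate(rule["condition"], alert):
            return rule["action"], rule["name"]
    return "notify", None

# Constructed sample rules (not the product's); customer "acme" is a placeholder.
RULES = [
    {"name": "acme backup job", "priority": 10, "customer": "acme", "action": "suppress",
     "condition": {"all": [{"field": "process.name", "op": "equals", "value": "rundll32.exe"},
                           {"field": "process.args", "op": "contains", "value": "backup.dll"}]}},
    {"name": "rundll32 from Office or javascript:", "priority": 20, "customer": None,
     "action": "assign:tier2", "condition": {"all": [
         {"field": "process.name", "op": "regex", "value": r"(?i)^rundll32\.exe$"},
         {"any": [{"field": "process.parent.name", "op": "is_one_of", "value": ["winword.exe", "excel.exe"]},
                  {"field": "process.args", "op": "starts_with", "value": "javascript:"}]}]}},
]
# Constructed alerts: same binary at two customers; only acme's known backup job is excluded.
ALERT_ACME = {"customer": "acme", "process": {"name": "rundll32.exe", "args": "C:\\bk\\backup.dll,Run", "parent": {"name": "winword.exe"}}}
ALERT_OTHER = {"customer": "globex", "process": {"name": "RUNDLL32.EXE", "args": "javascript:...", "parent": {"name": "explorer.exe"}}}
```

The customer scope check is what keeps one tenant's exclusion from silencing the same detection elsewhere.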

AI Analysis & Investigation

Per-case AI classification with confidence scoring and cited evidence. Attack-chain timeline reconstruction from observables. MITRE ATT&CK auto-mapping. RAG knowledge base that grounds answers in your own runbooks and past cases. Streaming AI chat per-case and global. Scheduled auto-analysis jobs with concurrency control. Self-hosted AI on paid plans; Starter is AI-off by default with optional bring-your-own OpenAI / Anthropic key.

Collaboration & Communication

Direct, group, and case-scoped chat with reactions and typing presence. Audio/video calls with recording, in-call notes, file sharing, and per-call reactions. Social Hub with threaded posts, @mentions, and emoji reactions for cross-team knowledge sharing. Activity timeline records every privileged action on every case.

Case Email System

Send and receive emails directly within cases with full IMAP/SMTP support. Automatic email threading, multi-account configuration, email exclusion rules, reusable email templates with variables, rich text compose with attachments, and contact management. Turn inbound emails into cases automatically.

Observables & Threat Intel

30+ observable types out of the box (IPs, domains, hashes, processes, registry paths, MITRE techniques, CrowdStrike IDs, Kibana ancestors, and more) with TLP marking, free-form tags, and per-case deduplication by value hash. VirusTotal enrichment, real-time NIST CVE feed, geographic threat map visualization.

Sandbox & Malware Analysis

Submit case attachments for sandbox detonation. Pull back YARA rule matches, MITRE ATT&CK behaviour mappings, threat score, and extracted IOCs (IPs, domains, dropped files). Sandbox-derived observables are auto-linked to the originating case for one-click pivot.

Playbooks & Workflow Automation

Build and execute playbooks with customizable triggers and actions. Native n8n integration and webhooks. Automate enrichments, notifications, containment, and remediation on case and alert events.

Analytics, MTTR / MTTD & Reports

Dashboard with case and alert volume trends, status / severity distribution, and top assignees. Dedicated MTTR & MTTD analytics views with breach tracking. Per-customer branded reports (logo + colour theme) exported to PDF. Top-hosts report from Elasticsearch with rule-tag filters. Schedule reports for email delivery on a cron schedule.

Multi-Tenant, Customers & Fleet

Each Sentendra tenant manages unlimited customers underneath: per-customer Elasticsearch credentials, hostname-field mapping, branding, exclusion rules, SLA policy, and email config. Database-enforced isolation via Postgres FORCE ROW LEVEL SECURITY. Fleet agent registry, RBAC with custom permissions, SAML/OIDC SSO, TOTP 2FA with backup codes, and signed API keys for programmatic access.

Uptime, Audit Log & System

Continuous health checks for every connected SIEM endpoint with response-time tracking and breach notifications. Append-only audit log capturing every privileged action with actor, IP, and timestamp — exportable for ingest into your own SIEM. Email config, SLA policy editor, custom field designer, license usage tracking, in-app release notes, and field-management UI for ECS-to-case field mapping.

Case & Email Templates

Standardize incident response with case templates that pre-fill title, description, severity, assignee, custom fields, and tags using variables like {hostname} and {rule_name}. Email templates with variable substitution let analysts compose consistent notifications in one click.

Real-Time CVE Feed

Live CVE stream from the NIST National Vulnerability Database with 30-day rolling lookback, filterable by CVSS score and product. New CVEs surface in the Command Center next to active cases so analysts can pivot quickly when a fresh vulnerability lands in the wild.

Threat Map & Geo Intel

Geographic visualisation of alert origins and destinations across all your customers. Spot regional spikes, attacker infrastructure clusters, and unusual outbound destinations at a glance — all driven by the same observables you've already enriched.

AI Chat — Per-Case & Global

Ask questions about a specific case ("what does this rundll32 invocation typically indicate?") and get answers grounded in the actual case observables and your RAG knowledge base. Or open the global chatbot for general security Q&A. Token streaming over WebSocket so responses arrive as they're generated.

Field Management & Custom Schema

Map any Elasticsearch field to a Sentendra case attribute. Define custom fields (text / number / select / date) with required-flag enforcement. Per-customer hostname-field priority ordering means the same alert from different customers extracts the right host name without manual rework.

Real-Time Updates

WebSocket-pushed updates: new cases appear in everyone's list instantly, status changes reflect across browsers without refresh, sidebar counts re-render live. No polling, no stale views, no two analysts unknowingly working the same case.