Alert History
Historical alert data with filtering, time range selection, and export capabilities.
Active Investigations
Asset Inventory
Complete asset register with ownership, classification, and risk assessment.
Managed Devices
All devices under management with configuration status and compliance data.
Cloud Resources
Multi-cloud asset management including AWS, Azure, and GCP resources.
Security Reports
Generate professional reports for executive summaries, compliance audits, and technical deep dives. All reports are tenant-aware and pull live data from your connected Elasticsearch backends.
📈 Executive Summary Report
Select a period and click Generate Report to create an executive summary with live data from the platform.
📋 Compliance Report
Select a compliance framework and period to generate a compliance posture report based on your SOC controls and evidence.
🔍 Technical Deep Dive Report
Select a focus area and time range for a detailed technical analysis with raw data, trends, and forensic-level detail.
Operational Metrics
SOC performance metrics: MTTR, detection rates, ticket volume, and analyst productivity.
Trends
Security trend analysis with historical data visualization and forecasting.
Export Reports
Generate detailed reports from live SOC data, export in multiple formats, and send directly via email to stakeholders. All reports include live metrics from your connected Elasticsearch backends.
Export Report Generator
Select a report type, configure the time period and format, then click Generate Report to build your export. You can download the report or send it via email.
OrelMSOC Platform User Guide
A comprehensive walkthrough of the Managed Security Operations Center platform — from navigation to incident response workflows.
1. Platform Overview
OrelMSOC is a unified Security Operations platform that integrates Wazuh SIEM, Threat Intelligence, and a built-in Ticketing System under a single dashboard. It provides SOC analysts with real-time visibility into security events, endpoints, vulnerabilities, and incident response workflows.
2. Getting Started
Logging In
Selecting a Tenant
3. Navigation Guide
The left sidebar organizes the platform into logical sections. Click any item to navigate.
| Section | Pages | Description |
|---|---|---|
| Home | Overview, Live Status, Analyst Dashboard | High-level metrics, real-time system status, and threat map |
| Monitoring | Device Monitoring, Network Monitoring, Endpoint Status, Service Availability | Detailed monitoring of endpoints, network health, and service uptime |
| Alerts | Active Alerts, Critical Alerts, Alert History | Wazuh security alerts with filtering, escalation, and ticketing |
| Threat | Threat Hunting, Threat Intelligence | Proactive threat searches and IOC lookups |
| Incidents | Open Incidents, Investigations, Case Timeline, Resolved Incidents | Full incident lifecycle management |
| Assets | Asset Inventory, Managed Devices, Servers, Cloud Resources | Asset tracking and inventory management |
| Analytics | Security Reports, Operational Metrics, Trends, Export Reports | Reporting and analytical tools |
| Knowledge Center | User Guide, SOPs, FAQs, Release Notes | Documentation and reference materials |
| Administration | Clients, User Management, Roles, Incident Mgmt, Integrations, Audit Logs, System Settings | Platform configuration and management |
4. Dashboard & Monitoring
Overview Page — Your landing page after login. Displays:
- Stat Cards — Total alerts, critical alerts, active endpoints, open incidents — all updated in real-time.
- Recent Alerts — Latest security events from the selected tenant.
- Alert Status Distribution — Visual breakdown of alert severities.
Live Status — Real-time system health with auto-refresh. Shows:
- Elasticsearch connection status
- Agent connectivity counts
- Recent alert stream
- Service availability indicators
Analyst Dashboard — Interactive threat map displaying global alert sources with geolocation.
5. Alert Management
Alerts are ingested from Wazuh via Elasticsearch. The platform organizes them by severity and status.
Working with Alerts:
6. Incident & Ticket Management
The ticketing system transforms alerts into actionable incidents with full lifecycle management.
Ticket Lifecycle:
- New — Freshly created from an alert or manually entered.
- In Progress — Being worked on by an assigned analyst.
- Resolved — Mitigated and awaiting verification.
- Closed — Finalized with closure notes.
Managing Tickets:
Investigations — Group related tickets into cases for coordinated response. Navigate to Incidents > Investigations to manage.
7. Threat Management
Threat Hunting — Proactively search for Indicators of Compromise (IOCs) across your environment.
- Search by IP address, domain, hash, or URL.
- Results are enriched with Threat Intelligence data.
- Create tickets directly from hunt findings.
Threat Intelligence — Centralized IOC database with reputation scoring from multiple integrated feeds.
- View all known IOCs with reputation status (Malicious, Suspicious, Safe, Unknown).
- Manually add IOCs or let the platform auto-populate from alerts.
- Each IOC includes source attribution, reputation score, and last-checked timestamp.
- IOC enrichment is powered by 8 integration modules — configure which feeds to use under Administration > Integrations.
Available Threat Intelligence Feeds:
- AlienVault OTX — Community-driven threat intelligence with pulse indicators.
- VirusTotal — Multi-engine file/URL/hash threat detection and reputation.
- AbuseIPDB — IP address blacklist and reputation scoring.
- Shodan — Device fingerprinting and exposed service intelligence.
- Blocklist.de — Crowdsourced IP blocklist for malicious hosts.
- AdGuard DNS — Domain-based threat filtering and reputation checks.
8. Client & Tenant Administration
Each client/tenant connects to its own Elasticsearch instance. Administrators can manage them under Administration > Clients.
Adding a Client:
Editing / Deleting Clients: Use the Edit and Delete buttons next to each client in the Clients page. Deleting removes the client configuration only — it does not affect the actual Elasticsearch data.
Client IDs & Tenant Access Control:
Each client has a unique Client ID (visible in the Clients list). These IDs are used in User Management to control which tenants a user can access:
- When creating/editing a user, the Allowed Tenants field accepts these Client IDs.
- Site Admin and Admin roles always see all tenants — the Allowed Tenants setting is ignored.
- User role: leave Allowed Tenants empty to grant access to all tenants; or select specific tenant IDs to restrict access.
- If a user's Allowed Tenants list contains tenant IDs that no longer exist, those IDs are simply ignored — the user sees only the remaining valid tenants, or none if all IDs are stale.
9. User & Role Management
Manage platform users and their permissions under Administration.
User Roles:
| Role | Access Level | Tenant Access | Permissions |
|---|---|---|---|
| Site Admin | Full | All tenants | All pages, user management, client config, role management (create/edit roles), system settings, audit logs |
| Admin | Full | All tenants | All pages, user management, client config, system settings, audit logs (cannot manage roles) |
| User | Standard | Assigned tenants only | Dashboards, alerts, incidents, threat hunting, endpoints, reports, settings |
How Tenant Access Works:
- Site Admin — Automatically sees all tenants. The `allowed_tenants` field is ignored and always resolved to `"*"` (all). Site Admins can also manage roles and permissions.
- Admin — Also sees all tenants. Same logic as Site Admin but cannot create or edit roles.
- User — Can only see tenants explicitly assigned. If `allowed_tenants` is empty (`[]`), the user also sees all tenants. To restrict a user, assign specific tenant IDs.
Adding a User:
Roles & Permissions: Configure page-level access in Administration > Roles & Permissions. Only Site Admin can create, edit, or delete roles.
10. Integrations & Settings
Integrations (Administration > Integrations) — Configure external tools and feeds. The platform uses a modular integration system that dynamically loads enabled modules. Each module has its own configuration, status indicator, and API key management.
Available Integration Modules:
- VirusTotal — File, URL, and hash threat intelligence with multi-engine malware detection.
- AlienVault OTX — Community-driven threat intelligence feeds with pulse-based IoC sharing.
- AbuseIPDB — IP address blacklist check and reputation scoring for identifying malicious hosts.
- Shodan — Internet-connected device search engine for exposed service and vulnerability intelligence.
- AdGuard DNS — Domain-based threat filtering and reputation checks (auto-enabled for DNS events).
- Blocklist.de — Crowdsourced IP blocklist — no API key required, auto-enabled for IP events.
- Slack Notifications — Real-time SOC alert delivery to Slack channels via webhook.
- Email / SMTP — Email-based alert notifications and escalation delivery via SMTP relay.
System Settings (Administration > System Settings) — Platform-wide configuration:
- Timezone — Set your preferred time display (default: Asia/Manila).
- SLA Configuration — Define response and escalation deadlines per severity.
- IR Team — Manage incident response team members and escalation tiers.
Audit Logs — All user actions are logged for compliance. View under Administration > Audit Logs.
11. Quick Reference
| Task | Navigation Path |
|---|---|
| View active security alerts | Alerts > Active Alerts |
| Create an incident ticket | Click any alert > Create Ticket |
| Check endpoint status | Monitoring > Endpoint Status |
| Search for IOCs | Threat > Threat Hunting |
| Configure TI feeds | Administration > Integrations |
| Add a new client | Administration > Clients > Add Client |
| Create a user account | Administration > User Management > Add User |
| Configure SLA timers | Administration > System Settings |
| View audit trail | Administration > Audit Logs |
| Switch to another tenant | Tenants dropdown (left sidebar) |
| Export a report | Analytics > Export Reports |
Standard Operating Procedures
Formal procedures for incident response, case handling, investigations, and daily SOC operations. All analysts must follow these steps for consistency and compliance.
SOP-001: Alert Triage
Purpose: To ensure all security alerts are promptly assessed, prioritized, and assigned for action based on severity.
Severity Classification:
- Critical: Ransomware, data exfiltration, privilege escalation, active C2 communication, lateral movement confirmed
- High: Malware detected, brute force success, suspicious admin activity, multiple failed logins from unknown IPs
- Medium: Single failed login anomalies, policy violations, suspicious but unconfirmed behavior
- Low: Informational events, minor policy violations, false positive indicators
Procedure:
SOP-002: Case Initiation & Assignment
Purpose: To establish a formal process for creating, categorizing, and assigning security cases to appropriate analysts.
When to Open a Case:
- A ticket has been escalated to Tier 2 or higher
- Multiple related alerts point to the same threat
- A confirmed incident requires coordinated response
- Client notification or formal reporting is required
Procedure:
- Tier 1: Initial triage, basic investigation, false positive clearance
- Tier 2: Deep investigation, containment, evidence collection
- Tier 3: Advanced forensics, malware analysis, threat hunting
SOP-003: Investigation & Evidence Collection
Purpose: To provide a structured methodology for investigating security incidents and preserving evidence for analysis, reporting, and potential legal action.
Investigation Steps:
- Source and destination IP addresses
- Affected hostnames and agent IDs
- Timestamp of first and last activity
- User accounts involved
- MITRE ATT&CK technique IDs
- What was checked and the result
- IOCs found and their reputation
- Systems confirmed affected or cleared
- Timeline of events
- Screenshots or raw data excerpts
SOP-004: Containment Strategy
Purpose: To define actions for stopping the spread of an active threat while preserving forensic evidence.
Immediate Containment Actions:
SOP-005: Remediation & Recovery
Purpose: To remove the threat from the environment and restore normal operations securely.
Remediation Steps:
SOP-006: Escalation Procedure
Purpose: To define when and how to escalate incidents to higher-tier analysts, management, or clients.
Escalation Triggers:
| Tier | Trigger | Escalate To | Method |
|---|---|---|---|
| Tier 1 → 2 | Unable to determine scope, confirmed compromise beyond single host, malware analysis needed | Tier 2 SOC Analyst | Ticket reassignment + Slack/Teams notification |
| Tier 2 → 3 | Advanced persistent threat, forensic analysis required, zero-day exploitation, multi-tenant breach | Tier 3 Lead / Threat Hunter | Ticket reassignment + phone call / urgent Slack |
| Technical → Management | Client-facing impact, regulatory notification required, SLA breach imminent, data loss confirmed | SOC Manager / CTO | Email + phone call + case summary |
| Management → Client | Confirmed breach, extended downtime, data compromise, formal incident notice | Client Point of Contact | Formal incident report + scheduled call |
Escalation Steps:
SOP-007: Communication Protocol
Purpose: To ensure clear, consistent, and documented communication during incident response, both internally and with clients.
Internal Communication:
- Slack/Teams: Use the designated SOC channel for real-time coordination. Tag relevant team members using @ mentions.
- Ticket Notes: All substantive communication about the case must be recorded in the ticket notes. This creates a permanent audit trail.
- Shift Handoff: At shift change, document the current case status, pending actions, and any watch items in the ticket notes.
Client Communication:
SOP-008: Case Closure
Purpose: To formalize the closure of security cases with complete documentation and lessons learned.
Closure Checklist:
Closure Steps:
- Executive summary of the incident
- Timeline of detection, investigation, containment, and remediation
- Root cause analysis
- Business impact assessment
- IOCs identified and action taken on each
- Preventive recommendations
SOP-009: Daily SOC Operations
Purpose: To define routine daily activities that keep the SOC operational and ensure no alerts go unhandled.
Start of Shift Checklist:
SOP-010: User & Tenant Administration
Purpose: To define procedures for creating and managing users, assigning roles, and controlling tenant access across the OrelMSOC multi-tenant platform.
User Role Definitions:
| Role | Tenant Scope | Role Management | Use Case |
|---|---|---|---|
| Site Admin | All tenants | Can create/edit/delete roles | System-wide administrator — full platform control |
| Admin | All tenants | Cannot manage roles | Tenant-wide administrator — manage users, clients, settings |
| User | Assigned tenants (or all if empty) | Read-only | Standard SOC analyst — alert triage, incidents, investigations |
Procedure A: Creating a New User
- Site Admin / Admin — The Allowed Tenants field is informational only. These roles always see all tenants.
- User — Leave blank to grant access to all tenants. Select specific tenant IDs to restrict access to those tenants only.
Procedure B: Modifying User Access
Procedure C: Managing Roles & Permissions
`["*"]` to grant access to all sections (default for Site Admin and Admin roles).
Important Tenant Access Notes:
- Empty Allowed Tenants (JSON `[]`) is treated by the login system as `"*"` — meaning access to all tenants. This applies to ALL roles.
- Site Admin role forces `allowed_tenants = '[]'` on every server startup — Site Admins always see all tenants and cannot be restricted.
- To restrict a User to specific tenants, explicitly select those tenant IDs in the Allowed Tenants field. Empty = all, explicit list = only those.
- When a user logs in, the JWT token includes their tenant access list. Token refresh (re-login) is required after tenant permission changes.
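The tenant-access rules stated in sections 8 and 9 of the User Guide and in the SOP-010 notes above (Site Admin and Admin always resolve to all tenants, an empty list also resolves to all tenants for any role, stale Client IDs are silently ignored, and the resolved list is fixed in the JWT at login) can be modelled in a few lines. The following Python is an added illustration written for this guide, not the platform's own code; the function names, the `site_admin`/`admin`/`user` role strings, and the sample clients and users are constructed for the example. Because an empty Allowed Tenants field grants every tenant to a User-role account, the example also includes the check an administrator would want: a list of User accounts whose scope is empty.

```python
"""Tenant-access resolution modelled on the OrelMSOC guide's rules.
Added illustration, not the platform's own code. Function names, role
strings and all sample data below are assumptions/constructed."""
from __future__ import annotations
from dataclasses import dataclass

ALL_TENANTS = "*"  # the value the guide says an empty allowed_tenants list resolves to


@dataclass(frozen=True)
class User:
    username: str
    role: str                          # assumed role strings: "site_admin", "admin", "user"
    allowed_tenants: tuple[str, ...]   # Client IDs from the Clients page; () means "all"


def resolve_tenants(user: User) -> str | tuple[str, ...]:
    """Login-time rule from the guide: Site Admin and Admin are always "*";
    for any role an empty list is also treated as "*"."""
    if user.role in ("site_admin", "admin"):
        return ALL_TENANTS
    if not user.allowed_tenants:
        return ALL_TENANTS
    return user.allowed_tenants


def effective_tenants(user: User, configured_clients: set[str]) -> set[str]:
    """Tenants the user actually sees. Stale Client IDs (clients that were
    deleted) are ignored, so a User whose list holds only stale IDs sees none."""
    scope = resolve_tenants(user)
    if scope == ALL_TENANTS:
        return set(configured_clients)
    return set(scope) & configured_clients


def token_tenant_claim(user: User) -> str | list[str]:
    """The tenant list the guide says is embedded in the JWT at login. It is
    computed once, which is why a permission change needs a re-login."""
    scope = resolve_tenants(user)
    return scope if scope == ALL_TENANTS else list(scope)


def users_with_empty_scope(users) -> list[str]:
    """Administrator check: User-role accounts whose empty Allowed Tenants
    field grants every tenant. Review these if any tenant should be restricted."""
    return sorted(u.username for u in users if u.role == "user" and not u.allowed_tenants)


# Constructed sample data (not from the page)
CLIENTS = {"acme", "globex", "initech"}
USERS = {
    "alice": User("alice", "site_admin", ("acme",)),        # field ignored for this role
    "bob":   User("bob", "user", ()),                        # empty -> all tenants
    "carol": User("carol", "user", ("acme", "old-client")),  # one stale ID, ignored
    "dave":  User("dave", "user", ("old-client",)),          # only stale IDs -> no tenants
}

if __name__ == "__main__":
    for u in USERS.values():
        print(f"{u.username:6} {u.role:11} -> {sorted(effective_tenants(u, CLIENTS))}")
    print("User accounts with empty scope:", users_with_empty_scope(USERS.values()))
```

Running the block prints each sample user's effective tenant set and flags `bob`, whose empty list gives him all three clients even though his role is User.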
SOP Reference & Quick Guide
| SOP ID | Title | When to Use |
|---|---|---|
| SOP-001 | Alert Triage | Every time a new alert appears in the dashboard |
| SOP-002 | Case Initiation & Assignment | When a ticket needs formal case structure or multi-analyst coordination |
| SOP-003 | Investigation & Evidence Collection | When investigating any confirmed incident or suspicious activity |
| SOP-004 | Containment Strategy | When an active threat is confirmed on a host or network |
| SOP-005 | Remediation & Recovery | After the threat is contained and systems need cleanup |
| SOP-006 | Escalation Procedure | When an incident exceeds current tier capability or requires management |
| SOP-007 | Communication Protocol | Throughout the incident lifecycle for internal and client communications |
| SOP-008 | Case Closure | When remediation is verified and the case is ready to close |
| SOP-009 | Daily SOC Operations | Start of every shift and throughout the day |
| SOP-010 | User & Tenant Administration | When creating users, assigning roles, or managing tenant access |
Frequently Asked Questions
Common questions about the OrelMSOC platform — from daily operations to troubleshooting. Click a question to expand the answer.
Getting Started
Navigate to your OrelMSOC URL in any modern browser. Enter your Username and Password (provided by your administrator) and click Sign In. If you don't have credentials, contact your SOC manager or system administrator.
Default credentials for first-time setup: admin / orelmsoc2026 (change immediately after first login for security).
Password reset is handled by administrators:
- Contact your SOC manager or another admin user.
- The admin goes to Administration > User Management, clicks Edit on your account, and sets a new password.
- There is currently no self-service password reset feature. This is planned for a future release.
If the Tenants dropdown only shows "-- Select Client --" with no options:
- No clients configured: An admin needs to add clients under Administration > Clients.
- Permission restriction: Your account may not have access to any tenants. Contact an admin to check your Allowed Tenants setting in User Management.
- Session expired: Try logging out and back in. If the issue persists, clear your browser cache and hard refresh (`Ctrl+Shift+R`).
- Server issue: Check if the backend server is running. If you see a red connection indicator in the sidebar, the ES backend may be unreachable.
OrelMSOC supports the latest versions of:
- Google Chrome (recommended)
- Mozilla Firefox
- Microsoft Edge (Chromium-based)
- Opera
Internet Explorer and legacy Safari versions are not supported. The platform requires JavaScript enabled.
Alerts & Monitoring
Active Alerts shows all incoming security alerts across all severity levels (Low to Critical) from the selected tenant.
Critical Alerts filters to show only alerts with Wazuh severity level 12 and above. These are the most dangerous events requiring immediate attention — ransomware, active C2 communication, privilege escalation, and confirmed data exfiltration.
Both pages allow ticket creation, escalation, and detailed inspection.
Possible reasons:
- No tenant selected: Make sure you have selected a client from the Tenants dropdown in the left sidebar.
- ES connection down: Check the connection status indicator in the sidebar footer. Red means the Elasticsearch backend is unreachable.
- No recent alerts: The environment may not have triggered any alerts in the selected time window. Try expanding the time filter or checking a different tenant.
- Index mismatch: The client's alert index prefix may be misconfigured. Check under Administration > Clients and verify the alert index prefix matches your Wazuh ES index pattern.
- Browser cache: Try a hard refresh (`Ctrl+Shift+R`) or open in an incognito window.
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Each alert may include:
- Tactic: The high-level goal (e.g., TA0006 - Credential Access, TA0005 - Defense Evasion)
- Technique ID: The specific method used (e.g., T1110 - Brute Force, T1562 - Impair Defenses)
You can click the Case Timeline page under Incidents to view the full MITRE ATT&CK matrix mapped against your active cases. This helps identify attack patterns and coverage gaps.
Cases & Incidents
- Ticket: A single incident record created from an alert or manually. Contains all details about one specific security event.
- Case: A grouping of related tickets under a unified identifier (e.g., SOC-2026-00042). Created when multiple tickets are related to the same incident.
- Investigation: A workspace for managing a case. Here you can see all linked tickets, notes, and the overall incident timeline.
Workflow: Alert → Ticket → Link related tickets → Create Case/Investigation → Investigate → Resolve → Close.
Open the ticket from Incidents > Open Incidents. In the ticket detail view, find the Assign button or dropdown. Select the analyst you want to assign the ticket to. The ticket ownership updates immediately, and the assigned analyst will see it in their queue.
If the target analyst doesn't appear in the assignee list, make sure they have a user account in the platform and the appropriate role.
The platform automatically tracks SLA deadlines based on severity:
- Critical: Response within 15 minutes, escalation at 30 minutes
- High: Response within 30 minutes, escalation at 1 hour
- Medium: Response within 4 hours, escalation at 8 hours
- Low: Response within 24 hours
When an SLA deadline is approaching, the ticket displays a warning indicator. If the deadline passes without action, the system logs an SLA breach and automatically triggers escalation notifications. Admins can configure SLA thresholds under Administration > System Settings.
Yes. Navigate to Incidents > Resolved Incidents, find the closed case, and change its status back to In Progress or New. The system preserves all original notes, evidence, and escalation history. A new audit log entry is created recording the reopening.
Reopening is appropriate when new evidence emerges or related alerts appear after closure.
Administration
Only users with the Site Admin or Admin role can create new users. Follow these steps:
- Go to Administration > User Management.
- Click Add User and fill in the form: Username, Display Name, Password, and Role.
- Available Roles: Site Admin (full access, can manage roles), Admin (full access, cannot manage roles), User (standard analyst, restricted by assigned tenants).
- Under Allowed Tenants, select which clients the user can access. Leave empty for access to all tenants (Site Admin and Admin roles always see all tenants regardless).
- Click Save. The user can now log in with their credentials.
Both roles have full access to all platform pages and features, but the key difference is role management:
- Site Admin — Can access Administration > Roles & Permissions to create, edit, and delete roles and their section-level permissions. This is the highest privilege level.
- Admin — Cannot manage roles. Can manage users, clients, integrations, settings, and audit logs, but the Roles & Permissions page is hidden.
Both roles see all tenants by default. The allowed_tenants setting is ignored for these roles.
Migration note: Existing admin users from previous versions were automatically upgraded to site_admin to preserve their existing access.
https://your-es:9200), ES Username, and ES Password.
orelmsoc-alerts) and Vulnerability Index if needed.
Go to Administration > System Settings and scroll to the SLA Configuration section. You can set:
- Response Hours — Time allowed before initial response is required
- Escalation Hours — Time before the ticket auto-escalates to the next tier
- Response Label — Display name for the response window (e.g., "15 mins", "4 hours")
- Escalation Label — Display name for the escalation window
Each severity level (Critical, High, Medium, Low) has its own SLA configuration. Changes take effect immediately for all new tickets.
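The SLA behaviour described in the FAQ answer on SLA tracking (per-severity response and escalation windows, a warning when the deadline approaches, a logged breach and escalation when it passes without action) and the System Settings fields listed just above can be modelled together. The following Python is an added illustration for this guide, not the platform's own code. It assumes the configuration is keyed by `response_hours`, `escalation_hours`, `response_label` and `escalation_label` (names chosen to mirror the fields on the page), uses the default windows quoted in the FAQ (with no escalation window for Low), treats "approaching" as 80% of the response window elapsed because the page gives no threshold, and uses constructed sample tickets.

```python
"""SLA deadline and breach/escalation states modelled on the OrelMSOC guide.
Added illustration, not the platform's own code. Config key names, the 80%
warning threshold and the sample tickets are assumptions/constructed."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Per-severity settings shaped like the System Settings fields the guide lists.
# Values are the defaults quoted in the FAQ; Low has no escalation window.
SLA_CONFIG = {
    "Critical": {"response_hours": 0.25, "escalation_hours": 0.5,
                 "response_label": "15 mins", "escalation_label": "30 mins"},
    "High":     {"response_hours": 0.5,  "escalation_hours": 1.0,
                 "response_label": "30 mins", "escalation_label": "1 hour"},
    "Medium":   {"response_hours": 4.0,  "escalation_hours": 8.0,
                 "response_label": "4 hours", "escalation_label": "8 hours"},
    "Low":      {"response_hours": 24.0, "escalation_hours": None,
                 "response_label": "24 hours", "escalation_label": "n/a"},
}

WARNING_FRACTION = 0.8  # assumption: the page does not say when "approaching" starts


def deadlines(created_at: datetime, severity: str, config=SLA_CONFIG):
    """Absolute response deadline and (optional) escalation deadline for a ticket."""
    cfg = config[severity]
    response_by = created_at + timedelta(hours=cfg["response_hours"])
    escalate_at = None
    if cfg["escalation_hours"] is not None:
        escalate_at = created_at + timedelta(hours=cfg["escalation_hours"])
    return response_by, escalate_at


def sla_state(created_at: datetime, now: datetime, severity: str,
              responded_at: datetime | None = None, config=SLA_CONFIG) -> str:
    """One of: met (responded in time), ok, warning (deadline approaching),
    breached (deadline passed), escalate (escalation deadline passed, no action)."""
    response_by, escalate_at = deadlines(created_at, severity, config)
    if responded_at is not None:
        return "met" if responded_at <= response_by else "breached"
    warn_at = created_at + (response_by - created_at) * WARNING_FRACTION
    if now < warn_at:
        return "ok"
    if now < response_by:
        return "warning"
    if escalate_at is not None and now >= escalate_at:
        return "escalate"
    return "breached"


def escalation_queue(tickets, now: datetime, config=SLA_CONFIG) -> list[str]:
    """IDs of tickets whose escalation deadline passed with no response, i.e. the
    ones the guide says receive automatic escalation notifications."""
    return [t["id"] for t in tickets
            if sla_state(t["created_at"], now, t["severity"],
                         t.get("responded_at"), config) == "escalate"]


# Constructed sample data (not from the page)
SAMPLE_CREATED = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)


def minutes_later(minutes: float) -> datetime:
    """Helper for building sample timestamps relative to SAMPLE_CREATED."""
    return SAMPLE_CREATED + timedelta(minutes=minutes)


SAMPLE_TICKETS = [
    {"id": "T-1", "severity": "Critical", "created_at": SAMPLE_CREATED},
    {"id": "T-2", "severity": "High", "created_at": SAMPLE_CREATED,
     "responded_at": minutes_later(10)},
    {"id": "T-3", "severity": "Low", "created_at": SAMPLE_CREATED},
]

if __name__ == "__main__":
    now = minutes_later(65)
    for t in SAMPLE_TICKETS:
        state = sla_state(t["created_at"], now, t["severity"], t.get("responded_at"))
        print(t["id"], t["severity"], SLA_CONFIG[t["severity"]]["response_label"], "->", state)
    print("escalate now:", escalation_queue(SAMPLE_TICKETS, now))
```

At 65 minutes after creation the Critical ticket with no response has passed both its 15-minute response and 30-minute escalation deadlines and is the only one in the escalation queue; the High ticket was answered in time, and the Low ticket is still well inside its 24-hour window.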
The platform includes 8 integration modules under Administration > Integrations:
- VirusTotal — Requires a VirusTotal API key. Used for file, URL, and hash reputation checks.
- AlienVault OTX — Requires an OTX API key. Community threat intelligence pulse feeds.
- AbuseIPDB — Requires an AbuseIPDB API key. IP blacklist and reputation scoring.
- Shodan — Requires a Shodan API key. Device fingerprinting and service exposure data.
- AdGuard DNS — Toggle on/off. No API key needed — auto-enabled for DNS events.
- Blocklist.de — Toggle on/off. No API key needed — auto-enabled for IP events.
- Slack — Requires a Slack incoming webhook URL for channel delivery.
- SMTP — Requires SMTP server host, port, username, and password for email notifications.
Each module shows its status (green = configured, yellow = untested, red = not configured). API keys are stored encrypted. Toggle modules on/off anytime.
Yes. Deleting a client from Administration > Clients only removes the connection configuration from the OrelMSOC platform (ES URL, credentials, index settings). It does not delete or modify any data in the client's Elasticsearch instance.
If you need to reconnect the client later, you can add them again with the same credentials. All historical alert data remains intact on their ES backend.
Troubleshooting
- Check the Tenants dropdown — Make sure a client is selected.
- Check connection status — Look at the bottom of the sidebar. Green = connected, Red = unreachable.
- Test the connection — Go to Administration > Clients and click Test Connection next to the affected client.
- Verify ES credentials — The ES URL, username, or password may have changed. Edit the client to update them.
- Check if the ES server is running — The issue may be on the Elasticsearch side, not the platform.
- Restart the platform — If all else fails, try restarting the OrelMSOC backend service.
This typically means one of the following:
- No clients configured: An administrator needs to add clients under Administration > Clients first.
- Browser cache: The page may be loading an old cached version. Perform a hard refresh (`Ctrl+Shift+R`) or clear your browser cache.
- Session token expired: Log out and log back in. If the page was restored from a previous session but the token expired, the dropdown may appear empty.
- Permission restriction: Your account may have Allowed Tenants set but no matching clients. Contact your admin.
Quick fix: Open an incognito/private window and navigate to the platform URL. If clients appear there, the issue is definitely browser cache.
This is most often a browser caching issue. The OrelMSOC platform now sends no-cache headers, but if you loaded the page before those headers were added, your browser may still serve an old cached version.
Solutions (in order):
- Hard refresh: `Ctrl+Shift+R` (Windows/Linux) or `Cmd+Shift+R` (Mac)
- Open DevTools (`F12`), go to the Network tab, check "Disable cache", then refresh
- Clear all site data: DevTools > Application tab > Clear site data
- Try an incognito/private window
- Clear your browser cache completely: Settings > Privacy & Security > Clear browsing data
Check your timezone setting:
- Go to Administration > System Settings.
- Find the Timezone setting. The default is Asia/Manila (UTC+8).
- Select your correct timezone and save.
Note: Timestamps in alert data come directly from Elasticsearch and are displayed in the configured timezone. Raw event timestamps in UTC are also available in the alert detail view.
Release Notes
Version history, changelog, and feature updates for the OrelMSOC platform.
How incoming alerts are classified and routed through the incident workflow.
Delete all open incidents and reset the case ID sequence back to SOC-{year}-00001. Closed/resolved incidents are preserved. This action cannot be undone.
Connection Info
Each client connects via Elasticsearch on port 9200. Configure credentials and index patterns for multi-tenant monitoring.
System Configuration
Timezone Setting
SLA Configuration
Incident Response Team