Problems It Solves

Who It Is For

Team Type	Why it fits
MSSPs	Supports scoped analyst visibility, repeatable workflows, and client-facing reporting
Enterprise SOCs	Helps centralize triage, investigations, and operational oversight
Internal Security Teams	Provides structure for incident handling without requiring a large tool stack
IR and Security Consultants	Useful for documenting cases, preserving evidence context, and demonstrating process maturity

Key Benefits

• ✓Faster alert triage with AI-assisted context and enrichment
• ✓Better analyst collaboration through structured cases, comments, and handoffs
• ✓Centralized incident workflow from ingestion to reporting
• ✓Improved auditability through status tracking, history, and controlled actions
• ✓Flexible integrations for AI, threat intel, messaging, and escalation

How It Works

Platform Features at a Glance

AlistoIR includes more than three working areas. The platform covers day-to-day SOC operations, investigation support, management visibility, administration, and security controls.

Main Operations

Feature	What prospective clients should know
Dashboard	Provides immediate operational visibility into alerts, cases, analyst activity, and system health
Alerts	Supports triage, enrichment, AI insight, and escalation decisions
Cases	Organizes investigations, evidence, comments, timelines, and resolution tracking
Tasks Template	Helps standardize investigation steps for repeatable case handling
Artifacts	Tracks observables such as IPs, domains, hashes, and other investigation pivots
Assets / CMDB	Adds business and ownership context to affected systems
Analyst Chat	Supports analyst coordination, handoffs, and team communication

Intelligence and Automation

Feature	What prospective clients should know
Playbooks	Helps standardize repeatable response actions and workflows
Threat Intel	Adds external context to indicators and suspicious activity
Threat Hunting	Supports proactive investigation and pivoting from observables
Integrations	Connects AlistoIR to AI, messaging, threat-intel, and response ecosystems

Management and Governance

Feature	What prospective clients should know
Reports	Supports stakeholder communication, management visibility, and incident documentation
SLA Tracking	Provides monitoring for response and resolution performance
Users	Supports role assignment and controlled access to platform capabilities
Custom Fields	Allows organizations to adapt case and workflow metadata to internal needs
2FA Settings	Adds an extra layer of account security for users

Common Use Cases

Use Case	How AlistoIR helps
Phishing Investigation	Track related alerts, document evidence, assign work, and produce a case report
Malware Triage	Use enrichment, AI summaries, and playbooks to speed up first response
Suspicious Login Response	Correlate alerts, escalate to a case, notify stakeholders, and preserve audit context
Endpoint Containment	Support governed response actions through approved workflows
Threat Hunting Support	Pivot from observables and track related findings in the same platform
Managed SOC Operations	Provide standardized workflows and role-based visibility across teams

Why It Is Different

• AlistoIR combines alert triage, casework, AI assistance, reporting, and integrations in one workflow.
• It is built around how analysts actually work, not just around storing alerts.
• It supports both investigation depth and operational coordination.
• It can fit internal SOCs, MSSPs, and teams that want a more guided incident response process.

Security and Governance

Control Area	Buyer-Friendly Summary
Role-Based Access	Users only see the data and actions appropriate to their responsibilities
Approval Workflows	Sensitive response actions can require oversight before execution
Audit Trail	Case activity, reporting, and operational actions remain traceable
Scoped Visibility	Analyst views can be limited by assigned scope or group

Deployment and Integration Options

• Currently supports Wazuh as the primary automated alert-ingestion source
• Supports AI-provider flexibility including cloud and local-model options
• Supports messaging and escalation channels such as Slack, Telegram, Teams, and PagerDuty
• Supports threat-intelligence workflows through services such as VirusTotal, AbuseIPDB, MISP, and OpenCTI
• Can fit different operating models, from internal security teams to MSSP environments

Frequently Asked Questions

Is AlistoIR only for Wazuh users?

AlistoIR currently supports Wazuh as its primary automated alert-ingestion source. Beyond ingestion, the platform also supports AI, threat-intelligence, notification, case-management, and workflow integrations that extend the investigation and response experience.

Can it support MSSP environments?

Yes. Scoped analyst access, structured case handling, and reporting workflows make it suitable for multi-team or service-provider operations.

Does it support approvals and governance?

Yes. The platform includes role-based access and approval-oriented workflow controls for sensitive actions.

Can AI be changed or disabled?

Yes. AlistoIR is built to work with multiple AI-provider options, including local-model workflows where supported by the environment.

Can it fit both technical analysts and decision-makers?

Yes. Analysts get investigation workflows and enrichment context, while managers and clients benefit from visibility, governance, and reporting outputs.

Planned Enhancement Areas

Area	Direction
Additional Ingestion Sources	Expand beyond the current primary ingestion path to support more alert and event sources over time
More SIEM / XDR Integrations	Broaden interoperability with external detection, telemetry, and response ecosystems
Expanded AI Workflows	Enhance AI-assisted triage, investigation support, summarization, and analyst guidance
Automation Depth	Increase approved playbook actions, workflow flexibility, and orchestration options
Reporting and Executive Views	Strengthen management dashboards, service metrics, and stakeholder-ready reporting outputs
MSSP and Multi-Team Support	Further improve scoped visibility, operational separation, and managed-service workflows
Asset and Threat Correlation	Deepen relationships between alerts, assets, observables, enrichment, and case context

Areas Being Explored

• Additional notification and escalation channels for different customer operating models
• Broader threat-intelligence connectors and ingestion options
• Deeper workflow support for cloud, identity, email, and endpoint investigations
• Improved analyst productivity features for large queues and high-volume environments
• More flexible customer-facing views for service providers and internal security leadership

Why This Matters

The roadmap reflects a simple goal: continue evolving AlistoIR from a strong operational incident-response platform into a broader security operations workspace that can support more teams, more integrations, and more mature response workflows.

Recommended Deployment Stack

Component	Guidance
Operating System	Modern Linux server deployment is recommended for production environments
Web Stack	PHP-based web server environment with HTTPS enabled
Database	MySQL or MariaDB sized for alert, case, artifact, and reporting workloads
Storage	SSD or NVMe storage is strongly recommended for alert ingestion and case operations
Background Jobs	Enable the platform's queue and scheduled processing for enrichment, AI, and workflow tasks

Baseline Infrastructure Sizing

Deployment Profile	CPU	Memory	Storage	Best Fit
Pilot / Lab	2 vCPU	4-8 GB RAM	80-120 GB SSD	Proof of concept, demos, low analyst concurrency
Small Production	4 vCPU	8-16 GB RAM	150-250 GB SSD/NVMe	Small internal SOC or early MSSP rollout
Medium Production	8 vCPU	16-32 GB RAM	300-500 GB NVMe	Multi-analyst operations with regular enrichment and reporting
High-Volume Production	16 vCPU+	32-64 GB RAM	1 TB+ NVMe	Higher event volume, heavier automation, and larger retained data sets

Estimated Capacity by Profile

These estimates assume a single-server style deployment, SSD/NVMe storage, normal case activity, and a practical alert pipeline where the upstream tooling already filters or aggregates noisy raw logs.

Profile	Estimated Alert / Event Volume	Practical Guidance
Pilot / Lab	Up to 10,000-25,000 alerts per day	Best for demos, validation, and light operational use
Small Production	About 25,000-75,000 alerts per day	Suitable for smaller teams with selective AI and enrichment workflows
Medium Production	About 75,000-200,000 alerts per day	Good fit for regular production use with multiple analysts and active integrations
High-Volume Production	200,000+ alerts per day with tuning	Plan for deeper performance tuning, retention strategy, and possible workload separation

What Affects Throughput

• Whether AI analysis runs broadly or only on selected alerts
• How many enrichment sources are called for each alert
• Alert size, artifact count, and correlation complexity
• Number of concurrent analysts using the platform
• Retention period for alerts, cases, evidence, and audit history
• Whether the database and application share the same server or are separated

Practical Best Practices

• Use upstream filtering and aggregation so AlistoIR receives investigation-grade alerts rather than every raw event
• Enable AI selectively for the most important alerts if you want higher throughput on smaller hardware
• Use SSD or NVMe storage for better database and queue performance
• Plan storage separately for evidence files if you expect large uploads or longer retention
• Reassess sizing as analyst count, integrations, and retention requirements increase

Deployment Model Overview

Model	Best Fit	What It Looks Like
Single Server	Pilot environments, demos, labs, and smaller production teams	Application, database, storage, and background processing run on one server
Separated Services	Growing internal SOC teams and early production rollouts	Application and database are split across dedicated infrastructure, with queue or scheduled processing handled in a controlled way
High Availability	Teams that need better resilience and reduced single-server risk	Multiple application nodes behind a load balancer, backed by shared data and storage services
Clustered / Scaled Deployment	Larger enterprises, MSSPs, or high-volume environments	Multiple frontends, resilient database services, dedicated workers, and shared storage coordinated as a broader platform deployment

Single Server Deployment

This is the simplest and fastest way to deploy AlistoIR. It works well for validation, small analyst teams, and environments where ease of setup is more important than redundancy.

• Recommended for proof of concept, pilot, and small-production use cases
• Lower infrastructure cost and simpler operations
• Best aligned with the sizing estimates shown in the System Requirements section
• Not ideal when strict uptime or fault tolerance is required

Separated Services Deployment

This pattern keeps the application tier and the database tier on separate infrastructure. It is often the best next step once teams outgrow a single server and want cleaner scaling for storage, performance, or backup strategy.

• Improves performance isolation between the user-facing application and database workloads
• Supports larger data retention, more analysts, and heavier reporting activity
• Allows background jobs and scheduled processing to be managed more deliberately
• Common choice for steady-state production environments that do not yet need full HA across every layer

High Availability Deployment

High availability is suitable when teams want the platform to remain reachable during node failures or maintenance windows. In this model, the application tier is scaled behind a load balancer while core services remain shared and resilient.

Area	HA Consideration
Web Nodes	Run multiple application nodes behind a load balancer
Sessions	Use sticky sessions or a shared session-storage strategy so analyst sessions remain consistent across nodes
Evidence and File Storage	Use shared storage so uploads, evidence, and generated outputs remain available to every node
Database	Use a resilient database deployment because database availability directly affects platform availability
Background Processing	Coordinate workers and scheduled jobs carefully so queue-processing activity remains controlled and predictable

This pattern can materially improve resilience, but it should be implemented as a coordinated platform architecture rather than simply adding more web servers.

Clustered or Large-Scale Deployment

For larger SOC teams, MSSP operations, or higher alert volumes, AlistoIR can be deployed as part of a broader scaled architecture. This usually means separating frontends, storage, database services, and background workers so each layer can be sized and governed appropriately.

• Best for larger retained data sets, more integrations, and heavier operational concurrency
• Allows dedicated capacity for web traffic, database activity, enrichment, AI workloads, and queue processing
• Benefits from shared storage, resilient database services, and disciplined operational monitoring
• Should be treated as an engineered deployment pattern that is validated against the customer's environment, workflows, and throughput goals

Practical Guidance

If your priority is...	Recommended starting point
Fast validation and low complexity	Start with a Single Server deployment
Cleaner production separation	Use a Separated Services deployment
Better resilience and reduced downtime risk	Adopt a High Availability architecture
Large-scale operations or MSSP growth	Plan a Clustered / Scaled Deployment with environment-specific validation

Important Design Notes

• The database remains a central dependency, so database design and availability are major factors in overall platform resilience
• Multi-node deployments should use shared storage for evidence, reports, and other operational files that must be visible across nodes
• Background jobs, queue workers, and scheduled processing should be coordinated as part of the overall deployment plan
• Capacity planning should consider not only alert volume, but also AI usage, enrichment activity, artifact growth, and analyst concurrency

Current Platform Version

Item	Value
Platform Version	2.0.0
Release Scope	Current customer-visible platform capabilities including timed IP blocking and multi-Wazuh-manager routing
History Use	Use this section to record notable product updates in future versions

Release History

Integration Categories

Category	What it adds to AlistoIR
AI Providers	AI-assisted triage, investigation support, alert interpretation, and analyst guidance
Threat Intelligence	Reputation checks, IOC enrichment, and external intelligence lookups
Notifications	Team alerts, collaboration updates, and escalation messaging
Response & Automation	Playbooks, webhook-based workflows, controlled ingestion paths, governed response actions, and endpoint block approvals

Supported AI Providers

Provider	How AlistoIR uses it
OpenAI	AI insight generation, alert explanation, and analyst assistance workflows
Claude / Anthropic	Alternate AI provider for investigation support and workflow assistance
Ollama / Local AI	Local-model option for teams that prefer self-hosted AI workflows
DeepSeek	Additional AI-provider option for supported AlistoIR AI workflows

AI capabilities in AlistoIR include AI Insight, the AI Investigation Assistant, and other AI-assisted analyst workflows. AI output is designed for decision support and should always be validated by an analyst.

Threat Intelligence Integrations

Integration	Primary Use
VirusTotal	Hash, IP, domain, and URL reputation enrichment
AbuseIPDB	IP reputation checks and abuse-score context
MISP	Threat-intelligence lookup and IOC import workflows
OpenCTI	Indicator import into local intelligence and IOC workflows

These integrations help populate alert and case context so analysts can review evidence, enrichment scores, and external references without leaving the platform.

Notification and Escalation Integrations

Integration	Purpose
Slack	Security notifications and team coordination messages
Telegram	Bot-based alerting and mobile-friendly notification delivery
Microsoft Teams	Channel notifications for operational awareness and escalations
PagerDuty	Incident escalation for urgent or high-impact events

Response and Automation Integrations

Integration	Role in the system
Wazuh Native Integration	Current primary automated alert-ingestion path into AlistoIR for triage, case creation, and response workflows
Webhooks	Connects AlistoIR playbooks to approved external systems and services
Wazuh Active Response	Supports governed endpoint response actions, including timed IP blocking through approved workflows
Wazuh Manager Registry	Routes agent status lookups and response actions to the correct Wazuh Manager in multi-manager deployments

Where You See These Features

• Alerts: AI Insight, enrichment, reputation context, and investigation pivots
• Cases: Analyst workflows, evidence handling, reporting, and linked intelligence
• Playbooks: Notifications, webhooks, and approved automated response steps
• Dashboard: System and integration health visibility

KPI Cards

The top row shows six health indicators. Each one measures a different dimension of SOC activity.

Card	What it shows	When to act
Open Cases	Cases not yet Closed or False Positive	High count relative to analyst capacity
Active Alerts	Alerts not dismissed, closed, or false positive	Growing count means queue review needed
Alerts Today	Alerts ingested today	Spike vs. previous day may signal an incident
Unenriched Alerts	Alerts still waiting for enrichment	Open the alert queue and run enrichment for pending items
MTTD	Average hours from alert creation to case linkage	High MTTD = alerts sitting too long before investigation
Conversion Rate	% of alerts linked to a case (last 7 days)	Low rate = analysts dismissing without escalating

Alert Trend Chart

A 7-day stacked bar chart of alert counts grouped by severity.

Color	Severity
Red	Critical
Yellow	High
Blue	Medium
Green	Low

Top Triggered Rules

Top 10 detection rules by alert count in the last 7 days. Use this to identify noisy rules needing tuning, or recurring patterns that should become investigation playbooks.

Recent IOC Match Feed

The last 8 IOC matches across all alert traffic. Use it to confirm enrichment is running and quickly follow up on fresh threat intelligence hits before the queue reaches them.

Priority Response

Open cases with no assigned analyst. Cases are color-coded by age:

Badge	Meaning
🔥 Red	Older than 48 hours - SLA breach risk
⏰ Yellow	Older than 24 hours - needs attention soon
No badge	Less than 24 hours old - normal state

Source Hotspots

Top countries by alert volume based on source IP. Click any country row to open a modal showing all alerts from that country in the last 30 days - including rule description, severity, status, IPs, and timestamp.

System Status

Health of connected services and platform integrations. Each integration shows Online, Degraded, or Offline. Check this at the start of an incident response to confirm the platform is ready for use.

Refresh Cadence

Section	Refresh
KPI cards, charts, rules, IOC feed, System Status	Live (page load)
Priority Response, Source Hotspots	Auto-refresh every 10 seconds

1. Open the Alert Queue

Go to Alerts from the sidebar. Use filters to narrow the queue before reviewing individual alerts:

• Filter by Status - start with New
• Prioritize Critical and High severity first
• Filter by source, date range, or agent group as needed

2. Review Alert Details

Open the alert detail page. Work through these fields in order:

3. Enrich and Validate

• Single alert enrichment - use the IOC Enrich action on the alert detail page.
• Bulk enrichment - use the batch enrichment option from the Alerts module when multiple items need to be processed.
• Use enrichment results to support your decision, not replace it.

4. Update Status with a Reason

Always add a short analyst reason when changing status so later reviewers understand the decision.

Action	When to use
Mark Reviewed	Reviewed, no escalation needed
Mark Escalated	Escalated to Tier 2 or case-linked
Mark Dismissed	False positive or confirmed benign - requires a reason
Mark New	Reset to new for re-triage

5. Link or Escalate to a Case

• Use Link to Case if a related investigation already exists.
• Use Create New Case from this Alert if a new investigation is needed.
• Suggested duplicate cases are recommendations only - the analyst always decides.

Quick Checklist

• ✓Validate the alert using the readable summary and raw JSON.
• ✓Run enrichment if IOC data is missing or stale.
• ✓Record a clear reason for every status change.
• ✓Escalate or link to a case for anything that cannot be safely dismissed.

1. Open or Find a Case

Go to Cases from the sidebar. Filter by status, date, assigned analyst, or severity. Cases may already be linked from alerts or auto-created by playbooks.

2. Review the Case Overview

Before changing anything, review the full context:

• Case header, severity, priority, and SLA status
• Assigned analyst and linked alerts
• Artifacts, comments, evidence files, and timeline
• Suggested matching alerts (review before linking)

3. Templates and Tasks

When a case is created from an alert, the system may suggest a case template with pre-defined investigation tasks. Some rules can also add tasks automatically. Keep the suggested template only if it fits the actual incident type.

4. Evidence and Comments

• Upload screenshots, PDFs, and other allowed file types in the evidence section.
• Add comments and use @mentions to notify the right analyst.
• Keep evidence inside the case for better auditability and audit trail completeness.

5. AI and MITRE Support

6. Update or Close the Case

Status	Meaning
In Progress	Investigation underway
Pending	Waiting on information or external action
Closed	Fully resolved and documented
False Positive	Confirmed not a real incident

Always record the correct resolution type and add final notes before closure.

7. Case Reports

Use Generate Report to produce a PDF case report. Available to Manager and Admin roles. The report includes:

1. Cover Page
2. Overview (status, severity, priority, TLP, verdict, SLA)
3. Custom Fields
4. Business Impact & SLA Metrics
5. Observable Summary & Affected Assets
6. MITRE Techniques
7. Linked Alerts and Artifacts (with VirusTotal/AbuseIPDB scores)
8. Evidence Files & Investigation Tasks
9. Analyst Comments (up to 30 entries)
10. Case History / Audit Trail (up to 40 entries)
11. AI Security Insight

Quick Checklist

• ✓Review the full case context before making changes.
• ✓Add evidence and investigation notes as you work.
• ✓Correlate alerts, observables, and enrichment data.
• ✓Close the case only after the resolution is clearly documented.

1. Create a Playbook

Open Playbooks from the sidebar to create reusable response workflows. Creation and editing are limited to authorized roles.

Each playbook should have a clear purpose, an appropriate trigger, and a sequence of actions that analysts can understand and review before use.

2. Supported Actions

Action Type	Purpose
Notification	Notify users or teams when a response step needs attention
Alert and case updates	Update statuses, add notes, and keep investigations organized
Evidence handling	Add observables and supporting context to an investigation
Assignment and routing	Send work to the right analyst or team
External integrations	Coordinate with approved external systems when needed
Response actions	Run approved containment or remediation steps under governance controls

3. Conditional Steps

Conditional steps let a playbook behave differently depending on the alert or case context. Use them to keep workflows targeted and avoid unnecessary actions.

Operator	Meaning
equals	Exact match (case-insensitive)
not_equals	Does not match
in	Value is in a list
contains	String contains substring
empty / not_empty	Field is blank / has a value
greater_than / less_than	Numeric comparisons

4. Webhook Action

Webhook-based steps can connect AlistoIR to approved ticketing, messaging, or service platforms. Public documentation intentionally omits implementation details and credentials handling.

5. Available Placeholders

Playbooks can reference approved alert, case, and asset fields from the current context. The exact placeholder catalog is kept in internal administrator documentation.

6. Scheduled Execution

Some playbooks can be scheduled to run automatically at approved intervals. Scheduling setup and infrastructure details are maintained in private deployment documentation.

Interval	Period
hourly	Every hour
every_6h	Every 6 hours
daily	Every 24 hours
weekly	Every 7 days

7. Approval Workflow

Common Mistakes

• Keep each playbook focused on one response goal
• Review step order carefully before activation
• Test new playbooks in a controlled environment before wider use
• Use approval gates for any action with operational impact

1. Prepare the Ingest Endpoint

Before enabling the integration, confirm that the AlistoIR environment is ready to receive alerts and that your integration settings have been configured by an authorized administrator.

Response	Meaning
Reachable	The AlistoIR ingest service is available to the integration source
Restricted	The service is online but requires valid integration settings or authorization
Unavailable	The integration path is not currently reachable and needs administrator review

2. Deploy the Native Integration

Deployment should follow your organization's internal integration runbook. Public documentation does not include server paths, service accounts, file permissions, or installation commands.

3. Configure the Integration

Configuration should be completed only by authorized personnel using the private deployment guide and approved environment-specific settings.

Multi-Manager Routing

AlistoIR can operate with more than one Wazuh Manager when responder endpoints are mapped to a manager key. This allows status checks and endpoint-response actions to be routed to the correct Wazuh API target instead of relying on a single global manager connection.

Endpoint Blocking

AlistoIR supports governed IP-block request workflows through Wazuh Active Response. Timed blocking can be requested from alert, artifact, and blocked-IP views and approved according to role-based workflow rules. Public documentation intentionally omits environment-specific command, timeout, and deployment values.

4. Test the Integration

5. Troubleshooting

Common Failure Causes

Symptom	Likely Cause	Fix
Connection refused	The source cannot reach AlistoIR	Ask an administrator to verify network and service availability
Authorization error	Integration settings do not match the approved configuration	Re-check the secure integration setup with an authorized administrator
Validation error	The incoming alert format is not accepted	Review the integration format and mapping in the private deployment guide
Alert not visible in AlistoIR	Filtering or routing rules prevented ingestion	Review scope and routing settings with the integration owner
Delayed ingestion	Upstream or downstream processing is under load	Check platform health and retry after the queue stabilizes
Block request stays pending	The target Wazuh Manager does not have the expected active-response configuration or endpoint mapping	Review the manager mapping, timed active-response setup, and target endpoint registration

6. Trusted Proxy Configuration

Role Overview

Role	Primary Responsibility
Tier 1	Alert validation, enrichment, and escalation
Tier 2	Deep investigation, case correlation, and closure
Manager	Oversight, reporting, approvals, and workflow governance
Admin	System administration, access control, and platform governance

Tier 1 - Alert Analyst

Can do

• View and filter the alert queue
• Run IOC enrichment on individual alerts
• Change alert status (with reason)
• Escalate alerts to Tier 2 or link to a case
• View dashboard and artifact data

Cannot do

• Create or edit playbooks
• Run sensitive response actions without approval
• Generate case reports
• Manage users or platform configuration

Tier 2 - Senior Analyst

Can do (in addition to Tier 1)

• Take full ownership of case investigations
• Correlate evidence, artifacts, and IOC matches
• Close and resolve cases with resolution type
• Run approved manual playbooks if allowed
• Access threat hunting and CMDB modules

Still cannot do

• Run sensitive response actions without approval
• Generate case reports unless granted the required role access
• Create or edit playbooks

Manager

Can do (in addition to Tier 2)

• Create, edit, and delete playbooks
• Approve or reject sensitive response requests
• Generate and download case reports
• View SLA oversight, queue monitoring, and analytics
• Manage integration settings

Admin

Full platform access including:

• User management - create, edit, lock, unlock accounts
• Agent group configuration and analyst scope assignment
• Platform-wide settings and secure system administration
• All Manager capabilities

Agent Group Scoping

1. Start of Shift

2. Work the Alert Queue

1. Go to Alerts. Filter by Status = New.
2. Start with Critical and High severity.
3. Use the readable summary first, then confirm with raw JSON if needed.
4. Pay attention to: severity, risk score, source/destination fields, hostname, user, MITRE mapping, and linked artifacts.

Alert detail checklist

• ✓Confirm what triggered the rule.
• ✓Review AI Insight for summary and suggested next actions.
• ✓Check IOC enrichment status and matched values.
• ✓Review CMDB/Asset context if available.
• ✓Use hunt pivots for source IP, destination IP, hostname, or hash.
• ✓Add a clear note before changing status.

3. Using AI Correctly

• Use AI Insight to understand the alert quickly.
• Use the alert chatbot to ask about similar alerts, MITRE explanation, or related IPs.
• Analysts still decide: dismiss, escalate, link to a case, or investigate further.

4. When to Escalate to a Case

• The alert cannot be safely dismissed at Tier 1
• Multiple related alerts or affected hosts
• IOC matches, high risk score, or significant business context
• Activity suggests persistence, lateral movement, credential abuse, or confirmed malware

5. Threat Hunting Pivots

Use Threat Hunting to pivot from any observable and find related activity:

Pivot Type	Good hunt goal
Source / Destination IP	Did this IP touch other assets?
Hostname	Other alerts on the same endpoint?
Username	Credential abuse or account takeover pattern?
Hash	Same file seen on other hosts?
Process name	Lateral movement or persistence technique?

6. End of Shift

• ✓Update all alert and case statuses accurately.
• ✓Leave clear notes for anything being handed off.
• ✓Ensure high-risk work is escalated, assigned, or explicitly transferred.
• ✓Check the dashboard again before logging off.

Quick Rules

1. Plan Overview

All plans run on a monthly billing cycle. Usage counters (alerts, cases, API calls) reset to zero at the start of each new billing period. Unused quota does not roll over to the next month.

Feature	Starter	Professional	Business	Enterprise
Alert ingestion / month	1,000	10,000	50,000	Unlimited
Analyst seats	3	10	30	Unlimited
Wazuh managers	1	2	5	Unlimited
Ingest API keys	1	2	10	Unlimited
Storage	500 MB	5 GB	20 GB	Unlimited
AI integration	✗	✓	✓	✓
Playbooks	✗	✓	✓	✓
Threat hunting	✗	✓	✓	✓
Custom TI API keys	✗	✓	✓	✓
Bring your own Wazuh	✗	✓	✓	✓
SLA monitoring	✗	✗	✓	✓
Advanced reports	✗	✗	✓	✓
White-label branding	✗	✗	✗	✓
Trial period	30 days free — full Starter access, no card required

2. Starter Plan

Designed for small teams or organisations that are just beginning to build a structured incident response practice. Gives full access to the core investigation and triage workflow without optional advanced modules.

What's included

• ✓1,000 alerts per month — alerts ingested via Wazuh or the REST ingest API. Counter resets on the first day of each billing period.
• ✓3 analyst seats — any combination of Viewer, Analyst, Tier-2, or Manager roles up to the seat cap. The Tenant Admin account does not consume a seat.
• ✓1 Wazuh manager connection — connect a single Wazuh API endpoint to route alerts and dispatch active responses.
• ✓1 ingest API key — for sending alerts from non-Wazuh sources to the platform REST API.
• ✓500 MB storage — covers case evidence uploads, chat attachments, and exported reports.
• ✓Alert triage & enrichment — manual and batch enrichment via built-in shared threat intel sources (VirusTotal, AbuseIPDB, MalwareBazaar, and others).
• ✓Case management — unlimited cases, evidence, timelines, tasks, comments, and analyst assignment.
• ✓Analyst Chat — real-time SOC chat with public channels, file sharing, @mentions, reactions, and message search.
• ✓IOC management — create, import, and match indicators of compromise against ingested alerts and artifacts.
• ✓Basic dashboard & reports — alert trends, case counts, and analyst activity summaries.
• ✓Role-based access control — viewer, analyst, tier-2, and manager roles with scoped permissions.
• ✓2FA support — optional TOTP-based two-factor authentication per user.

What's not included

• AI-powered enrichment and case analysis (requires Professional or above)
• Automated playbooks (requires Professional or above)
• Threat hunting module (requires Professional or above)
• Custom threat intel API keys — uses shared platform keys only
• SLA monitoring and breach tracking (requires Business or above)
• Advanced analytics and exported reports (requires Business or above)

3. Professional Plan

The most popular tier for active SOC teams. Unlocks AI-powered analysis, automated playbooks, threat hunting, and the ability to connect your own threat intelligence API keys — turning AlistoIR from a triage tool into a full response platform.

What's included (everything in Starter, plus)

• ✓10,000 alerts per month — 10× the Starter quota, suitable for most mid-size environments.
• ✓10 analyst seats — cover a full shift team with roles from viewer through manager.
• ✓2 Wazuh manager connections — route alerts from two separate Wazuh deployments or environments (e.g., production and staging).
• ✓2 ingest API keys — support multiple non-Wazuh alert sources concurrently.
• ✓5 GB storage — sufficient for evidence archives, exported PDFs, and chat files.
• ✓AI-powered enrichment — connect your own OpenAI, Anthropic, or local LLM API key. AI analyses alert raw JSON, generates case summaries, classifies threats, and suggests remediation steps. Each tenant's key is isolated — platform credentials are never used.
• ✓Automated playbooks — build response playbooks with condition-based branching, multi-step actions (notify, block IP, create task, escalate), and execution history. Run automatically on alert match or manually from a case.
• ✓Threat hunting — pivot-driven search across ingested alerts and assets. Save and share hunting queries across your team. Schedule recurring hunts.
• ✓Custom TI API keys — supply your own VirusTotal, AbuseIPDB, Shodan, GreyNoise, AlienVault OTX, URLScan, and OpenCTI API keys. Quota and rate limits are then governed by your own account, not shared platform buckets.
• ✓Bring your own Wazuh — connect your self-hosted Wazuh manager directly with full API credentials, rather than using a shared managed connection.

4. Business Plan

Built for high-volume environments and compliance-driven organisations where every alert must be handled within a documented SLA window and leadership requires formal metrics and reporting.

What's included (everything in Professional, plus)

• ✓50,000 alerts per month — handles large enterprise or multi-site environments without quota anxiety.
• ✓30 analyst seats — support full 24×7 shift coverage across multiple analyst tiers.
• ✓5 Wazuh manager connections — connect multiple regional or department Wazuh deployments.
• ✓10 ingest API keys — accept alerts from many diverse sources simultaneously.
• ✓20 GB storage — supports long-term evidence retention and large batch report exports.
• ✓SLA monitoring & breach tracking — define response and resolution SLA targets per alert severity. Platform tracks time-to-detect, time-to-respond, and time-to-resolve. Breached SLAs are flagged in the dashboard and alert list. SLA data is included in case timelines and exported reports.
• ✓Advanced analytics & reports — full report builder with analyst productivity metrics, MTTD/MTTR breakdowns, alert volume trends by source, severity, and rule, case resolution rates, and PDF/CSV export. Suitable for management and compliance reporting.

5. Enterprise / Custom Plan

No limits. Custom contract. Everything in Business, plus white-label branding and dedicated support.

What's included (everything in Business, plus)

• ✓Unlimited alert ingestion — no monthly cap. High-throughput environments with millions of Wazuh events per day are fully supported.
• ✓Unlimited seats — no analyst seat cap. Create as many users as your team requires.
• ✓Unlimited Wazuh managers & ingest keys — connect every infrastructure zone, region, or client without limit.
• ✓Unlimited storage — evidence, exports, and chat files are not quota-gated.
• ✓White-label branding — replace the AlistoIR logo, platform name, and colour scheme with your own brand. Ideal for MSSPs presenting the platform under their own identity to clients.
• ✓Custom data retention policies — negotiated alert and case retention periods beyond platform defaults.
• ✓Dedicated onboarding & support — priority support channel, deployment assistance, and a named account contact.
• ✓Custom integrations — bespoke connectors, webhook configurations, and SIEM bridge implementations scoped to your environment.

6. Free Trial

Every new workspace starts with a 30-day free trial on the Starter plan. No credit card is required to register. During the trial, the full Starter feature set is available with the standard Starter quotas.

Trial detail	Value
Duration	30 days from registration
Plan	Starter (1,000 alerts/month, 3 seats, 500 MB)
Card required	No
Auto-converts to paid	No — trial expires; subscription must be activated manually
Data retained after expiry	Cases, alerts, and evidence are preserved. Ingestion is suspended until a plan is activated.

7. Usage & Quota Tracking

Usage is tracked per billing period in the platform's usage metrics store. You can view your current usage at any time from Profile → Subscription.

Alert ingestion counter

Every alert accepted by the platform — whether from Wazuh, the REST ingest API, or manual creation — increments the alert_count for the current billing period. The counter is checked before the alert is stored. If the limit is reached, the ingest API returns HTTP 429 and the alert is rejected.

Tracked usage metrics

Metric	What it counts
alert_count	Alerts ingested in the current billing period
case_count	Cases created in the current billing period
user_count	Active user seats (snapshot, updated hourly)
wazuh_manager_count	Connected Wazuh manager entries
ingest_key_count	Active ingest API keys
storage_total_bytes	Total storage used — evidence, chat files, exports (snapshot, updated hourly)
ti_vt_calls	VirusTotal API calls made this period
ti_abuseipdb_calls	AbuseIPDB API calls made this period
ai_request_count	AI API requests sent this period
ai_token_used	Total AI tokens consumed this period

8. What Happens at the Quota Limit

Alert ingestion limit reached

When alert_count reaches max_alerts_per_month:

• The ingest API returns HTTP 429 Too Many Requests with a JSON error message.
• Wazuh active response dispatch continues to work — only new ingestion is blocked.
• Existing alerts, cases, and enrichment are unaffected.
• The block lifts automatically on the first day of the next billing period when the counter resets.

Storage limit reached

When total storage reaches the plan maximum:

• Evidence uploads and chat file attachments are rejected with an error message.
• Existing files are not deleted — only new uploads are blocked.
• Free up space by deleting old evidence files, or upgrade to a higher plan.

Seat limit reached

When the active user count reaches max_users:

• Creating new user accounts returns an error.
• Existing users are not affected.
• Deactivating a user frees the seat immediately.

Feature not on your plan

Attempting to access a feature not included in your plan (e.g., Playbooks on Starter) returns an access-denied message with a prompt to upgrade. No data is lost — upgrading immediately unlocks the feature for all existing content.

9. Billing Cycle & Renewal

AlistoIR uses manual billing — there is no automatic card charge or auto-renewal. Each billing period is a fixed date range set by the platform administrator.

10. Upgrading Your Plan

To upgrade from one plan to another:

1. Open Profile → Subscription from the sidebar or your profile menu.
2. Click Upgrade next to the desired plan.
3. Contact the AlistoIR team (the modal provides contact details). Upgrades are applied by the platform administrator after payment confirmation.
4. Once the plan is updated, the new limits and features take effect immediately — no restart or migration is needed.

11. Feature Detail Reference

AI Integration

Available on Professional, Business, and Enterprise plans. AI features require the tenant to supply their own API key from a supported provider. The platform never uses a shared platform-level key for tenant enrichment.

AI Feature	What it does
Alert AI Insight	Analyses raw Wazuh alert JSON to explain what the rule triggered on, likely attack stage, and recommended next steps.
Case Summary	Generates a structured incident summary from linked alerts and case metadata — useful for management briefings and report drafting.
Threat Classification	Classifies the case against MITRE ATT&CK tactics and techniques based on alert content and artifacts.
Investigation Checklist	Auto-generates a context-aware investigation checklist with steps tailored to the detected threat type.
Remediation Steps	Provides severity-adjusted remediation guidance for case resolution.
Threat Hunting Techniques	Suggests targeted hunting queries and pivot points based on the active case and its indicators.
Artifact AI Enrichment	Supplements threat intel lookups with AI-generated context: threat level assessment, confidence score, and recommended action.

Supported AI providers: OpenAI (GPT-4o, GPT-4o-mini, GPT-3.5-turbo), Anthropic (Claude 3 Sonnet, Haiku, Opus), and Local LLM (Ollama-compatible — no cloud data transfer).

Playbooks

Available on Professional, Business, and Enterprise plans. Playbooks are response automation scripts that run either on alert match (automatic trigger) or manually from a case.

• Multi-step actions: notify via Slack/Teams/Telegram/PagerDuty, block an IP via Wazuh Active Response, create a case task, escalate to a manager, or call a custom webhook.
• Condition branching: steps can be conditional on alert severity, source IP range, rule ID, or asset criticality.
• Execution history: every playbook run logs each step outcome, timestamps, and any error for full auditability.
• Shared templates: playbook templates can be promoted to other tenants by platform admins.

Threat Hunting

Available on Professional, Business, and Enterprise plans. The hunting module provides a structured workspace for proactive threat searches across ingested data.

• Build queries against alerts, assets, artifacts, and custom fields.
• Save and share queries across the team.
• Link hunt findings directly to cases for seamless escalation.
• Schedule recurring hunts to run on a cron interval.

SLA Monitoring

Available on Business and Enterprise plans. SLA targets are defined per alert severity (critical, high, medium, low) and cover three stages:

Stage	Measured from	Measured to
Time to Detect (TTD)	Alert created	Alert linked to a case
Time to Respond (TTR)	Alert created	First analyst action on the case
Time to Resolve (TTRes)	Alert created	Case resolved or closed

Breached SLAs are highlighted in the alert list, the case view, and the dashboard. SLA data is included in exported case reports for compliance evidence.

Advanced Reports

Available on Business and Enterprise plans. Adds a full analytics suite beyond the basic dashboard:

• Analyst workload and productivity metrics (alerts handled, cases closed, MTTR per analyst)
• Alert source breakdown — rules, agents, severity distribution over custom date ranges
• MTTD and MTTR trend lines across weeks and months
• Case resolution rate and open/closed breakdown over time
• Threat intelligence call volumes and source utilisation
• PDF and CSV export for management and audit submission

Custom Threat Intelligence Keys

Available on Professional, Business, and Enterprise plans. Each tenant can supply their own API keys for:

• VirusTotal — file hashes, IPs, domains, URLs
• AbuseIPDB — IP reputation and abuse reports
• MalwareBazaar — malware hash database
• AlienVault OTX — open threat exchange pulses
• GreyNoise — internet noise context for IPs
• Shodan — passive host intelligence for IPs
• URLScan.io — URL and domain sandbox analysis
• OpenCTI — structured threat intelligence platform integration
• MISP — malware information sharing platform

On Starter, enrichment uses shared platform-level keys with rate-limited quotas. On Professional and above, your own keys are used so your quota is fully independent.

White-Label Branding

Available on Enterprise plans only. Allows MSSPs and large organisations to present AlistoIR under their own brand identity to their end clients.

• Custom logo in the top navigation bar and email notifications
• Custom platform name (replaces "AlistoIR Enterprise" in the UI)
• Custom colour scheme and accent colours
• Custom login page background and footer text

12. Frequently Asked Questions

Does unused alert quota carry over?

No. Each billing period starts at zero. If you used 300 of 1,000 alerts in January, you start February with a fresh 1,000 — not 1,300. Design your monitoring scope around the monthly quota, not cumulative availability.

What happens if I go over the alert limit mid-month?

New alert ingestion is blocked (HTTP 429) until the next billing period. Existing alerts, cases, enrichment, and all other platform features remain fully functional. Contact the AlistoIR team to temporarily raise your limit or upgrade your plan.

Can I add more seats without upgrading the plan?

Seat limits are fixed per plan tier. To add seats beyond your plan limit, you must upgrade to the next tier. Deactivating existing users frees seats immediately.

What happens if I cancel?

On cancellation, alert ingestion stops and no new users can be added. All existing data — alerts, cases, evidence, timelines — is preserved and remains accessible for review. Platform administrators can export data before decommissioning a workspace.

Can I switch from monthly to annual billing?

Yes. Contact the AlistoIR team. Annual contracts are available for all paid plans, typically at a discount compared to 12 individual monthly periods.

Is my data shared between tenants?

No. AlistoIR uses shared-schema multi-tenancy with strict tenant_id isolation on every table. Alerts, cases, users, playbooks, chat messages, and AI enrichment are all scoped to your workspace. No data is accessible across tenant boundaries — even for platform administrators, all cross-tenant access is logged in a break-glass audit trail.

Can I upgrade mid-period?

Yes. The new plan limits and features apply immediately. Alert usage counters are not reset mid-period — they continue from where they were and reset at the start of the next billing period against the new, higher limit.