TECH FEATURES
Universal Ingestion Engine
Connect to any SIEM, server, cloud, identity provider, or security device. Ingest via API pull, webhook push, syslog, SFTP file pulls, cloud buckets, folder watchers, or bulk uploads.
Multi-Format Log Support
Parse and normalize JSON, NDJSON, CSV, Syslog, CEF, LEEF, Apache/Nginx formats, IIS W3C, and compressed bundles (ZIP/GZ) so hunts work across every environment.
Schema Normalization Layer
All incoming logs convert into one hunting schema (time, host, user, IP, domain, URL, action, outcome, severity, confidence). This enables fast cross-source correlation without custom glue.
No-Code Field Mapping Wizard
If a log format is unfamiliar, ZelKill opens a mapping wizard to bind fields to the ZelKill schema. Save mapping templates per integration and reuse them instantly.
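The three features above (multi-format parsing, the common hunting schema, and saved field-mapping templates) are illustrated below with an added example that is not ZelKill's own code. It assumes the schema field names listed on the page, a low/medium/high severity scale, and a hypothetical JSON source whose mapping template is a plain dictionary; the sample CEF, JSON and syslog lines are constructed.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# The common hunting schema named on the page; every parser fills all of these keys.
SCHEMA = ("time", "host", "user", "ip", "domain", "url",
          "action", "outcome", "severity", "confidence")

# Constructed sample records, one per source format.
CEF_LINE = ("CEF:0|Vendor|Firewall|1.0|100|Blocked connection|7|"
            "src=10.0.0.5 dst=203.0.113.9 dhost=bad.example.net suser=alice "
            "act=block outcome=failure rt=1714557600000 dvchost=fw01")
JSON_LINE = ('{"ts":"2024-05-01T10:00:00Z","hostname":"web01","username":"bob",'
             '"client_ip":"198.51.100.7","request":"https://example.com/login",'
             '"result":"success","level":"low"}')
SYSLOG_LINE = ("<38>May  1 10:02:03 db01 sshd[1234]: Failed password for invalid user "
               "root from 192.0.2.10 port 22 ssh2")

# A saved mapping template for an unfamiliar JSON source (hypothetical): source field -> schema field.
JSON_TEMPLATE = {"ts": "time", "hostname": "host", "username": "user", "client_ip": "ip",
                 "request": "url", "result": "outcome", "level": "severity"}

def empty_event():
    return {field: None for field in SCHEMA}

def to_iso(dt):
    return dt.astimezone(timezone.utc).isoformat()

def cef_severity(raw):
    # CEF severity is 0-10; fold it onto the assumed low/medium/high scale.
    n = int(raw)
    return "high" if n >= 7 else "medium" if n >= 4 else "low"

CEF_RE = re.compile(r"^CEF:\d+\|(?:[^|]*\|){4}(?P<name>[^|]*)\|(?P<severity>[^|]*)\|(?P<ext>.*)$")

def parse_cef(line):
    m = CEF_RE.match(line)
    if not m:
        raise ValueError("not a CEF line")
    ext = dict(re.findall(r"(\w+)=(\S+)", m.group("ext")))
    ev = empty_event()
    if "rt" in ext:  # CEF receipt time is epoch milliseconds
        ev["time"] = to_iso(datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc))
    ev["host"], ev["ip"], ev["domain"] = ext.get("dvchost"), ext.get("src"), ext.get("dhost")
    ev["user"], ev["action"], ev["outcome"] = ext.get("suser"), ext.get("act"), ext.get("outcome")
    ev["severity"] = cef_severity(m.group("severity"))
    ev["confidence"] = "high"  # structured source with vendor-defined keys
    return ev

def parse_json(line, template):
    raw = json.loads(line)
    ev = empty_event()
    for src_field, schema_field in template.items():
        if src_field in raw:
            ev[schema_field] = raw[src_field]
    if isinstance(ev["time"], str):
        ev["time"] = to_iso(datetime.fromisoformat(ev["time"].replace("Z", "+00:00")))
    if ev["url"] and not ev["domain"]:
        ev["domain"] = urlparse(ev["url"]).hostname
    ev["confidence"] = "high"
    return ev

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<app>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse_syslog(line, year=2024):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    ev = empty_event()
    stamp = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    ev["time"] = to_iso(stamp.replace(tzinfo=timezone.utc))
    ev["host"] = m.group("host")
    ev["severity"], ev["confidence"] = "low", "low"
    fail = SSH_FAIL_RE.search(m.group("msg"))
    if fail:  # free-text message: fields come from a regex, so confidence is lower
        ev["user"], ev["ip"] = fail.group("user"), fail.group("ip")
        ev["action"], ev["outcome"] = "login", "failure"
        ev["severity"], ev["confidence"] = "medium", "medium"
    return ev

def normalize(line, json_template=JSON_TEMPLATE):
    """Detect the format and return one event in the common hunting schema."""
    if line.startswith("CEF:"):
        return parse_cef(line)
    if line.lstrip().startswith("{"):
        return parse_json(line, json_template)
    if line.startswith("<"):
        return parse_syslog(line)
    raise ValueError("unknown format; a mapping template is needed")

if __name__ == "__main__":
    for raw in (CEF_LINE, JSON_LINE, SYSLOG_LINE):
        print(normalize(raw))
```

Every event comes back with the same ten keys, so a hunt that filters on `ip` or `outcome` runs unchanged across all three sources; fields a source cannot supply stay `None` rather than being guessed.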
High-Speed Search + Full-Text Indexing
Search millions of events with fast indexes and full-text search across command lines, URLs, domains, and scripts for instant investigation pivots.
Drag-and-Drop Hunt Builder
Build hunts visually by dragging blocks into a pipeline: scope, filters, correlation, outputs, and actions. Validate, estimate, and run without writing queries.
100+ Hunt Packs Library
A massive library of prebuilt hunts covering ransomware, brute force, web attacks, lateral movement, persistence, C2, exfiltration, identity abuse, and cloud threats. Load and run in one click.
ZelC Language Templates
Write intent-based ZelC scripts or choose from a large template library. Safety-check before execution, then run and produce evidence-linked outputs.
Correlation + Sequence Hunting
Correlate by host/user/IP/domain/hash within time windows and detect sequences (Event A then Event B) to rebuild real attack chains.
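An added example (not ZelKill's code) of the two mechanics described here: a threshold correlation on one key inside a time window, and an ordered sequence (Event A, then Event B, then Event C) on the same key. It generalizes the page's two-step "Event A then Event B" to any number of steps. The events are constructed and use the hunting schema's `time`, `host`, `user`, `action` and `outcome` fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events already in the hunting schema (only the fields this hunt uses).
EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "ws01", "user": "alice", "action": "login", "outcome": "failure"},
    {"time": "2024-05-01T10:00:04", "host": "ws01", "user": "alice", "action": "login", "outcome": "failure"},
    {"time": "2024-05-01T10:00:08", "host": "ws01", "user": "alice", "action": "login", "outcome": "failure"},
    {"time": "2024-05-01T10:00:12", "host": "ws01", "user": "alice", "action": "login", "outcome": "success"},
    {"time": "2024-05-01T10:03:30", "host": "ws01", "user": "alice", "action": "process_create", "outcome": "success"},
    {"time": "2024-05-01T11:00:00", "host": "ws02", "user": "bob", "action": "login", "outcome": "failure"},
    {"time": "2024-05-01T11:00:30", "host": "ws02", "user": "bob", "action": "login", "outcome": "success"},
    {"time": "2024-05-01T11:45:00", "host": "ws02", "user": "bob", "action": "process_create", "outcome": "success"},
]

def parse_time(value):
    return datetime.fromisoformat(value)

def group_by_key(events, key_fields):
    """Bucket events by the correlation key (host, user, ip, domain, hash ...) in time order."""
    grouped = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        grouped[tuple(ev.get(f) for f in key_fields)].append(ev)
    return grouped

def match_chain(events, steps, window):
    """First chain where steps[0], steps[1], ... match in order, all within `window`
    of the chain's first event; None if the key never completes the sequence."""
    for i, start in enumerate(events):
        if not steps[0](start):
            continue
        deadline = parse_time(start["time"]) + window
        chain, nxt = [start], 1
        for ev in events[i + 1:]:
            if parse_time(ev["time"]) > deadline:
                break  # window expired for this start; try the next candidate start
            if steps[nxt](ev):
                chain.append(ev)
                nxt += 1
                if nxt == len(steps):
                    return chain
    return None

def hunt_sequence(events, key_fields, steps, window):
    matches = []
    for key, evs in group_by_key(events, key_fields).items():
        chain = match_chain(evs, steps, window)
        if chain:
            matches.append({"key": key, "chain": chain})
    return matches

def threshold_hits(events, key_fields, predicate, window, threshold):
    """Keys with at least `threshold` matching events inside some sliding `window`."""
    hits = []
    for key, evs in group_by_key(events, key_fields).items():
        times = [parse_time(e["time"]) for e in evs if predicate(e)]
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.append(key)
                break
    return hits

# Steps of the hunt: failed login -> successful login -> new process, same host/user, within 5 minutes.
FAILED_LOGIN = lambda e: e["action"] == "login" and e["outcome"] == "failure"
SUCCESS_LOGIN = lambda e: e["action"] == "login" and e["outcome"] == "success"
NEW_PROCESS = lambda e: e["action"] == "process_create"

def run_hunt(events=EVENTS):
    sequences = hunt_sequence(events, ("host", "user"),
                              [FAILED_LOGIN, SUCCESS_LOGIN, NEW_PROCESS], timedelta(minutes=5))
    brute = threshold_hits(events, ("host", "user"), FAILED_LOGIN, timedelta(seconds=30), 3)
    return sequences, brute

if __name__ == "__main__":
    seq, brute = run_hunt()
    print("sequence matches:", [(m["key"], len(m["chain"])) for m in seq])
    print("threshold hits:", brute)
```

Only `ws01`/`alice` completes the chain: `bob` also fails and then succeeds, but his process start falls outside the five-minute window, which is exactly the false positive the window is there to suppress.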
Rarity Mode + Baseline Compare
Spot first-seen and low-prevalence entities instantly. Compare current activity against historical baselines to highlight true anomalies.
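An added example (not ZelKill's code) of rarity hunting against a baseline: entities that have never appeared in the baseline are reported as first-seen, and entities seen only a handful of times as low-prevalence. The key function generalizes the idea from single entities to pairs such as host-to-domain, which catches a common domain being contacted by a host that never contacted it before. Baseline and current events are constructed.

```python
from collections import Counter

# Constructed: 30 days of baseline domain telemetry versus today's events (schema fields host, domain).
BASELINE = (
    [{"host": "ws01", "domain": "updates.example.com"}] * 300
    + [{"host": "ws02", "domain": "mail.example.com"}] * 120
    + [{"host": "ws01", "domain": "cdn.example.net"}] * 2      # seen before, but rarely
)
CURRENT = [
    {"host": "ws01", "domain": "updates.example.com"},
    {"host": "ws02", "domain": "updates.example.com"},          # common domain, new host for it
    {"host": "ws01", "domain": "cdn.example.net"},
    {"host": "ws03", "domain": "files.example.org"},            # never seen before
    {"host": "ws03", "domain": "files.example.org"},
]

def rarity_report(baseline, current, key, rare_threshold=5):
    """Compare entity counts in `current` with the baseline; `key` maps an event to the
    entity being counted (a single field value or a tuple of fields)."""
    base = Counter(key(e) for e in baseline)
    now = Counter(key(e) for e in current)
    findings = []
    for value, count in now.items():
        prior = base.get(value, 0)
        if prior == 0:
            status = "first-seen"
        elif prior <= rare_threshold:
            status = "low-prevalence"
        else:
            continue  # well-established entity: not interesting for rarity mode
        findings.append({"value": value, "status": status, "now": count, "baseline": prior})
    # Rarest first; ties broken by value so the output is stable.
    return sorted(findings, key=lambda f: (f["baseline"], str(f["value"])))

def domain_report(baseline=BASELINE, current=CURRENT):
    return rarity_report(baseline, current, key=lambda e: e["domain"])

def pair_report(baseline=BASELINE, current=CURRENT):
    return rarity_report(baseline, current, key=lambda e: (e["host"], e["domain"]))

if __name__ == "__main__":
    for f in domain_report():
        print("domain", f)
    for f in pair_report():
        print("host->domain", f)
```

The domain view alone would miss `ws02` reaching `updates.example.com`, because the domain itself is common; the pair view surfaces it as first-seen, which is the kind of anomaly a raw prevalence count hides.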
MITRE ATT&CK Mapping Engine
Auto-map observed behaviors to tactics and techniques, show activity heat, drill into technique evidence, and identify coverage gaps.
Ransomware War Room
Dedicated ransomware workspace with patient zero ranking, spread mapping, phase timeline (Initial Access → Impact), and containment recommendations.
Threat Graph Relationship Map
Interactive entity relationship graph (IP → host → user → domain → process → hash). Click nodes for pivots, evidence, and action recommendations.
Flow Map Intelligence
From-to traffic flow diagrams that reveal who talked to what, where the data moved, and which paths look abnormal.
Event Timeline Command Center
Hour/day/week timelines with swimlanes by host or user, phase overlays, fast filtering, and one-click conversion into case narratives.
AINA Intelligence Copilot
Evidence-driven AI assistant that explains findings, suggests pivots, and drafts professional outputs. Every claim is tied to evidence IDs, never vague AI text.
AINA Fractures (Specialized Modes)
Switch AINA into specialized modes like Threat Hunter, IOC Analyst, Ransomware Analyst, MITRE Mapper, Coverage Advisor, Executive Brief, and Remediation Planner.
Action Broker Orchestration
Queue containment actions with approvals: block IPs/domains, isolate hosts, disable users, trigger playbooks, and track full audit trails.
100 Response Playbooks
Built-in playbooks with step-by-step execution for ransomware, phishing, brute force, lateral movement, persistence, C2, exfiltration, and cloud incidents.
Evidence Locker with Hash Integrity
Every evidence item is hashed (SHA-256), chained to custody logs, and exportable as evidence packs with manifests and integrity verification.
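An added example (not ZelKill's code) of the integrity mechanics described here: each evidence item is hashed with SHA-256, each custody log entry commits to the previous entry's hash so a record cannot be edited or removed without breaking the chain, and an exported pack carries a manifest whose own hash is checked on import. The evidence bytes, analyst names and case identifiers are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first custody entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(obj) -> bytes:
    # Deterministic JSON so the same record always hashes to the same value.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class EvidenceLocker:
    """Evidence bytes with their SHA-256 plus a hash-chained chain-of-custody log."""

    def __init__(self):
        self.items = {}    # evidence_id -> {"sha256", "size", "data"}
        self.custody = []  # ordered entries, each committing to the previous one

    def _log(self, actor, action, evidence_id, digest, note):
        prev = self.custody[-1]["entry_hash"] if self.custody else GENESIS
        entry = {"seq": len(self.custody), "ts": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "evidence_id": evidence_id,
                 "sha256": digest, "note": note, "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(canonical(entry))
        self.custody.append(entry)

    def add(self, evidence_id, data: bytes, actor, note=""):
        digest = sha256_hex(data)
        self.items[evidence_id] = {"sha256": digest, "size": len(data), "data": data}
        self._log(actor, "add", evidence_id, digest, note)
        return digest

    def record_access(self, evidence_id, actor, note=""):
        self._log(actor, "access", evidence_id, self.items[evidence_id]["sha256"], note)

    def export_pack(self):
        manifest = {
            "items": {eid: {"sha256": it["sha256"], "size": it["size"]} for eid, it in self.items.items()},
            "custody": [dict(e) for e in self.custody],
        }
        return {"manifest": manifest,
                "manifest_sha256": sha256_hex(canonical(manifest)),
                "files": {eid: it["data"] for eid, it in self.items.items()}}

def verify_pack(pack):
    """Return a list of integrity problems; an empty list means the pack verifies."""
    problems = []
    manifest = pack["manifest"]
    if sha256_hex(canonical(manifest)) != pack["manifest_sha256"]:
        problems.append("manifest hash mismatch")
    for eid, meta in manifest["items"].items():
        data = pack["files"].get(eid)
        if data is None:
            problems.append(f"{eid}: file missing from pack")
        elif sha256_hex(data) != meta["sha256"] or len(data) != meta["size"]:
            problems.append(f"{eid}: content hash mismatch")
    prev = GENESIS
    for entry in manifest["custody"]:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            problems.append(f"custody {entry['seq']}: chain link broken")
        if sha256_hex(canonical(body)) != entry["entry_hash"]:
            problems.append(f"custody {entry['seq']}: entry tampered")
        prev = entry["entry_hash"]
    return problems

def build_sample_locker():
    # Constructed evidence; ids, actors and the case reference are placeholders.
    locker = EvidenceLocker()
    locker.add("E-1", b"constructed sample: command line captured from ws01\n", "analyst.a", "hunt finding")
    locker.add("E-2", b"constructed sample: DNS log excerpt\n", "analyst.a")
    locker.record_access("E-1", "auditor.b", "reviewed for case C-42")
    return locker

if __name__ == "__main__":
    pack = build_sample_locker().export_pack()
    print("clean pack problems:", verify_pack(pack))
    pack["files"]["E-1"] = b"altered after export\n"
    print("tampered pack problems:", verify_pack(pack))
```

Verification checks three independent things: file bytes against the manifest, the manifest against its published hash, and every custody entry against both its own hash and its predecessor's. Altering a file, editing a log line, or deleting an entry from the middle of the log each produces a distinct, attributable failure.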
Case Management + Narrative Builder
Convert leads to cases, build timelines, attach evidence, assign tasks, track actions taken, and produce complete incident narratives.
Report Engine with Many Templates
Generate executive briefs, technical incident reports, IOC reports, MITRE reports, ransomware reports, hunt run summaries, and post-mortems with branded output.
Branded Report Shell + Verification Hashes
Reports include cover pages, headers/footers, classification labels, report IDs, and integrity hashes for defensible documentation.
Scheduled Hunts + Scheduled Reports
Run hunts automatically on a schedule, generate leads/alerts by thresholds, and produce recurring security briefings without manual work.
Telemetry Health Dashboard
Monitor ingestion job health, parser errors, coverage gaps, and event volumes so you always know what data you have and what you're missing.
Multi-Tenant Data Isolation
Each user sees only their own events, hunts, cases, reports, evidence, and integrations, so tenants stay isolated in shared multi-user deployments.
Role-Based Access Controls
Roles for Admin, Hunter, Analyst, Auditor, and Read-only ensure sensitive actions and exports are controlled and auditable.
Secure Secrets Storage
Integration tokens, webhook secrets, and AI keys are stored encrypted at rest with strict access controls and audit logging.
Zelfire Native Integrations
Deep native connectors for ZelAccess, ZelWall, ZelXDR, ZelSOAR, ZelScan, ZelMap, ZelPosture, Vulnerability Vines, ZelTester, ZelCloud, ZelDrift, ZelRank, ZelZero-Trust, and ZelExploits.
Enterprise-Grade Integrations Catalog
A full integration catalog with guided configuration wizards for SIEMs, cloud logs, servers, network devices, proxies, DNS, identity providers, and email security logs.