OpenTelemetry-native for everything modern, a one-line Linux Sensor for hosts, and a Universal Webhook for the long tail of firewall, EDR, and cloud sources — where an AI writes the field mapping from a single sample event, so you're not blocked waiting on a per-vendor connector. 24 sources and channels below, from OpenTelemetry to FortiGate to PagerDuty.
OpenTelemetry (logs, metrics, traces), the Linux Sensor wrapping Grafana Alloy, Kubernetes via Helm, Docker, and Terraform to manage it all as code. Plus ten alert channels — Slack, Discord, Teams, Telegram, PagerDuty, Opsgenie, Twilio SMS/voice, email, and signed webhooks. These ship today, end to end.
Point a vendor's log push at one webhook URL. Paste a sample event; the model proposes an Elastic Common Schema (ECS) mapping with a live preview; you approve it; from then on the transform runs deterministically — the LLM is only involved at config time. FortiGate and CrowdStrike formats are validated end-to-end; Palo Alto, Cisco, Cloudflare Logpush and the rest ride the same path.
OpenTelemetry-native, plus a one-line Linux Sensor that wraps Grafana Alloy.
Firewall and endpoint telemetry — normalized to ECS, fed straight into detections.
Push platform and edge logs in without standing up a collector.
Ten routing channels. One incident per fire — never a hundred.
Manage it as code, and let an agent drive the same REST surface you do.
"Native" = a first-class path that ships today. "Webhook + AI map" = ingested through the Universal Webhook with an AI-authored mapping. "Tested" = we've validated ingest from that vendor's exact format. All product names and logos are trademarks of their respective owners; their use here indicates compatibility, not endorsement or affiliation.
No per-vendor connector tax. No "integrations" SKU.