01 Creating Your First Monitor
StatusCore supports multiple monitor types. To create a monitor, click the Add Monitor button on your dashboard and select the type that fits your needs.
Monitor Types
- HTTP / HTTPS — Checks a URL and verifies it returns a successful response (2xx status code). HTTPS monitors also validate the TLS handshake.
- TCP — Opens a TCP connection to a specific host and port. Useful for databases, mail servers, game servers, or any service listening on a port.
- Ping (ICMP) — Sends an ICMP echo request to verify a host is reachable on the network. Good for monitoring servers and network devices.
- SIP — Sends a SIP OPTIONS request to a VoIP server and checks the response code. Monitors configured with SIP will treat 5xx responses as DOWN.
- Domain — Monitors domain registration expiry. StatusCore will alert you when your domain is approaching its expiration date so you never lose a domain.
- SSL Certificate — Tracks your SSL/TLS certificate expiry date and alerts you before it expires, helping you avoid downtime from an expired certificate.
- Heartbeat / Cron — Instead of StatusCore reaching out, your service pings a unique URL on a schedule. If the ping stops arriving within the expected interval, the monitor goes DOWN. Ideal for cron jobs, backup scripts, and batch processes.
Quick Steps
- Click Add Monitor on the dashboard.
- Choose the monitor type from the dropdown.
- Enter a friendly name and the target (URL, hostname, or IP).
- Optionally adjust the check interval, timeout, and alert sensitivity.
- Click Create Monitor.
Tip
For heartbeat monitors, after creation you will see a unique ping URL. Add a cron entry or post-script curl to that URL so StatusCore knows your job ran successfully.
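A wrapper for the job side of a heartbeat monitor, added here as an example (it is not StatusCore's own code). It pings only when the job exits 0, bounds the ping with a timeout, and preserves the job's exit status. `PING_URL` is a placeholder for the unique ping URL shown after you create the monitor; the function names and script path are illustrative.

```shell
#!/bin/sh
# Added example: run a job and ping a heartbeat URL only on success.
# PING_URL is a placeholder; use the unique URL shown for your monitor.
PING_URL="${PING_URL:-https://example.invalid/REPLACE_WITH_YOUR_PING_URL}"

# send_ping URL: one bounded, retried, quiet request.
send_ping() {
    curl -fsS --max-time 10 --retry 3 -o /dev/null "$1"
}

# run_with_heartbeat CMD [ARGS...]
# Runs the job and pings only if it exits 0. Always returns the job's own
# exit status so cron mail and calling scripts still see real failures.
run_with_heartbeat() {
    "$@"
    status=$?
    if [ "$status" -eq 0 ]; then
        # A failed ping must not turn a successful job into a failure,
        # but it should leave a trace on stderr.
        send_ping "$PING_URL" || echo "heartbeat ping failed" >&2
    fi
    return "$status"
}

# Example crontab line (script path is hypothetical):
#   0 2 * * * /usr/local/bin/heartbeat.sh /usr/local/bin/backup.sh
if [ "$#" -gt 0 ]; then
    run_with_heartbeat "$@"
    exit $?
fi
```

Because a failed job sends no ping, the monitor goes DOWN once the expected interval passes, which is the signal you want for a broken backup or batch run.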
02 Understanding Monitor Status
StatusCore checks your monitors from multiple geographic locations simultaneously. The overall status is determined by aggregating the results from all locations.
Status Types
- Up — All monitoring locations report the service is reachable and responding correctly.
- Down — All locations (or a threshold based on your alert sensitivity) report the service is unreachable or returning errors.
- Partial — Some locations report the service as up while others report it as down. This often indicates a regional outage, DNS propagation issue, or CDN problem.
- Flapping — A single location has experienced 3 or more status changes within 5 minutes. This usually indicates an unstable service or network path.
Multi-Location Monitoring
StatusCore monitors from three locations by default:
- US-East (Florida) — Primary location
- US-West (Oregon) — West coast coverage
- EU (Frankfurt) — European coverage
This multi-location approach reduces false positives. A single location experiencing network issues will not trigger a full DOWN alert unless your sensitivity is set to aggressive.
Alert Sensitivity
- Aggressive — Alert when any single location reports a failure.
- Balanced (default) — Alert when a majority of locations report a failure.
- Conservative — Alert only when all locations report a failure.
StatusCore can notify you through multiple channels when a monitor goes down or recovers. Configure your alert preferences in Settings.
Email Alerts
Enabled by default for all accounts. Downtime and recovery emails are sent to your account email address. Times in alert emails are displayed in your configured timezone (Settings → Timezone).
SMS Alerts
Add your phone number in Settings to receive SMS alerts for critical downtime events. SMS alerts include the monitor name, status, and affected locations.
Slack Integration
- In your Slack workspace, create an Incoming Webhook via the Slack App Directory.
- Copy the webhook URL (starts with https://hooks.slack.com/services/...).
- Paste it into StatusCore Settings → Slack Webhook URL.
- Click Save. StatusCore will send rich formatted messages with colored status indicators.
Discord Integration
- In your Discord server, go to Server Settings → Integrations → Webhooks.
- Create a new webhook and copy the URL.
- Paste it into StatusCore Settings → Discord Webhook URL.
- Click Save. Discord alerts include colored embeds with monitor details.
Custom Webhooks
Send monitor events to any HTTP endpoint. StatusCore sends a POST request with a JSON payload containing the event type, monitor details, and timestamp. See the API Documentation for the full webhook payload format.
04 Public Status Pages (Pro+)
Public status pages let you share real-time uptime information with your customers. Available on Pro plans and above.
How It Works
- Go to Settings → Status Page.
- Enable the public status page toggle.
- Choose which monitors to display by toggling Public on each monitor's menu.
- Share your status page URL: https://portal.statuscore.io/status/your-slug
Your status page displays real-time status for each public monitor, 90-day uptime history, and recent incidents with resolution times.
Note
Only monitors you explicitly mark as public will appear on the status page. Internal monitors remain private.
05 Brandable Status Pages (Enterprise+)
Enterprise plans and above can fully customize the look and feel of their public status page to match their brand identity.
Setup Steps
- Go to Settings → Status Page Branding.
- Enter your logo URL — a direct link to your logo image (PNG, JPG, or SVG hosted anywhere accessible via HTTPS).
- Choose your brand color using the color picker. This color will be used for headings, links, and accents on your status page.
- Set a custom page title (e.g., "Acme Corp System Status") that appears at the top of the page and in the browser tab.
- Add custom footer text (e.g., your company name, support link, or legal notice).
- (Optional) Add custom CSS for advanced styling. This CSS is injected into the status page, giving you full control over fonts, spacing, backgrounds, and more.
- Click Save.
Tip
Use a transparent PNG or SVG for your logo so it looks clean against any background. Recommended logo height is 40-60px.
06 Custom Status Page URL (Enterprise+)
Point your own domain (e.g., status.yourcompany.com) to your StatusCore status page for a fully branded experience.
Setup Steps
- Decide on a subdomain, such as status.yourcompany.com or uptime.yourcompany.com.
- Log into your DNS provider.
- Create a CNAME record pointing your subdomain to portal.statuscore.io.
- Wait for DNS propagation (usually 5-15 minutes, can take up to 24 hours).
- In StatusCore, go to Settings → Status Page Branding → Custom Domain.
- Enter your custom domain (e.g., status.yourcompany.com) and click Save.
- Visit your custom URL to verify everything is working.
DNS Examples
Cloudflare
- Go to your domain in Cloudflare → DNS → Records.
- Click Add record.
- Type: CNAME, Name: status, Target: portal.statuscore.io
- Set proxy status to DNS only (grey cloud) for best compatibility.
- Click Save.
GoDaddy
- Go to My Products → your domain → DNS.
- Click Add New Record.
- Type: CNAME, Name: status, Value: portal.statuscore.io, TTL: 1 Hour.
- Click Save.
AWS Route 53
- Go to Route 53 → Hosted Zones → your domain.
- Click Create Record.
- Record name: status, Record type: CNAME, Value: portal.statuscore.io
- TTL: 300 seconds. Click Create records.
Note
CNAME records cannot be set on the root domain (e.g., yourcompany.com). You must use a subdomain like status.yourcompany.com.
07 Setting Up a StatusCore Sensor
Sensors collect logs from your network and forward them to StatusCore for analysis. There are three deployment options.
Option 1: Hardware Sensor ($89)
The easiest option. Plug in ethernet and power, and the sensor self-provisions using your account credentials. No configuration needed.
- Order a hardware sensor from your StatusCore dashboard.
- When it arrives, connect the ethernet cable to your network.
- Plug in the power adapter.
- The sensor will appear in your dashboard within a few minutes.
Option 2: Linux Install
Install the sensor agent on any Linux server with a single command.
- Go to Settings → Sensors → Deploy New Sensor.
- Copy your tenant token.
- Run the install command on your Linux server:
curl -sSL https://portal.statuscore.io/install-sensor.sh | sudo bash -s -- --token YOUR_TENANT_TOKEN
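The same install with the script saved to disk and checked before it runs as root, added here as an example (it is not StatusCore's own tooling). The page publishes no checksum, so the expected SHA-256 is assumed to be one you recorded after reviewing the script yourself; the function names and the token file are illustrative.

```shell
#!/bin/sh
# Added example: fetch the installer, compare it with a digest recorded after
# your own review, then run it with the same arguments as the piped form.
INSTALLER_URL="https://portal.statuscore.io/install-sensor.sh"

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_digest FILE EXPECTED: succeed only on an exact, non-empty match.
verify_digest() {
    [ -n "$2" ] && [ "$(sha256_of "$1")" = "$2" ]
}

# install_sensor EXPECTED_SHA256 TOKEN_FILE
# TOKEN_FILE holds the tenant token (mode 0600), which keeps it out of shell
# history; it is still passed to the installer as an argument.
install_sensor() {
    expected=$1
    token_file=$2
    tmp=$(mktemp) || return 1
    # -f: fail on HTTP errors instead of saving an error page as the script.
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$INSTALLER_URL"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_digest "$tmp" "$expected"; then
        echo "installer digest mismatch: $(sha256_of "$tmp")" >&2
        echo "left at $tmp for review; nothing was executed" >&2
        return 2
    fi
    sudo bash "$tmp" --token "$(cat "$token_file")"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (digest and path are yours to supply):
#   install_sensor "<sha256 you recorded>" /root/statuscore-token
```

A digest mismatch means the script changed since you reviewed it, so read the new version before updating the recorded value.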
Option 3: Docker
Run the sensor as a Docker container.
- Go to Settings → Sensors → Deploy New Sensor and copy your tenant token.
- Run the Docker command:
docker run -d --name statuscore-sensor \
  --restart unless-stopped \
  -e TENANT_TOKEN=YOUR_TENANT_TOKEN \
  statuscore/sensor:latest
Getting Your Tenant Token
Navigate to Settings → Sensors → Deploy New Sensor. Your unique tenant token is displayed on the deployment page. This token links the sensor to your account.
08 Understanding SIEM Alerts
SIEM alerts are generated when incoming log data matches a detection rule. Each alert contains details about the event, the rule that triggered it, and a severity level.
Detection Rules
Detection rules define patterns that StatusCore looks for in your log data. When a log entry matches a rule, an alert is created. Rules can match on keywords, IP addresses, event types, and more.
Severity Levels
- Low — Informational events that may warrant review. Examples: successful logins from new locations, configuration changes.
- Medium — Events that should be investigated. Examples: failed login attempts, permission denied errors, unusual traffic patterns.
- High — Events that likely require immediate action. Examples: multiple failed logins, privilege escalation attempts, malware signatures.
- Critical — Severe security events requiring urgent response. Examples: confirmed data exfiltration, ransomware indicators, active exploitation.
Alerts appear in your SIEM dashboard sorted by severity. You can filter, search, and acknowledge alerts individually or in bulk.
09 Creating Custom Detection Rules
While StatusCore includes built-in detection rules, you can create custom rules tailored to your environment.
Manual Rule Creation
- Navigate to SIEM → Detection Rules → Create Rule.
- Enter a descriptive rule name (e.g., "Failed SSH from external IP").
- Set the keyword or pattern to match in log data (e.g., "authentication failure").
- Choose the severity level (low, medium, high, or critical).
- Optionally add a source filter to limit the rule to specific log sources or sensors.
- Click Save Rule.
AI Rule Builder
Describe what you want to detect in plain English, and the AI will generate a detection rule for you. For example:
- "Alert me when someone fails to log in more than 5 times"
- "Detect any PowerShell execution on Windows servers"
- "Flag outbound connections to known Tor exit nodes"
The AI generates the rule with appropriate keywords, severity, and source filters. Review and edit the generated rule before saving.
Suppression rules let you silence noisy or known-benign alerts so you can focus on real threats.
Manual Suppression
- From any alert, click Suppress.
- Choose what to suppress: the specific keyword, source IP, source sensor, or a combination.
- Set a duration (1 hour, 24 hours, 7 days, or permanent).
- Add an optional reason for the suppression.
- Click Create Suppression Rule.
AI-Powered Suppression
StatusCore can automatically suggest suppression rules based on alert patterns. When the AI detects repeated benign alerts, it will recommend a suppression rule. You can review and approve the suggestion with one click.
Note
Suppressed alerts are still logged and visible in the suppressed alerts view. Suppression only prevents notifications and dashboard noise.
11 Microsoft 365 Integration
Connect your Microsoft 365 tenant to monitor sign-in logs, audit events, and enable XDR response actions like disabling compromised users.
Setup Steps
- Go to the Microsoft Entra admin center and navigate to App registrations → New registration.
- Name the app (e.g., "StatusCore SIEM") and set the account type to Single tenant. Click Register.
- Go to API permissions → Add a permission. Select Office 365 Management APIs and add ActivityFeed.Read (Application permission). Click Grant admin consent.
- For XDR response actions (disable users, revoke sessions): Add Microsoft Graph → User.ReadWrite.All (Application permission) and grant admin consent.
- Go to Certificates & secrets → New client secret. Set an expiry and click Add. Copy the VALUE (not the Secret ID) immediately — it is only shown once.
- Note your Tenant ID and Client ID from the app's Overview page.
- In StatusCore, go to SIEM → Integrations → Microsoft 365. Enter your Tenant ID, Client ID, and Client Secret. Click Connect.
Important
After connecting, it can take up to 12 hours for Microsoft to begin delivering audit log data. This is a Microsoft-side delay, not a StatusCore limitation. You will see a "Waiting for data" status during this period.
12 Notification Channels
Configure where SIEM alerts are delivered. Each channel can be tested independently to verify connectivity.
Email
SIEM alerts are sent to your account email by default. Alerts include the rule name, severity, matched log excerpt, and a direct link to the alert in your dashboard.
SMS
Receive text message notifications for high and critical severity alerts. Add your phone number in Settings. SMS alerts are concise and include the alert title and severity.
Telegram
- Message @StatusCoreBot on Telegram to get your chat ID.
- Enter the chat ID in SIEM → Notification Channels → Telegram.
- Click Test to verify the connection.
Slack
- Create an Incoming Webhook in your Slack workspace.
- Paste the webhook URL in SIEM → Notification Channels → Slack.
- Click Test to send a test alert.
Each channel has a Test button that sends a sample alert so you can verify delivery before relying on it in production.
StatusCore uses AI to help you understand alerts faster, create rules more easily, and reduce noise.
AI Alert Explanation
Click the Explain button on any SIEM alert to get a plain-language explanation of what happened, why it matters, and recommended next steps. The AI analyzes the raw log data, the detection rule, and the context of your environment.
AI Rule Builder
Describe a detection scenario in plain English and the AI generates a complete detection rule. It selects appropriate keywords, severity levels, and source filters based on your description. You can review and adjust the rule before saving.
AI Suppression Suggestions
When the AI detects patterns of repeated benign alerts, it proactively suggests suppression rules. These suggestions appear in your alert feed and can be approved with a single click, significantly reducing alert fatigue.
When you identify a malicious IP address in a SIEM alert, you can block it directly from the alert detail view.
Blocking an IP
- Open the SIEM alert containing the suspicious IP.
- Click the Block IP button next to the source IP address.
- Choose a duration: 1 hour, 24 hours, 7 days, 30 days, or permanent.
- Confirm the block. The IP is immediately blocked at the sensor level.
Managing Blocked IPs
View and manage all blocked IPs in SIEM → Blocked IPs. From this view you can:
- See which rule or alert triggered the block.
- View the block duration and time remaining.
- Unblock an IP early if it was blocked by mistake.
- Extend the block duration.
15 M365 Response Actions
When your Microsoft 365 integration includes the User.ReadWrite.All permission, you can take response actions directly from SIEM alerts.
Disable User
If an M365 account shows signs of compromise (e.g., impossible travel, suspicious mail rules), you can disable the user account immediately from the alert view. This prevents the attacker from continuing to use the compromised credentials.
- Open the SIEM alert related to the M365 user.
- Click Disable User in the response actions panel.
- Confirm the action. The user is disabled in Microsoft Entra immediately.
Revoke Sessions
Force all active sessions for a user to be invalidated. The user will need to re-authenticate on all devices.
- From the alert or user detail view, click Revoke Sessions.
- Confirm the action. All active sessions are revoked via Microsoft Graph API.
Important
These actions are logged in the StatusCore audit log. Ensure you have proper authorization before disabling user accounts in your organization.
16 Two-Factor Authentication
Add an extra layer of security to your account by enabling two-factor authentication. StatusCore supports two methods: authenticator apps (TOTP) and SMS codes.
Authenticator App (Recommended)
- Go to Settings → Security → Set Up Authenticator.
- Scan the QR code with your preferred authenticator app (Google Authenticator, Authy, Microsoft Authenticator, 1Password, etc.).
- Enter the 6-digit code from the app to verify setup.
- TOTP is now enabled. You will be prompted for a code on each login.
SMS Two-Factor
- Go to Settings → Security → Set Up SMS 2FA.
- Enter your phone number.
- A verification code will be sent via SMS. Enter it to confirm.
- SMS 2FA is now active. A new code is sent each time you log in.
Tip
Authenticator apps are more reliable than SMS and work offline. We recommend TOTP as your primary 2FA method.
To disable 2FA, go to Settings → Security and click the disable option for the active method.
17 Managing Your Subscription
Manage your plan, add monitors, and enable add-ons from Settings → Billing.
Plans
- Free — Up to 5 monitors, email alerts, basic features.
- Pro — Up to 20 monitors, SMS/Slack/Discord alerts, public status pages, priority checks.
- Enterprise — Unlimited monitors, brandable status pages, custom domains, premium support.
Monitor Packs
Need more monitors without upgrading your plan? Purchase additional monitor packs in increments from your billing page.
SIEM / XDR Add-ons
SIEM and XDR capabilities are available as add-ons to any plan. Enable them from Settings → Billing → Add-ons.
Upgrading
- Go to Settings → Billing.
- Select your desired plan.
- Enter payment details (handled securely by Stripe).
- Your new plan takes effect immediately.
18 Sensor Not Connecting
If your sensor shows as offline in the dashboard, work through these checks.
1. Check WireGuard Tunnel
The sensor uses a WireGuard VPN tunnel to communicate with StatusCore. On the sensor (or host running Docker), verify the tunnel is active:
sudo wg show
You should see a peer with a recent handshake timestamp. If no handshake is shown, the tunnel is not established.
2. Check SSH Tunnel
Verify the SSH reverse tunnel is active:
sudo systemctl status statuscore-tunnel
If the service is not running, restart it:
sudo systemctl restart statuscore-tunnel
3. Network Connectivity
- Ensure the sensor has outbound internet access.
- Check that UDP port 51820 (WireGuard) is not blocked by a firewall.
- Verify DNS resolution is working: nslookup portal.statuscore.io
- For Docker sensors, ensure the container is running: docker ps | grep statuscore-sensor
4. Reinstall
If the above steps do not resolve the issue, try redeploying the sensor using a fresh tenant token from Settings → Sensors.
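The checks in steps 1 to 3 gathered into one triage script, added here as an example (it is not StatusCore's own tooling). It turns "a recent handshake timestamp" into a concrete test by parsing `wg show all latest-handshakes`; the 180-second staleness threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example: triage for a sensor that shows as offline.
# STALE_AFTER is an assumed threshold in seconds, not a StatusCore value.
STALE_AFTER="${STALE_AFTER:-180}"

# classify_handshakes NOW: reads `wg show all latest-handshakes` output
# (interface <TAB> peer-public-key <TAB> unix-time) on stdin and prints
# "interface verdict age" per peer. A timestamp of 0 means no handshake has
# ever completed. Returns non-zero if any peer is not "ok" or none exist.
classify_handshakes() {
    awk -v now="$1" -v max="$STALE_AFTER" '
        NF == 3 {
            seen = 1
            if ($3 == 0)             { v = "never"; bad = 1 }
            else if (now - $3 > max) { v = "stale"; bad = 1 }
            else                     { v = "ok" }
            printf "%s %s %s\n", $1, v, ($3 == 0 ? "-" : now - $3)
        }
        END { exit (bad || !seen) ? 1 : 0 }'
}

# check LABEL CMD...: run CMD quietly and report PASS or FAIL.
check() {
    label=$1
    shift
    if "$@" >/dev/null 2>&1; then echo "PASS $label"; else echo "FAIL $label"; fi
}

triage() {
    sudo wg show all latest-handshakes | classify_handshakes "$(date +%s)" \
        || echo "FAIL WireGuard: a peer has no recent handshake (or no tunnel is up)"
    check "statuscore-tunnel service active" \
        systemctl is-active --quiet statuscore-tunnel
    check "DNS resolves portal.statuscore.io" nslookup portal.statuscore.io
    # Docker sensors only; the container name is the one used on this page.
    if command -v docker >/dev/null 2>&1; then
        check "statuscore-sensor container running" \
            sh -c 'docker ps --format "{{.Names}}" | grep -qx statuscore-sensor'
    fi
}

# Run the live checks only when asked: sh sensor-triage.sh --run
if [ "${1:-}" = "--run" ]; then
    triage
fi
```

A "never" verdict alongside working DNS usually points at blocked outbound UDP 51820, while "stale" means the tunnel was up and has since dropped.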
19 False Positive Alerts
Reducing false positives is essential for keeping your SIEM actionable. Here are strategies to tune your alerts.
Use Suppression Rules
If you identify a pattern of benign alerts, create a suppression rule to silence them. See Suppression Rules for details.
Leverage AI Suggestions
StatusCore's AI continuously analyzes your alert patterns and suggests suppression rules for repeated benign alerts. Review these suggestions regularly in your alert feed.
Refine Detection Rules
- Add source filters to narrow rules to specific sensors or log sources.
- Make keyword patterns more specific to avoid broad matches.
- Adjust severity levels — not every match needs to be critical.
Whitelist Known-Good Sources
If certain internal IPs or service accounts consistently trigger alerts, add them to the suppression list with a clear reason documented.
20 M365 Connector Issues
Common issues when connecting Microsoft 365 to StatusCore SIEM.
Invalid Client Secret
The most common error. When creating the client secret in Microsoft Entra, you must copy the Value column, not the Secret ID. The value is only shown once at creation time. If you missed it, delete the secret and create a new one.
Permission Denied / Unauthorized
- Verify you added Application permissions (not Delegated).
- Ensure you clicked Grant admin consent after adding permissions.
- Check that the Tenant ID and Client ID are correct (copy from the app's Overview page).
- If you recently added permissions, wait a few minutes for them to propagate.
No Data After Connecting
This is expected. Microsoft's Management Activity API can take up to 12 hours to begin delivering audit log data after initial subscription. The StatusCore dashboard will show a "Waiting for data" indicator during this period. No action is required — data will begin flowing automatically.
Client Secret Expired
Client secrets have an expiration date. If your connection stops working, check the secret's expiry in Microsoft Entra → App registrations → your app → Certificates & secrets. Create a new secret and update it in StatusCore.