Skip to main content
How to use SAF, setup guide and reference documentation. Platform overview, getting started and changelog.


Core the central unit of the Search Anywhere Framework the core module is the central unit of the Search Anywhere Framework, orchestrating the interaction among its various components and providing a unified access point to their functionalities. It encompasses an analytical engine that implements the SAF Language — a specialized "Search Processing Language" tailored for executing intricate correlation searches within the SAF ecosystem.

Incident Manager

Incident Manager a comprehensive solution dedicated to the life cycle management of incidents the incident manager module is a comprehensive solution dedicated to the lifecycle management of incidents spanning areas of information security, IT infrastructure, abnormal user behaviors, and business process errors. Its primary role is to capture crucial events as incidents, streamlining the organization and offering tools to manage identified incidents.


Inventory asset formation and management tool the inventory module allows users to create a unified database of users and assets, including servers, workstations, network devices, information systems, and objects in a cluster infrastructure. It ensures that the asset database is kept up to date. key features integration of data from various sources.

Cyber Security

Cyber Security a large database of correlation rules and functional dashboards for detecting and preventing incidents the cyber security module enriches the Security Analytics Platform with curated content. It encompasses ready-made correlation rules, incident detection mechanisms, response playbooks, configurations to integrate any security tool with SAF, and pre-installed dashboards, all delivered in the form of periodic content updates.


MITRE ATT&CK apply various MITRE ATT&CK usage scenarios in the protected infrastructure the MITRE ATT&CK module equips organizations to effectively deploy multiple MITRE ATT&CK use scenarios within their infrastructure. Users can evaluate their toolsets coverage of ATT&CK techniques, craft specialized threat models tailored to their IT landscape components, and detect potential technique use based on data source events.


The module provides mechanisms for detecting deviations in the behavior of different types of objects: users, hosts, administrators, information systems, business processes of processes, etc. Universal scoring calculation mechanism allows to identify potential attackers, compromised accounts, calculate cybersecurity index, analyze operational efficiency and labor discipline, and fight against frod.