Skip to content
Mimir

Mimir documentation

Security-first endpoint visibility, documented.
Threat feeds GitHub

What’s here

Dashboard The landing page after sign-in — fleet health, compliance posture, top security events, agent signals, and OS distribution at a glance.
Threat feeds Connect built-in abuse.ch feeds, public MISP feeds, or any STIX/TAXII server. Coverage of every feed type, with setup steps, security model, and troubleshooting.
Indicators Add IOCs by hand or in batch, learn the nine indicator types Mimir tracks, and tune matching modes and confidence.
Alerts The unified alert feed — what each row means, how to filter by severity, source, and category, and how to ship alerts to Slack or PagerDuty via webhooks.
Hosts Open per-host detail, filter the fleet by hostname or status, and decommission retired endpoints (admin-only, revokes the agent certificate). The Hosts surface is the operator's day-to-day view of fleet posture.
Hunts Launch IOC hunts against the fleet, drill into match results, and stop running hunts cleanly. Covers concurrency limits, race-condition handling, and the hunt-vs-campaign relationship.
Campaigns Durable hunt records — when offline campaigns are enabled, a hunt creates a campaign so disconnected hosts can answer days later when they reconnect.
Queries Mimir's ad-hoc SQL workbench — write an osquery statement, pick a target (fleet / single host / by OS), stream results in, and export. Includes saved queries.
Packs Durable, scheduled osquery — what a pack is, what the health dot means, and how to author custom packs on top of the bundled set.
Fleet Fleet intelligence (risk-scored anomaly clusters), the version-skew breakdown, and the live event map streaming activity as arcs landing at the server.
Settings Time and display preferences, API keys, local user management, enrollment secrets, single sign-on, and agent / osquery update channels.

Single source of truth

Every page on this site renders from a .md file in the Mimir repo. Updates ship via PR with a docs-sync CI gate that prevents drift between the docs and the code.

Reading the docs in-product

Every Mimir tenant ships the same documentation at /help/<section>/<topic>. Click the (?) icon next to any feature in the product to jump straight to that feature’s page. The in-product and public versions render the same markdown — they stay in sync by construction.