One pipeline: collect, correlate, triage, respond.
Hello SOC is one product end-to-end. No SIEM-plus-ticketing-plus-orchestration stitch-up. The same engine that detects also triages, notifies, and queues response actions.
- 01
Ingest
A lightweight collector at your edge ships FortiGate syslog, Linux auth/mail logs, web-server logs and SNMP metrics to a mTLS-secured gateway. Per-tenant isolation from byte zero — your logs land in your OpenObserve organisation, not a shared pool.
- 02
Detect
Stream-correlation engine runs pre-built detection: brute-force, threat-intel hits, mass-deny bursts, internal fan-out, exposed admin surfaces, mail recon, web injection probes, device-health regressions. Custom tuning per tenant without editing global rules.
- 03
Triage
Every alert is summarised by an in-house Claude-powered triage layer. Related alerts roll up into incidents by family + actor + window, so you read three lines, not three log files.
- 04
Notify
Per-tenant email and Telegram channels, with operator fallback. Weekly admin digest (open + closed-this-week breakdown) and a signed monthly PDF for compliance.
- 05
Respond
SOAR engine proposes response actions per matching rule. Humans approve in-dashboard; the engine executes against a vendor adapter (FortiOS today; Sophos and Palo Alto next). Every action is reversible and TTL-bounded.
Integrations
Data residency & isolation
Per-tenant OpenObserve org
Every customer gets a dedicated OpenObserve organisation; SQL queries are row-scoped on top. No shared indexes.
Postgres + Valkey
Tenant rows + alerts + incidents in Postgres 16 with FK-cascaded delete; Valkey for dedup keys and notification cooldowns.
India-resident by default
Mumbai region storage; EU / US / AE residency on request. We ship logs to the region you nominate; the dashboard works from any.
Backups + DR
Daily encrypted backups to a customer-controlled object store (Synology NAS, S3, R2 — your pick).
Onboarding — the actual hours and steps
What we do, what you do, and what’s measurable at each checkpoint. Built for procurement teams that need to forecast a go-live date before they sign.
- Day 0–1 · Pre-flight~2 hours of your team’s timeWe doProvision your tenant + dedicated OpenObserve org; generate edge-collector mTLS certs; share the install kit.You doConfirm log sources (one FortiGate to start), nominate your tenant_admin email(s), open egress to our ingest endpoint.MeasurableEdge collector running; first heartbeat in /system → device list.
- Day 1 · Ingest liveOperator-side; no work from you.We doVerify event flow through gateway → parser → per-tenant OpenObserve org; activate the rules engine.You doNothing — we’ll ping you on the first real alert so you can see the dashboard light up.MeasurableEvents/sec ingested visible in /system; first triaged alert in /alerts.
- Days 2–7 · Tuning + first digest~1 hour total, mostly async.We doWhitelist obvious false-positive sources (your monitoring scanners, partner IPs), tune severity bands per your environment.You doApprove the proposed whitelist set; confirm the digest recipient list.MeasurableMonday weekly digest delivered to tenant_admin inbox — open + closed-this-week breakdown.
- Days 8–30 · Incidents + SOAR scoping~30 min weekly review.We doRoll alerts into incidents by family and actor; propose first set of response actions (block_ip on confirmed exploit probes, typically).You doApprove the rule_actions mapping; supply per-device FortiGate API key (encrypted server-side).MeasurableFirst dashboard-approved SOAR action executed; signed monthly PDF delivered.
- Day 30+ · ExpansionAsynchronous.We doAdd data sources (Linux servers, web tier, M365 if relevant) without re-onboarding; quarterly plan / retention review.You doSend the next batch of source devices; decide on retention overrides if any.MeasurableCoverage expanding without dashboard churn; storage cost on the plan you signed.
Walk the architecture with us.
30 minutes: live dashboard, one of our own networks. Bring questions, leave with a sizing.
Book a demo