Hello SOCBook a demo
Architecture

One pipeline: collect, correlate, triage, respond.

Hello SOC is one product end-to-end. No SIEM-plus-ticketing-plus-orchestration stitch-up. The same engine that detects also triages, notifies, and queues response actions.

  1. 01

    Ingest

    A lightweight collector at your edge ships FortiGate syslog, Linux auth/mail logs, web-server logs and SNMP metrics to a mTLS-secured gateway. Per-tenant isolation from byte zero — your logs land in your OpenObserve organisation, not a shared pool.

  2. 02

    Detect

    Stream-correlation engine runs pre-built detection: brute-force, threat-intel hits, mass-deny bursts, internal fan-out, exposed admin surfaces, mail recon, web injection probes, device-health regressions. Custom tuning per tenant without editing global rules.

  3. 03

    Triage

    Every alert is summarised by an in-house Claude-powered triage layer. Related alerts roll up into incidents by family + actor + window, so you read three lines, not three log files.

  4. 04

    Notify

    Per-tenant email and Telegram channels, with operator fallback. Weekly admin digest (open + closed-this-week breakdown) and a signed monthly PDF for compliance.

  5. 05

    Respond

    SOAR engine proposes response actions per matching rule. Humans approve in-dashboard; the engine executes against a vendor adapter (FortiOS today; Sophos and Palo Alto next). Every action is reversible and TTL-bounded.

Integrations

FortiOS
syslog ingest + SOAR block_ip via address-group
Linux servers
auth.log + mail.log via collector; SSH + SMTP brute-force rules
Nginx / Apache
access + error log ingest; web-scanner + exploit-probe rules
SNMP
Telegraf-driven polling + trap reception; device-health rules
Sophos, Palo Alto
SOAR adapters — F3 (Q3 2026)
Microsoft 365 / Workspace
audit + sign-in ingest — F4 (Q4 2026)

Data residency & isolation

Per-tenant OpenObserve org

Every customer gets a dedicated OpenObserve organisation; SQL queries are row-scoped on top. No shared indexes.

Postgres + Valkey

Tenant rows + alerts + incidents in Postgres 16 with FK-cascaded delete; Valkey for dedup keys and notification cooldowns.

India-resident by default

Mumbai region storage; EU / US / AE residency on request. We ship logs to the region you nominate; the dashboard works from any.

Backups + DR

Daily encrypted backups to a customer-controlled object store (Synology NAS, S3, R2 — your pick).

Onboarding — the actual hours and steps

What we do, what you do, and what’s measurable at each checkpoint. Built for procurement teams that need to forecast a go-live date before they sign.

  1. Day 0–1 · Pre-flight
    ~2 hours of your team’s time
    We doProvision your tenant + dedicated OpenObserve org; generate edge-collector mTLS certs; share the install kit.
    You doConfirm log sources (one FortiGate to start), nominate your tenant_admin email(s), open egress to our ingest endpoint.
    MeasurableEdge collector running; first heartbeat in /system → device list.
  2. Day 1 · Ingest live
    Operator-side; no work from you.
    We doVerify event flow through gateway → parser → per-tenant OpenObserve org; activate the rules engine.
    You doNothing — we’ll ping you on the first real alert so you can see the dashboard light up.
    MeasurableEvents/sec ingested visible in /system; first triaged alert in /alerts.
  3. Days 2–7 · Tuning + first digest
    ~1 hour total, mostly async.
    We doWhitelist obvious false-positive sources (your monitoring scanners, partner IPs), tune severity bands per your environment.
    You doApprove the proposed whitelist set; confirm the digest recipient list.
    MeasurableMonday weekly digest delivered to tenant_admin inbox — open + closed-this-week breakdown.
  4. Days 8–30 · Incidents + SOAR scoping
    ~30 min weekly review.
    We doRoll alerts into incidents by family and actor; propose first set of response actions (block_ip on confirmed exploit probes, typically).
    You doApprove the rule_actions mapping; supply per-device FortiGate API key (encrypted server-side).
    MeasurableFirst dashboard-approved SOAR action executed; signed monthly PDF delivered.
  5. Day 30+ · Expansion
    Asynchronous.
    We doAdd data sources (Linux servers, web tier, M365 if relevant) without re-onboarding; quarterly plan / retention review.
    You doSend the next batch of source devices; decide on retention overrides if any.
    MeasurableCoverage expanding without dashboard churn; storage cost on the plan you signed.

Walk the architecture with us.

30 minutes: live dashboard, one of our own networks. Bring questions, leave with a sizing.

Book a demo