Skip to content
IronSOC/Platform/Automatic Onboarding

Platform

Point a source at it. It learns your estate.

Most SOC platforms start with a configuration project: schema mapping, rule tuning, asset tagging. IronSOC starts with traffic. Connect a source and the engine learns your architecture and your users' normal patterns automatically — configuration is minimal by design, and coverage grows where risk lives.

How onboarding works

Four steps. The engine does three of them.

Step 01 · Connect

One webhook per source. No schema project.

Point Splunk, Elastic, Microsoft Sentinel, or any OCSF/JSON emitter at a single ingest endpoint. Vendor adapters normalize each payload into one feature space — there is no mapping spreadsheet, no rule-pack tuning phase, no professional-services quarter.

Step 02 · Observe

Baselines form from the traffic itself.

The engine builds a running baseline per actor, per source, from the alerts it sees. After a handful of observations a learned normal exists for that identity or agent — what it touches, how sensitive, how risky. Nobody writes that profile by hand.

Step 03 · Diverge

Deviation from learned normal becomes signal.

Once a baseline exists, distance from it feeds the triage score directly. The same event that is routine for a CI service account is an escalation for a finance analyst — because the engine learned what each of them normally does.

Step 04 · Expand

Coverage follows risk, not license count.

Partial installation is the default: the riskiest systems connect first, and coverage grows where incidents and exposure say it should. You are never asked to instrument the whole estate on day one to get value.

What it learns

The profile nobody had to write

Onboarding is not a form you fill in. It is the engine watching real telemetry and building the context that makes triage decisions defensible.

Per-actor baselines

Every identity, service account, and AI agent gets its own learned profile — tool risk, data sensitivity, blast radius — built from its actual history, not from a role template.

Escalation history

Actors whose alerts have escalated before score higher on the next one. Repeat offenders are remembered automatically; clean histories earn quieter treatment.

Source shapes

Splunk notables, Sentinel incidents, Elastic rules, and OCSF findings all land in the same nine-signal feature space, so cross-source behavior compares apples to apples.

Approved context

Change windows, approved automation, and sanctioned maintenance reduce the score instead of paging a human. The engine learns what sanctioned looks like, too.

Not a mock

Watch a baseline form, live.

The ingest pipeline on this site is the real engine. POST a raw Splunk, Elastic, Sentinel, or OCSF payload at it and watch the actor’s baseline appear in the live queue — deviation scoring switches on after three observations, exactly as it would in your estate.

Try the live engine

Honest status

What runs on this site today: real vendor adapters, real learned per-actor baselines, real deviation scoring, real 90/10 routing. What is design-partner work: persistent baseline storage across restarts and SIEM write-back of verdicts. We list the gap because you would find it in diligence anyway.

See integration status