Technical & Executive Brief · 2026
Detection & Response Fabric · H&I Balam SOC
The security operations platform that turns alerts into action through automatic correlation, AI analysis, and unified incident management.
Version 4.14 Language English Classification Confidential Contact support@obsidia.center
01 · Executive Summary
What is OBSIDIA?
OBSIDIA is an operational security platform (SOC-as-a-Service) that integrates threat detection, AI-powered analysis and automated incident management into a single solution. Built for organizations that need enterprise-grade security visibility without the complexity and cost of a traditional SOC.
🛡️

Continuous Detection

24/7 monitoring of security events from multiple sources — OpenSearch indexers, external SIEMs, EDR agents and cloud logs — with automatic correlation and risk-level prioritization.

🤖

AI Analysis — MITRE ATT&CK + Kill Chain

Every critical alert is processed by the integrated AI engine to identify the MITRE tactic and technique, Kill Chain phase, potential impact, and recommended remediation steps.

🎫

Incident Management

Automated enriched ticket creation in osTicket, Jira Service Management or ServiceNow. Every incident is documented, assigned, and traceable.

📊

Executive Visibility

Real-time dashboard with operational metrics, SSE event feed, risk indicators, and compliance-ready audit reports.

02 · Architecture
Component Diagram
OBSIDIA operates as a source-agnostic orchestration layer. A Normalizer adapter converts heterogeneous events into a standard format before they reach the Core engine. All components run in isolated Docker containers over a dedicated internal network.
CLIENT INFRASTRUCTURE OpenSearch Indexer :9200 · REST API External SIEM API · syslog · REST EDR / Cloud Logs agents · API · webhooks Normalizer rule · agent · mitre · level dedup · state · fingerprint → Standard OBSIDIA format OBSIDIA Core ▸ MITRE ATT&CK Mapping ▸ Kill Chain Analysis ▸ AI Engine — contextual analysis ▸ Dedup · State · Polling Engine ▸ Event Store (SQLite WAL) ▸ Heartbeat · Licensing poll: 20s · batch configurable Ticket Dispatcher (routes by config · enriched body) osTicket self-hosted Jira Service Mgmt ServiceNow ITSM VISUALIZATION Dashboard SSE monitor.obsidia.center real-time events Admin Portal admin.obsidia.center clients · licenses LEGEND Sync flow API / async Heartbeat
03 · Operation Flow
From event to incident in 5 steps
OBSIDIA automatically orchestrates the entire detect-respond cycle. The SOC team only receives pre-enriched tickets — no manual correlation work.
01

Collection — Security Sources

Security sources — agents on servers and endpoints, OpenSearch indexers, external SIEMs, and cloud logs — feed events into the Normalizer. Multiple protocols are supported: REST API, syslog, webhooks, and direct OpenSearch queries.

02

Normalization — Standard OBSIDIA format

The Normalizer converts heterogeneous events into the standard OBSIDIA schema (rule · agent · mitre · level · dedup · state · fingerprint). Each adapter is independent; adding a new source requires no changes to the core. The Poller Engine deduplicates via SHA-256 fingerprint and maintains per-cycle state.

03

AI Analysis — MITRE ATT&CK + Kill Chain

Alerts at level ≥ 7 (configurable) are processed by the integrated AI engine for contextual analysis. It identifies the MITRE tactic and technique, the corresponding Kill Chain phase, the potential organizational impact, and generates actionable remediation recommendations.

04

Automatic enriched ticket creation

The Dispatcher builds a ticket with a structured subject (severity · rule · agent) and a body containing: full event data, complete AI analysis, MITRE context, and recommended remediation steps.

05

Real-time visibility and metrics

Every event is stored in the Event Store (SQLite WAL). The SSE Dashboard pushes it to the SOC team in real time. The admin portal consolidates metrics from all clients via a 24h heartbeat.

04 · Technical Capabilities
Threat coverage — MITRE ATT&CK
OBSIDIA detects and correlates threats mapped to the MITRE ATT&CK Enterprise framework.
MITRE TacticDetected TechniquesData SourceSeverity
Initial AccessSSH/RDP Brute Force, public exploitOBSIDIA rule engineCRITICAL
ExecutionShell commands, malicious scriptsIntegrity monitorHIGH
PersistenceCrontab modification, service tamperingFIM (File Integrity Monitor)HIGH
Privilege Escalationsudo abuse, SUID/SGIDAudit rulesHIGH
Defense EvasionLog clearing, rootkitsRootkit detectorMED
Credential AccessPassword spraying, hash dumpingAuthentication logsCRITICAL
Lateral MovementPsExec, SSH tunnelsNetwork rulesHIGH
ImpactRansomware patterns, data deletionBehavioral monitorCRITICAL
Compliance (SCA)CIS Benchmarks · PCI-DSS · LGPD · ISO 27001 · CNBV · INAICompliance engineINFO
System Specifications
Supported sourcesOpenSearch + SIEM/EDR adapters
AI AnalysisAI Engine (configurable)
Poll interval20s (configurable)
Batch size10 alerts / cycle
DatabaseSQLite 3 · WAL mode
DashboardFastAPI + SSE (real-time push)
ContainersDocker Compose
Internal network172.20.0.0/24 · bridge
Operating systemsUbuntu 22.04 / 24.04 LTS
Min recommended RAM8 GB (full stack)
Min storage50 GB SSD
Ticket systemsosTicket · Jira · ServiceNow
05 · Plans & Licensing
Subscription options
All plans include the full platform. The difference lies in the number of monitored agents, included support level, and compliance add-ons.
Starter
Contact us / mo

  • Up to 25 agents
  • Real-time detection
  • Basic AI analysis
  • osTicket integration
  • Operational dashboard
  • Email support
Enterprise
Custom / year

  • Unlimited agents
  • Multi-tenant / multi-site
  • Industry-tailored AI
  • Custom integrations
  • 4h critical / 8h high SLA
  • SOC as a Service included
  • Dedicated support