Public SOC architecture

From raw telemetry to analyst decisions

SynapticSOC connects perimeter, endpoint, and passive network visibility into a single operational workflow designed around evidence quality, structured triage, and human-reviewed decisions.

Architecture objective

Connected visibility instead of isolated dashboards

The architecture is designed to improve the quality of security decisions by combining multiple observations before recommending action. Each component has a defined operational role.

01 / Visibility first

Perimeter events, endpoint telemetry, and LAN-side observations provide different views of the same activity.

02 / Correlation before action

Graylog, OpenSearch, and n8n combine context before an analyst decision or response recommendation is recorded.

03 / Human-reviewed response

Automation supports triage and evidence handling without replacing analyst judgment.

Public high-level data flow

How SynapticSOC processes security telemetry

This public diagram describes the main architectural relationships while intentionally excluding sensitive implementation details.

[Figure: public SynapticSOC architecture diagram showing perimeter, endpoint, and passive LAN telemetry converging into Graylog, with Wazuh, OpenSearch, n8n, and Grafana.]
Solid connections represent telemetry, event, query, or workflow relationships. The Zeek path represents passive mirrored LAN visibility.

System layers

Each component has a defined operational role

The system is structured as connected layers rather than a single monolithic security platform.

01 / Perimeter

Firewall and IDS telemetry

pfSense · Snort · Suricata

Perimeter traffic, firewall decisions, and IDS alerts provide the first layer of network-security visibility.

02 / Endpoint

Host-level visibility

Wazuh agents

Endpoint telemetry provides host events, security detections, inventory context, and supporting evidence.

03 / Passive visibility

LAN-side network observation

Switch SPAN / TAP · Zeek

Zeek passively observes mirrored LAN traffic, so an analyst can check whether activity flagged at the perimeter actually reached an internal endpoint rather than stopping at the firewall.
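A concrete form of that check, as an added example for this page rather than SynapticSOC's own code: it takes a Suricata eve.json alert from the perimeter and Zeek's JSON conn.log from the mirrored LAN segment, keys on the external source address and port plus the service port, and reads Zeek's conn_state to say whether the internal host actually answered. The public address 198.51.100.10, the port-forward NAT that rewrites it to an internal host, and every record below are constructed assumptions.

```python
"""Does a perimeter IDS alert correspond to a flow Zeek saw reach a LAN host?
Added example, not SynapticSOC code. Record shapes follow Suricata's eve.json 'alert'
output and Zeek's JSON conn.log; every value below is constructed."""
import json
from datetime import datetime

# Zeek conn_state values in which the LAN host (responder) sent something back,
# and the subset in which a session was actually established.
RESPONDER_REPLIED = {"S1", "SF", "S2", "S3", "REJ", "RSTO", "RSTR", "RSTRH", "SHR"}
ESTABLISHED = {"S1", "SF", "S2", "S3", "RSTO", "RSTR"}

def alert_epoch(alert: dict) -> float:
    """Suricata writes timestamps like 2024-05-01T10:15:30.123456+0000."""
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()

def correlate(alert_line: str, zeek_lines, window_s: float = 5.0) -> dict:
    """Find the Zeek connection closest in time to the alert and classify what the host did."""
    alert = json.loads(alert_line)
    # Assumed topology: a pfSense port forward maps the public address in the alert to an
    # internal host. That NAT rewrites the destination address but leaves the external
    # source IP/port intact, so the key deliberately omits the destination address.
    key = (alert["src_ip"], alert["src_port"], alert["dest_port"], alert["proto"].upper())
    t0 = alert_epoch(alert)
    best = None
    for line in zeek_lines:
        c = json.loads(line)
        if (c["id.orig_h"], c["id.orig_p"], c["id.resp_p"], c["proto"].upper()) != key:
            continue
        dt = abs(c["ts"] - t0)
        if dt <= window_s and (best is None or dt < best[0]):
            best = (dt, c)
    if best is None:
        return {"verdict": "no_flow_seen", "internal_host": None, "zeek_uid": None, "conn_state": None}
    c = best[1]
    state = c.get("conn_state", "OTH")
    if state in ESTABLISHED:
        verdict = "established"           # the host answered and a session ran
    elif state in RESPONDER_REPLIED:
        verdict = "reached_but_refused"   # e.g. REJ: host sent RST, so it was reachable
    else:
        verdict = "no_reply"              # e.g. S0: only the SYN was mirrored
    return {"verdict": verdict, "internal_host": c["id.resp_h"], "zeek_uid": c["uid"], "conn_state": state}

# Constructed Suricata alerts as seen on the WAN side (198.51.100.10 is the assumed public address).
def _alert(ts, src, sport, dport, sig):
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "src_port": sport,
                       "dest_ip": "198.51.100.10", "dest_port": dport, "proto": "TCP",
                       "alert": {"signature_id": 9000000 + dport, "signature": sig, "severity": 2}})

ALERT_SMB = _alert("2024-05-01T10:15:30.123456+0000", "203.0.113.45", 51514, 445, "CONSTRUCTED SMB probe")
ALERT_SSH = _alert("2024-05-01T10:16:02.000000+0000", "203.0.113.46", 40222, 22, "CONSTRUCTED SSH scan")
ALERT_RDP = _alert("2024-05-01T10:17:00.000000+0000", "203.0.113.47", 33333, 3389, "CONSTRUCTED RDP probe")

# Constructed Zeek JSON conn.log lines from the mirrored LAN segment (ts is epoch seconds).
ZEEK_CONN_LINES = [
    json.dumps({"ts": 1714558530.4, "uid": "CUid01", "id.orig_h": "203.0.113.45", "id.orig_p": 51514,
                "id.resp_h": "10.10.20.15", "id.resp_p": 445, "proto": "tcp", "conn_state": "SF"}),
    json.dumps({"ts": 1714558562.1, "uid": "CUid02", "id.orig_h": "203.0.113.46", "id.orig_p": 40222,
                "id.resp_h": "10.10.20.16", "id.resp_p": 22, "proto": "tcp", "conn_state": "S0"}),
    json.dumps({"ts": 1714558565.0, "uid": "CUid03", "id.orig_h": "10.10.20.15", "id.orig_p": 49152,
                "id.resp_h": "10.10.20.1", "id.resp_p": 53, "proto": "udp", "conn_state": "SF"}),
]

if __name__ == "__main__":
    for name, a in (("SMB", ALERT_SMB), ("SSH", ALERT_SSH), ("RDP", ALERT_RDP)):
        print(name, correlate(a, ZEEK_CONN_LINES))
```

Matching on the alert's destination address would never succeed for a port-forwarded service, which is why the key leaves it out and reports the internal host Zeek saw instead. An S0 state means only the SYN was mirrored, so the perimeter alert describes an attempt the host never answered. An outbound flow through source NAT needs a different key, because there the source address (and, by default on pfSense, the source port) is what gets rewritten.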

04 / Aggregation

Parsing, enrichment, and routing

Graylog

Graylog acts as the central operational hub for normalizing, enriching, routing, searching, and presenting security context.
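An added example of what that normalization step does (this is not the project's Graylog pipeline, which the public page does not disclose): one pfSense filterlog line delivered over RFC 5424 syslog, one Suricata eve.json alert, and one Wazuh alert, all constructed, are mapped onto a single record shape with a shared priority scale so they can be lined up against each other. The field names, the priority buckets for Wazuh rule levels, and the sample lines are this example's assumptions; the filterlog column layout follows the pfSense documentation and should be checked against the deployed version.

```python
"""Map pfSense filterlog, Suricata eve.json and Wazuh alerts onto one record shape.
Added example, not SynapticSOC's Graylog pipeline; field names, priority scale and
all sample lines are this example's constructions."""
import json
from datetime import datetime, timezone

def to_utc_iso(ts: str) -> str:
    """Accept '+00:00' (RFC 5424) and '+0000' (Suricata, Wazuh) offsets; fixed-width UTC output."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(ts, fmt).astimezone(timezone.utc).isoformat(timespec="microseconds")
        except ValueError:
            continue
    raise ValueError(f"unparseable timestamp: {ts}")

def parse_pfsense(line: str) -> dict:
    """RFC 5424 syslog line whose MSG is the pfSense filterlog CSV payload."""
    _pri, ts, host, app, _pid, _msgid, _sd, msg = line.split(" ", 7)
    if app != "filterlog":
        raise ValueError("not a filterlog message")
    f = msg.split(",")
    # Column layout per the pfSense filterlog documentation (check against your version):
    # rule,subrule,anchor,tracker,iface,reason,action,direction,ipver, then the IP header.
    if f[8] == "4":   # IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    else:             # IPv6: class,flowlabel,hoplimit,proto-text,proto-id,length,src,dst
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    ports = rest[:2] if proto in ("tcp", "udp") else []
    return {"@timestamp": to_utc_iso(ts), "source": "pfsense", "host": host,
            "action": f[6], "rule": f[3], "priority": "info",
            "src_ip": src, "src_port": int(ports[0]) if ports else None,
            "dst_ip": dst, "dst_port": int(ports[1]) if ports else None,
            "proto": proto.lower(), "message": f"pf {f[6]} {f[7]} on {f[4]} (tracker {f[3]})"}

SURICATA_PRIORITY = {1: "high", 2: "medium", 3: "low"}   # eve 'severity': 1 is most severe

def parse_suricata(e: dict) -> dict:
    a = e["alert"]
    return {"@timestamp": to_utc_iso(e["timestamp"]), "source": "suricata", "host": e.get("host"),
            "action": a.get("action", "allowed"), "rule": str(a["signature_id"]),
            "priority": SURICATA_PRIORITY.get(a.get("severity"), "info"),
            "src_ip": e["src_ip"], "src_port": e.get("src_port"),
            "dst_ip": e["dest_ip"], "dst_port": e.get("dest_port"),
            "proto": e["proto"].lower(), "message": a["signature"]}

def wazuh_priority(level: int) -> str:
    """Assumed buckets for Wazuh rule levels (0-15)."""
    return "high" if level >= 12 else "medium" if level >= 7 else "low" if level >= 4 else "info"

def parse_wazuh(a: dict) -> dict:
    d = a.get("data", {})
    return {"@timestamp": to_utc_iso(a["timestamp"]), "source": "wazuh", "host": a["agent"]["name"],
            "action": "alert", "rule": a["rule"]["id"], "priority": wazuh_priority(int(a["rule"]["level"])),
            "src_ip": d.get("srcip"), "src_port": int(d["srcport"]) if d.get("srcport") else None,
            "dst_ip": a["agent"].get("ip"), "dst_port": int(d["dstport"]) if d.get("dstport") else None,
            "proto": d.get("protocol"), "message": a["rule"]["description"]}

def normalize(line: str):
    """Route one raw line to its parser; non-alert JSON (Suricata flow, dns, ...) returns None."""
    if line.startswith("<"):
        return parse_pfsense(line)
    obj = json.loads(line)
    if obj.get("event_type") == "alert":
        return parse_suricata(obj)
    if "rule" in obj and "agent" in obj:
        return parse_wazuh(obj)
    return None

def evidence_for(records, ip: str) -> list:
    """Every normalized record that mentions an address, oldest first, regardless of source."""
    return sorted((r for r in records if r and ip in (r["src_ip"], r["dst_ip"])),
                  key=lambda r: r["@timestamp"])

# Constructed inputs: one line per source, all describing the same external address.
SAMPLE_LINES = [
    "<134>1 2024-05-01T10:15:30.100000+00:00 fw01 filterlog 1234 - - "
    "5,,,1000000103,em0,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.45,198.51.100.10,"
    "51514,445,0,S,1234567890,,65535,,mss;sackOK",
    json.dumps({"timestamp": "2024-05-01T10:15:30.123456+0000", "event_type": "alert",
                "src_ip": "203.0.113.45", "src_port": 51514, "dest_ip": "198.51.100.10", "dest_port": 445,
                "proto": "TCP", "alert": {"action": "allowed", "signature_id": 9000001,
                                          "signature": "CONSTRUCTED SMB probe", "severity": 2}}),
    json.dumps({"timestamp": "2024-05-01T10:15:31.000+0000",
                "rule": {"level": 10, "id": "900002", "description": "CONSTRUCTED: SMB session from external address"},
                "agent": {"id": "003", "name": "fileserver", "ip": "10.10.20.15"},
                "data": {"srcip": "203.0.113.45", "srcport": "51514", "protocol": "tcp"}}),
]

if __name__ == "__main__":
    for r in evidence_for([normalize(l) for l in SAMPLE_LINES], "203.0.113.45"):
        print(r["@timestamp"], r["source"], r["priority"], r["message"])
```

The point of the shared shape is the last function: once every source carries the same address, port, time, and priority fields, one query over one address returns the firewall decision, the IDS signature, and the endpoint alert in time order, which is what the analyst needs before deciding anything. Timestamps are converted to a fixed-width UTC form so that ordering by string is safe across sources that write their offsets differently.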

05 / Storage

Search and retention

OpenSearch

OpenSearch supports indexed search, retained telemetry, and historical investigation across the wider SOC workflow.

06 / SOAR-assisted triage

Enrichment and analyst workflow

n8n · Graylog · OpenSearch

n8n exchanges context with Graylog and OpenSearch to support enrichment, triage, alerting, acknowledgment, and evidence recording.

07 / Analyst decision

Human-reviewed action

Analyst review · Evidence record

The analyst remains responsible for interpreting evidence, confirming the event, and deciding whether response is justified.

08 / Reporting

Operational dashboards

Grafana

Grafana presents selected operational and reporting views from stored and processed data.

Operational flow

From observation to a documented decision

  1. Telemetry is collected

     pfSense, IDS sensors, Wazuh agents, and Zeek provide distinct network and endpoint observations.

  2. Events are normalized and enriched

     Graylog structures and enriches incoming events so evidence from different sources can be compared consistently.

  3. Context is searched and retained

     OpenSearch supports indexed search and retained context for investigation, workflow queries, and reporting.

  4. SOAR-assisted triage is performed

     n8n coordinates high-level enrichment, correlation, alerting, acknowledgment, and evidence-recording steps.

  5. The analyst reviews the evidence

     Automation supports the decision, but the analyst determines whether observed activity requires a response.
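The gate between the triage step and the analyst step can be made explicit in code. The following is an added illustration, not SynapticSOC's n8n workflow (which the page intentionally leaves unpublished): automation may enrich a case and attach a recommendation, but a response action can only be requested once an analyst decision with a rationale is on record, and each entry in the evidence record is hash-chained so that later alteration is detectable. The state names, the decision vocabulary, and the hash-chaining are this example's assumptions.

```python
"""Triage gate: automation enriches and recommends; only a recorded analyst decision
can unlock a response action. Added example, not SynapticSOC's n8n workflow."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

class TriageError(Exception):
    pass

def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class Case:
    case_id: str
    alert: dict                      # a normalized alert record
    status: str = "new"              # new -> pending_analyst -> acknowledged
    decision: Optional[dict] = None
    evidence: list = field(default_factory=list)

    def record(self, kind: str, payload: dict) -> str:
        """Append an evidence entry whose hash covers the previous entry's hash."""
        prev = self.evidence[-1]["hash"] if self.evidence else "0" * 64
        entry = {"seq": len(self.evidence), "kind": kind, "payload": payload, "prev": prev}
        entry["hash"] = _digest(entry)
        self.evidence.append(entry)
        return entry["hash"]

def verify_evidence(case: Case) -> bool:
    """True only if every entry still hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for e in case.evidence:
        if e["prev"] != prev or _digest(e) != e["hash"]:
            return False
        prev = e["hash"]
    return True

def recommend(alert: dict, lan_verdict: str) -> dict:
    """Turn enrichment into a suggestion for the analyst; never into an action."""
    if lan_verdict == "no_flow_seen":
        return {"suggest": "close", "reason": "no LAN flow observed; perimeter-only activity"}
    if lan_verdict in ("established", "reached_but_refused") and alert["priority"] in ("high", "medium"):
        return {"suggest": "investigate_host", "reason": f"flow reached a LAN host ({lan_verdict})"}
    return {"suggest": "monitor", "reason": "low priority or unconfirmed"}

def enrich(case: Case, lan_verdict: str) -> Case:
    """Automation's part: attach the alert, the LAN correlation and a recommendation, then stop."""
    if case.status != "new":
        raise TriageError(f"cannot enrich case in state {case.status}")
    case.record("alert", case.alert)
    case.record("lan_correlation", {"verdict": lan_verdict})
    case.record("recommendation", recommend(case.alert, lan_verdict))
    case.status = "pending_analyst"
    return case

DECISIONS = {"confirmed", "benign", "needs_more_evidence"}

def acknowledge(case: Case, analyst: str, decision: str, rationale: str) -> Case:
    """The analyst's part: a named person records a decision and why."""
    if case.status != "pending_analyst":
        raise TriageError(f"cannot acknowledge case in state {case.status}")
    if decision not in DECISIONS:
        raise TriageError(f"unknown decision {decision!r}")
    if not rationale.strip():
        raise TriageError("a decision without a rationale is not an evidence record")
    case.decision = {"analyst": analyst, "decision": decision, "rationale": rationale}
    case.record("analyst_decision", case.decision)
    case.status = "acknowledged"
    return case

def request_response(case: Case, action: str) -> str:
    """Only a case carrying a recorded 'confirmed' decision may request a response action."""
    if case.status != "acknowledged" or case.decision["decision"] != "confirmed":
        raise TriageError("response refused: no analyst confirmation on record")
    return case.record("response_requested", {"action": action, "approved_by": case.decision["analyst"]})

if __name__ == "__main__":
    # Constructed normalized alert; the verdict string is what a LAN correlation step would return.
    c = enrich(Case("C-1", {"priority": "medium", "src_ip": "203.0.113.45", "message": "CONSTRUCTED SMB probe"}),
               "established")
    acknowledge(c, "analyst1", "confirmed", "Zeek shows an established session to the file server")
    print(request_response(c, "isolate_host"), verify_evidence(c))
```

The recommendation is recorded as evidence like everything else, so an analyst who disagrees with it leaves a visible trail; the refusal in request_response is what keeps a detection from turning into an action on its own. Whether the verification routine is run on each read or only on export is a deployment choice the page does not specify.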

Design principles

Built for credible and explainable operations

Open-source first

The project prioritizes openly available tools and transparent technical decisions.

Evidence before automation

Automated actions are not enabled simply because a detection fired. Evidence quality and validation come first.

Human-reviewed decisions

The workflow assists the analyst rather than hiding decisions inside opaque automation.

Resource-conscious engineering

The architecture reflects real storage, hardware, maintenance, and financial constraints.

Implementation status

Implemented capabilities and planned improvements

SynapticSOC documents what is working today separately from what is still being designed, hardened, or validated.

Implemented and demonstrated

  • pfSense firewall telemetry
  • Snort and Suricata IDS telemetry
  • Wazuh endpoint telemetry
  • Zeek LAN-side passive visibility
  • Graylog parsing, enrichment, streams, and routing
  • OpenSearch search and storage
  • n8n SOAR-assisted triage and acknowledgment
  • Analyst review and evidence-recording workflow
  • Grafana operational dashboards

Planned or being hardened

  • Formal retention-policy implementation
  • Role-based access control review
  • Wazuh active-response hardening and validation
  • Expanded response procedures
  • Additional compliance-oriented documentation
  • Dedicated case-management integration

Public disclosure boundary

Designed to explain the system without exposing it

The public architecture intentionally excludes credentials, tokens, internal addresses, ports, hostnames, firewall rules, Graylog queries, n8n workflow logic, and other implementation details that could increase operational risk.