Customer Onboarding

Guided multi-step wizard for onboarding new tenants with log source integration, SIEM provisioning, and MITRE ATT&CK coverage mapping.

Overview

Enterprise SOCaaS platforms must onboard customers quickly and reliably. Manual onboarding -- spreadsheets, emails, and ad-hoc configuration -- leads to missed log sources, delayed time-to-value, and inconsistent coverage. The Customer Onboarding module provides a structured, automated onboarding pipeline that guides both internal SOC engineers and customer admins through every step from initial SOC assessment to validation.

What Was Proposed

Dual-path onboarding: existing SOC (connect and import) vs. greenfield (provision and deploy)
Multi-step wizard with progress tracking and validation
Automated data source discovery and connector provisioning
MITRE ATT&CK coverage heatmap with gap analysis
Sentinel workbook deployment and Defender EDR/ATP integration
End-to-end validation suite to confirm log flow
Self-healing log source monitor

What's Built Complete

Full 6-step onboarding wizard: SOC Assessment, Data Sources, Sentinel Setup, MITRE Mapping, Defender Integration, Validation
Two onboarding paths: Path A (Existing SOC) and Path B (Greenfield)
15 pre-built connector templates (Windows Events, Defender, Azure AD, Palo Alto, Fortinet, Cisco ASA, AWS CloudTrail, GCP Audit, etc.)
Connector health testing with live status feedback
MITRE ATT&CK coverage heatmap across 14 tactics with color-coded scoring
5 Sentinel workbook templates (SOC Overview, Threat Landscape, Incident Response, Compliance Dashboard, Data Source Health)
Microsoft Defender EDR/ATP configuration with automated investigation and ASR
End-to-end validation suite with 6 checks (tenant, SIEM, connectors, rules, ingestion, playbooks)
Backend onboarding engine with auto-discovery, self-healing, schema adaptation, and lifecycle reporting
Data source types: siem, endpoint, cloud, network, identity, email, dns, firewall
Connector types: sentinel_connector, syslog_cef, api_poll, webhook, file_beat, windows_event_forwarding, taxii_stix

Architecture

Service Layer

The OnboardingEngine class orchestrates both onboarding paths. It manages tenant state, data source connections, MITRE coverage calculations, Sentinel workbook deployment, and Defender integration. Data sources are tracked with health monitoring and the self-healing log source manager automatically reconnects degraded sources.

Frontend (Next.js)         API (FastAPI)              Services
+-----------------+   +-----------------------+   +---------------------+
| OnboardingPage  |-->| /api/v1/onboarding/*  |-->| OnboardingEngine    |
| 6-step wizard   |   | tenant/setup          |   |   setup_tenant()    |
| connector tests |   | datasources/connect   |   |   connect_source()  |
| MITRE heatmap   |   | mitre/coverage        |   |   get_mitre_cov()   |
| validation      |   | sentinel/workbooks    |   |   deploy_workbooks()|
+-----------------+   | defender/configure    |   |   configure_defender|
                      | reports/lifecycle     |   |   self_heal_log()   |
                      +-----------------------+   +---------------------+

Routing

Frontend Route

/onboarding

API Prefix

/api/v1/onboarding

Prerequisites

Authenticated user with admin or super_admin role
Tenant ID (auto-generated or existing)
For Path A: Sentinel workspace ID and shared key
For Defender integration: Azure Tenant ID and App Registration client credentials

Data Model

Field	Type	Description
tenant_id	str	Unique tenant identifier
existing_soc	bool	Path A (true) or Path B (false)
organization_name	str	Customer organization name
contact_email	str	Primary contact email
industry	str	Industry vertical (Technology, Government, Healthcare, Finance, Education, Manufacturing, Retail)
sentinel_workspace_id	str	Sentinel workspace ID (Path A)
source_type	enum	siem \| endpoint \| cloud \| network \| identity \| email \| dns \| firewall
connector_type	enum	sentinel_connector \| syslog_cef \| api_poll \| webhook \| file_beat \| wef \| taxii_stix

API Endpoints

Method	Endpoint	Description
POST	/tenant/setup	Initialize tenant onboarding
GET	/tenant/{id}/status	Get onboarding progress
POST	/datasources/connect	Add data source connection
GET	/datasources	List data sources with health
GET	/datasources/{id}/health	Detailed source health
POST	/datasources/{id}/test	Test connectivity
POST	/datasources/discover	Auto-discovery scan
GET	/mitre/coverage	MITRE ATT&CK heatmap data
GET	/mitre/gaps	Coverage gaps with recommendations
POST	/sentinel/workbooks/deploy	Deploy workbook templates
GET	/sentinel/workbooks	List deployed workbooks
POST	/defender/configure	Configure Defender EDR/ATP
GET	/reports/lifecycle	Alert lifecycle report
GET	/reports/ingestion	Ingestion stats per source
GET	/connectors/templates	Available connector templates
GET	/self-healing/log	Recent self-healing actions

UI Description

The onboarding page presents a 6-step progress stepper at the top with numbered circles connected by a progress bar. Steps transition with orange (#F97316) accents when completed.

Step 1: SOC Assessment

Two large selection cards: "Existing SOC" (connect workspace) and "Greenfield" (provision new). Selecting Existing SOC reveals Sentinel workspace ID and shared key inputs. Organization details (name, email, industry selector) are collected below.

Step 2: Data Sources

A 2-column grid of 15 connector templates with checkboxes. Each shows icon, name, description, source type badge, and a "Test" button. Connected/error status badges appear after testing.

Step 3: Sentinel Setup

Displays workspace connection info (existing) or provisioning details (greenfield). A checklist of 5 workbook templates with checkboxes. Summary cards show detection rules count, workbooks to deploy, and UEBA status.

Step 4: MITRE Mapping

A "Calculate Coverage" button triggers a heatmap across 14 MITRE ATT&CK tactics in a 7-column grid. Overall coverage percentage, covered/partial/uncovered technique counts are displayed in summary cards. Color legend: green (70%+), yellow (40-69%), red (<40%).

Step 5: Defender Integration

Azure Tenant ID and Client ID inputs. Feature checkboxes for EDR, ATP, Automated Investigation (always on), and Attack Surface Reduction (always on).

Step 6: Validation

A "Run Validation Suite" button triggers 6 sequential checks with animated progress. On success, a green completion banner with "Start Monitoring" CTA appears.

Source Files

Component	Path
API Router	platform/api/app/routers/onboarding.py
Service Engine	platform/api/app/services/onboarding_engine.py
Frontend Page	platform/frontend/src/app/onboarding/page.tsx