
Features

Four-Tier Detection Pipeline

Every event flows through four layers; each tier is cheaper than the one after it and sees only the events the earlier tiers could not settle.

Tier 1: Noise Suppression — Static rules filter ~70% of known-safe events before anything else runs. Password changes, routine admin operations, service heartbeats. Zero cost, zero latency.

Tier 2: Pattern Detection — 574 open-source SigmaHQ community rules match known attack signatures. Brute force, credential stuffing, privilege escalation, suspicious mailbox rules. Deterministic, auditable, updated weekly from the public SigmaHQ repository. Zero AI cost.

Tier 3: AI Triage — A fast AI model reads the remaining events every five minutes. It evaluates each event summary in context: is this routine, or does it warrant investigation? Routine events are logged and dismissed. Suspicious events are escalated.

Tier 4: AI Investigation — A powerful AI model takes over. It autonomously searches logs, correlates across sources, checks device inventory, looks up documentation, verifies network IPs — and produces a detailed, client-ready report with severity rating and recommended actions.
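As an added illustration (not Hal's code), here is a minimal Python model of Tiers 1 and 2: static suppression rules drop known-safe events, a Sigma-style rule with a selection, a filter and a condition is evaluated deterministically, and whatever remains is handed on to AI triage. The rule, the event shape, the field names and the routing labels are all constructed assumptions, and only the plain and `|contains` Sigma field modifiers are modelled.

```python
# Tier 1: static noise-suppression rules, constructed stand-ins for the page's "known-safe" events.
NOISE_RULES = [
    lambda e: e.get("action") == "service_heartbeat",
    lambda e: e.get("action") == "password_change" and e.get("actor") == e.get("target"),
]

# Tier 2: one Sigma-style rule (constructed, not from SigmaHQ): an inbox rule forwarding mail outside the tenant.
SIGMA_RULE = {
    "title": "Inbox rule forwarding mail to an external domain",
    "detection": {
        "selection": {"action": "New-InboxRule", "params|contains": "ForwardTo"},
        "filter": {"params|contains": "@example.com"},  # assumed internal domain
        "condition": "selection and not filter",
    },
}

def _field_matches(event: dict, key: str, expected) -> bool:
    """Sigma field test; only the plain (exact) and '|contains' modifiers are modelled."""
    name, _, modifier = key.partition("|")
    if (value := event.get(name)) is None:
        return False
    if modifier == "contains":
        return str(expected).lower() in str(value).lower()
    return str(value).lower() == str(expected).lower()

def _condition_holds(condition: str, named: dict) -> bool:
    """Evaluate 'a and not b or c' style conditions (single-spaced, no parentheses) without eval()."""
    def term(t: str) -> bool:
        return not named[t[4:]] if t.startswith("not ") else named[t]
    return any(all(term(t) for t in clause.split(" and ")) for clause in condition.split(" or "))

def sigma_matches(event: dict, rule: dict) -> bool:
    named = {k: all(_field_matches(event, f, v) for f, v in sel.items())
             for k, sel in rule["detection"].items() if k != "condition"}
    return _condition_holds(rule["detection"]["condition"], named)

def route(event: dict) -> str:
    """'suppressed' (Tier 1), 'sigma_match' (Tier 2 hit) or 'ai_triage' (left for the Tier 3 model)."""
    if any(rule(event) for rule in NOISE_RULES):
        return "suppressed"
    return "sigma_match" if sigma_matches(event, SIGMA_RULE) else "ai_triage"

# Constructed sample events in a simplified, flattened audit-log shape.
EVENTS = [
    {"id": 1, "action": "service_heartbeat", "actor": "svc-monitor"},
    {"id": 2, "action": "password_change", "actor": "alice", "target": "alice"},
    {"id": 3, "action": "New-InboxRule", "actor": "bob", "params": "ForwardTo=someone@mail.test"},
    {"id": 4, "action": "New-InboxRule", "actor": "carol", "params": "ForwardTo=helpdesk@example.com"},
    {"id": 5, "action": "FileDownloaded", "actor": "dave", "count": 300},
]
```

Running `{e["id"]: route(e) for e in EVENTS}` yields events 1 and 2 suppressed, event 3 as the only Sigma hit, and events 4 and 5 left for AI triage; the filter is what keeps the internal forwarding rule (event 4) from firing.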


Multi-Source Coverage

Hal ingests and correlates across every major MSP log source:

  • Microsoft 365 — Exchange, SharePoint, OneDrive, Teams, Azure AD audit logs
  • Google Workspace — Reports API audit logs and Alert Center security alerts
  • Microsoft Entra ID — Sign-in logs, risk detections, directory audits via Graph API
  • Windows Servers — Event logs via Sidecar/Winlogbeat (no kernel agent)
  • Network Devices — FreeBSD router syslog over encrypted VPN tunnels
  • Meraki WAN IP Correlation — Automatic tagging of corporate WAN IPs in investigations

Cross-source correlation is where Hal excels. A suspicious sign-in leads to a device check in your RMM, a forwarding rule in M365, and a KB article in your documentation platform — all in one investigation.


Slack Integration

Slack is the primary interface. No query language, no training required.

  • Automated alerts with severity levels posted to your team channel
  • Plain English conversations — ask Hal about any client, any event
  • Threaded investigations with full context
  • Client notes: persistent facts injected into every analysis
  • Watches: “check this user again in 20 minutes”
  • Web chat available as a complement for browser-based access

Self-Service Portal

A web portal for your team with full operational visibility:

  • Dashboard — health, costs, pipeline stats, infrastructure status
  • Alerts — expandable security findings with report IDs and severity
  • Usage — per-event AI cost tracking with API call drilldown
  • Reports — PDF downloads for all investigations
  • Log Sources — per-client source status with health badges
  • Health — VM stats, service status, pipeline freshness, API reachability
  • Settings — AI model selection, service management

PDF Security Reports

Every investigation can produce a branded PDF report:

  • PAdES-B-T digitally signed with RFC 3161 timestamps
  • Cryptographic proof of when the report was generated and that it hasn’t been tampered with
  • Client-ready — send directly without editing
  • Verify any report online

365-Day Retention

Every log source, 365 days, fully searchable. Included in the platform fee — no premium tier required.

Suitable for HIPAA, PCI, and CMMC compliance frameworks that require extended log retention.


Open Detection Rules

Tier 2 pattern detection uses SigmaHQ — the open-source, vendor-neutral, community-maintained detection standard. Every rule is publicly auditable. No proprietary black-box detection logic.

Rules update weekly from the public SigmaHQ repository. You can inspect exactly what is being detected and why.