Tenant Onboardingv1

Tell SARA about your environment

A few minutes now saves your SOC team a feedback cycle later. SARA learns from these facts on the first incident, not the tenth.

• Network perimeter — the IP ranges SARA should treat as "yours" so scans against them don't get tagged as ransomware (and outbound traffic from them isn't called C2).
• Internal & external domains — corp DNS patterns + your public domain, so SARA stops emitting them as IOCs.
• Log-source naming — your QRadar / Splunk / etc. host-class prefixes, so SARA recognises them as log sources, not threat indicators.
• Policy tier — how much SARA can do without asking. Default is Balanced.

You can skip any step. Re-run anytime from Settings → Memory.

Network perimeter

Your IPv4 CIDR ranges. We verify each one against APNIC/RDAP to flag mismatches — if you claim a range that actually belongs to a Japanese ISP (we've seen it), you'll see a warning before pinning.

Internal & external domains

Glob patterns SARA shouldn't tag as suspicious. Internal = corp-DNS-only (not in public DNS); external = your publicly-resolvable tenant domain. We DNS-check externals so a typo doesn't sneak through.

Log-source naming

Hostname prefixes your QRadar / Splunk / etc. use. Hostnames matching these are log sources, not IOCs. Example: corp-siem- or winlog- for wincollect / forwarder host classes.

Policy tier

How much can SARA do without explicit analyst approval? This is a default you can change anytime from Settings.

You're done — SARA is configured

Summary of what we pinned to your tenant. You can edit any of these from Settings → Memory.

We'll re-verify your network-perimeter CIDRs against RDAP weekly. If a registration changes (e.g. a CIDR is re-assigned), you'll see a banner on your next sign-in.