Agent Fleet
The Agent Fleet page provides visibility into AuroraSOC's specialist AI agents — their status, capabilities, runtime health, and operator-directed work queues. Each agent is a specialized AI model wrapped in the BeeAI framework, communicating over the Agent-to-Agent (A2A) protocol.
Agents are loaded dynamically at startup based on the ENABLED_AGENTS setting, so the fleet view reflects only the agents currently running in your deployment.
When you run AuroraSOC on the host with make stack-up, the Agent Fleet page overlays the managed-agent registry with live A2A /health results. In that mode the page shows the real 14-agent mesh, exposes one live replica row per reachable agent, and keeps manual dispatch / queue / MCP views live. Runtime mutation controls such as enable/disable, deploy, scale, and per-agent restart stay read-only there because the host launcher does not expose a controllable runtime backend to the dashboard.
Agent Architecture Overview
Fleet Overview
The fleet view opens on a card-based operations dashboard with:
- KPI cards for total agents, active agents, disabled agents, live instances, registered tools, and SOC sites
- Agent fleet and SOC site tabs so operators can switch between runtime operations and topology visibility
- Per-agent summary cards showing site, instance count, CPU, memory, tools, and uptime at a glance
- Expandable detail panels for deeper operational controls and recent activity
Status Indicators
- 🟢 Online — Agent responding to health checks, ready for tasks
- 🟡 Degraded — Agent responding but with elevated latency or partial failures
- 🔴 Offline — Agent not responding; circuit breaker may be open
Agent Capabilities
Each agent has specific tags and capabilities the dashboard displays:
| Agent | Domain | Key Capabilities |
|---|---|---|
| Security Analyst | Alert Triage | SIEM queries, IOC extraction, MITRE mapping, alert correlation |
| Threat Hunter | Proactive Hunting | LOLBin detection, baseline deviation, threat pattern matching |
| Malware Analyst | Malware Analysis | YARA scanning, sandbox analysis, malware classification |
| Incident Responder | Response Execution | Playbook orchestration, containment, remediation |
| Network Security | Network Analysis | Flow analysis, DNS tunneling detection, IP blocking |
| Web Security | Application Security | Web vuln scanning, WAF analysis, API security assessment |
| Cloud Security | Cloud Defense | Cloud config audit, IAM review, cloud threat detection |
| CPS Security | OT/IoT Security | Sensor queries, firmware attestation, physical-cyber correlation |
| Threat Intel | Intelligence | IOC enrichment, threat feed correlation, intelligence sharing |
| Endpoint Behavior | Endpoint + UEBA | EDR scanning, host isolation, user risk scoring, anomaly detection, insider threat detection |
| Forensic Analyst | Digital Forensics | Evidence collection, timeline reconstruction, artifact analysis |
| Report Generator | Reporting | Executive summaries, technical reports, compliance reports |
| Network Analyzer | Read-only NDR | Packet capture review, traffic analysis (no write actions) |
Agent Detail Panel
Expand any fleet card to open its operator detail panel.
Activity Feed
The panel summarizes the most recent task or operator-visible activity context for that agent:
[12:03:15] Received task: Analyze alert ALT-2024-001
[12:03:16] ThinkTool: Parsing alert metadata...
[12:03:17] Executing: SearchLogs (query="src_ip:192.168.1.100")
[12:03:19] Found 47 related events
[12:03:20] Executing: MitreMap (technique="T1053.005")
[12:03:21] Mapped to: Scheduled Task/Job
[12:03:22] Task complete: Confidence 0.87
Performance Metrics
- Tasks completed and failed
- Success rate
- Current version and last heartbeat
- CPU and memory utilization bars
Deployment Controls
- Enable or disable an agent when you have the
agents:managepermission - Scale active agents up or down within their configured instance limits
- Deploy an agent to another SOC site from the expanded panel
If the page shows the Live host mesh connected banner, those controls are intentionally disabled and the detail panel will explain that the current host-run stack is observable but not runtime-managed from the dashboard.
Live Replicas
The detail panel also lists the currently registered replicas for the selected agent, including:
- Runtime ID and current readiness state
- Site association for the replica
- Tasks currently in flight
- CPU and memory usage for the target runtime
On host-run stacks, the replica row is synthesized from the live A2A mesh health probe. That row is still useful for operator visibility and manual dispatch targeting, but it is read-only and the logs action tails the shared host mesh log rather than a per-container runtime log.
Recent Assignment Queue
Operators can review the latest queued, dispatched, completed, or failed manual assignments directly in the panel. Each queue item includes:
- Task ID and priority
- Assigned site or pinned replica when one was selected
- Operator identity
- Queue timestamp
- Error details for failed assignments
Circuit Breaker Status
The dashboard shows the circuit breaker state for each agent:
- CLOSED — Normal, all requests forwarded
- OPEN — Agent unhealthy, requests fail fast (no load on struggling agent)
- HALF_OPEN — Testing with a single probe request
Without circuit breakers, a failing agent would cause cascading timeouts across the system. The circuit breaker pattern isolates failures, allowing the rest of the SOC to continue operating while the unhealthy agent recovers.
Dispatching Manual Tasks
From the expanded Agent Fleet panel, operators with the agents:assign permission can manually dispatch tasks:
- Expand the target agent card.
- Enter the task prompt in the Manual Assignment panel.
- Optionally choose a preferred site.
- Optionally pin the task to a specific live replica.
- Set the dispatch priority.
- Click Dispatch Task to queue the assignment.
The assignment is persisted immediately, then picked up by the task worker. The recent queue section refreshes automatically so you can confirm whether the task remains queued, has been dispatched, completed successfully, or failed.
Users without agents:assign can still expand fleet cards and inspect replica health and queue state, but the manual dispatch form remains read-only.