Alerts Management

The Alerts page is the primary workspace for security analysts, providing real-time visibility into all security events detected by AuroraSOC's multi-source ingestion pipeline.

Alert Lifecycle

Status Definitions

Status	Description	Who Sets It
NEW	Just ingested, not yet triaged	System (Rust normalizer)
TRIAGED	AI agent has assessed severity and category	Security Analyst agent
INVESTIGATING	Human or AI actively investigating	Analyst / Orchestrator
ESCALATED	Requires senior analyst or incident response	Analyst / Threshold rule
RESOLVED	Root cause identified, remediated or false positive	Analyst / Playbook
FALSE_POSITIVE	Confirmed benign or expected behavior captured as a detection outcome	Analyst / Detection feedback loop

Alert Table

The main alert table displays:

Column	Description
Severity	Color-coded badge (Critical/High/Medium/Low)
Title	Descriptive alert title
Source	Origin system (Suricata, Wazuh, Velociraptor, etc.)
MITRE ATT&CK	Mapped technique ID(s)
Status	Current lifecycle state
Created	Timestamp of first detection
Actions	View, acknowledge, create linked case, link to an existing case

Filtering and Search

Use the filter bar to narrow alerts:

Severity filter — Click severity badges to toggle
Status filter — Show only specific states
Date range — Custom time window
Search — Free-text search across title and description

Bulk Operations

Select multiple alerts using checkboxes for bulk actions:

Bulk Resolve — Mark selected as resolved
Bulk Escalate — Escalate selected to incident response
Create Case — Group related alerts into a single case

Runtime Mode Truth

The Alerts workspace now reads runtime truth from GET /api/v1/system/mode before operators act on the queue.

In dummy, the page labels the queue as showcase data and keeps acknowledge, case promotion, case linking, and agent dispatch in preview-only mode.
In dry_run, the page reads the live alert queue when the database is available, but acknowledge, promotion, linking, and dispatch actions still return preview results instead of mutating state.
In real, the alert queue is live and those same actions persist to the platform.

This is intentional. The table can look operational in every mode, but the effect of the action buttons changes with runtime mode and should be visible before the analyst clicks.

Degraded Live-Read Behavior

When AuroraSOC is running in dry_run or real without a database connection, the Alerts page stays available as a recovery surface instead of collapsing into a misleading empty queue.

In this degraded mode:

KPI cards switch to unavailable placeholders instead of showing zero alerts
Search and filter controls become read-only until live reads return
The queue body switches to a Live alert queue unavailable recovery card
The page exposes a direct Review runtime settings path back to Settings
Any pinned alert detail is cleared so stale triage data is not left onscreen

Restore the database connection for live alert reads, or switch to dummy mode if you only need showcase workflow walkthroughs while the database is offline.

Alert Detail View

Clicking an alert opens its detail pane:

Triage to IMS Workflow

The alert detail dialog is now the starting point for incident management:

Acknowledge moves the alert to TRIAGED
Create Linked Case promotes the alert into a new case and links it immediately
Link Existing Case attaches the alert to an already-open investigation
Linked Case metadata is shown directly in the alert detail pane so analysts can confirm handoff state without leaving triage

Deep Links From SIEM

AuroraSOC now supports case-aware deep links from the SIEM workspace into alert triage.

SIEM promotions open /alerts?selectedAlert=<id> so the matching alert dialog opens immediately.
Closing the dialog clears the route parameter to return the analyst to the normal table view.
Detection feedback recorded from the SIEM workspace can mark the linked alert as FALSE_POSITIVE, preserving the analyst verdict on both the alert and the originating detection rule.

Overview Tab

Full alert description with raw event data
Extracted IOCs (IP addresses, domains, hashes, emails)
MITRE ATT&CK technique mapping with kill chain phases

Investigation Tab

When an AI investigation has been run:

Agent Reasoning — Step-by-step AI analysis
Correlated Events — Related alerts found by correlation
Recommended Actions — AI-suggested response steps

Timeline Tab

Chronological history of all actions taken:

Alert created
Agent triage performed
Status changes
Analyst comments
Playbook executions

Deduplication

AuroraSOC automatically deduplicates alerts using SHA-256 hashes:

dedup_hash = SHA256(source + title + mitre_techniques)

When a duplicate arrives within the dedup window (configurable, default 15 minutes), the existing alert's count increments rather than creating a new entry. This is why you may see a Count column showing values greater than 1.

Investigation Workflow

The fastest workflow: Filter by Critical + NEW → Review top alerts → Acknowledge the alert → Create or link a case from the alert detail pane → continue evidence, notes, and tasks in the Cases workspace.

Triggering AI Investigation

From any alert, click the Investigate button to:

Alert is sent to the Orchestrator agent
Orchestrator dispatches to Security Analyst for initial assessment
If IOCs found → Threat Intel agent enriches them
If network indicators → Network Security agent analyzes flows
If endpoint indicators → EDR / Endpoint Security agent scans
Results compiled into structured investigation report
Alert status updated to INVESTIGATING

The investigation runs asynchronously—you'll see real-time progress via the WebSocket agent-thoughts stream.

Alert Lifecycle​

Status Definitions​

Alert Table​

Filtering and Search​

Bulk Operations​

Runtime Mode Truth​

Degraded Live-Read Behavior​

Alert Detail View​

Triage to IMS Workflow​

Deep Links From SIEM​

Overview Tab​

Investigation Tab​

Timeline Tab​

Deduplication​

Triggering AI Investigation​