Alerts Management
The Alerts page is the primary workspace for security analysts, providing real-time visibility into all security events detected by AuroraSOC's multi-source ingestion pipeline.
Alert Lifecycle
Status Definitions
| Status | Description | Who Sets It |
|---|---|---|
| NEW | Just ingested, not yet triaged | System (Rust normalizer) |
| TRIAGED | AI agent has assessed severity and category | Security Analyst agent |
| INVESTIGATING | Human or AI actively investigating | Analyst / Orchestrator |
| ESCALATED | Requires senior analyst or incident response | Analyst / Threshold rule |
| RESOLVED | Root cause identified, remediated or false positive | Analyst / Playbook |
Alert Table
The main alert table displays:
| Column | Description |
|---|---|
| Severity | Color-coded badge (Critical/High/Medium/Low) |
| Title | Descriptive alert title |
| Source | Origin system (Suricata, Wazuh, Velociraptor, etc.) |
| MITRE ATT&CK | Mapped technique ID(s) |
| Status | Current lifecycle state |
| Created | Timestamp of first detection |
| Actions | View, Investigate, Dismiss |
Filtering and Search
Use the filter bar to narrow alerts:
- Severity filter — Click severity badges to toggle
- Status filter — Show only specific states
- Date range — Custom time window
- Search — Free-text search across title and description
Bulk Operations
Select multiple alerts using checkboxes for bulk actions:
- Bulk Resolve — Mark selected as resolved
- Bulk Escalate — Escalate selected to incident response
- Create Case — Group related alerts into a single case
Alert Detail View
Clicking an alert opens its detail pane:
Overview Tab
- Full alert description with raw event data
- Extracted IOCs (IP addresses, domains, hashes, emails)
- MITRE ATT&CK technique mapping with kill chain phases
Investigation Tab
When an AI investigation has been run:
- Agent Reasoning — Step-by-step AI analysis
- Correlated Events — Related alerts found by correlation
- Recommended Actions — AI-suggested response steps
Timeline Tab
Chronological history of all actions taken:
- Alert created
- Agent triage performed
- Status changes
- Analyst comments
- Playbook executions
Deduplication
AuroraSOC automatically deduplicates alerts using a SHA-256 hash over three fields:
`dedup_hash = SHA256(source + title + mitre_techniques)`
When a duplicate arrives within the dedup window (configurable, default 15 minutes), the existing alert's Count is incremented instead of a new alert being created. This is why the Count column can show values greater than 1. Because the hash covers only the source, the title and the technique IDs, the same detection firing on several hosts collapses into a single alert; check the raw event data in the detail pane before resolving a high-count alert.
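The dedup window behaviour described above, as an added worked example; this is not AuroraSOC's normalizer code (which the page says is written in Rust), and the sample events are constructed. The page's formula does not say how the three fields are joined or whether technique IDs are ordered, so `compute_dedup_hash` joins them with a separator and sorts the IDs (an assumption), while `naive_dedup_hash` shows why bare concatenation is a poor key. Measuring the window from the existing alert's Created timestamp is also an assumption.

```python
import hashlib
from dataclasses import dataclass

WINDOW_SECONDS = 15 * 60  # the page's default dedup window


@dataclass
class Alert:
    source: str
    title: str
    mitre_techniques: list
    created: float   # first detection, epoch seconds (the Created column)
    dedup_hash: str
    count: int = 1   # the Count column


def naive_dedup_hash(source, title, mitre_techniques):
    """Literal reading of SHA256(source + title + mitre_techniques): bare concatenation.

    Kept only to show the problem: ("a", "bc") and ("ab", "c") give the same digest,
    and ["T1059", "T1071"] hashes differently from ["T1071", "T1059"].
    """
    raw = source + title + "".join(mitre_techniques)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def compute_dedup_hash(source, title, mitre_techniques):
    """Unambiguous variant (assumption; the page does not specify the encoding):
    fields joined with the ASCII unit separator, technique IDs sorted and deduplicated."""
    techniques = ",".join(sorted(set(mitre_techniques)))
    canonical = "\x1f".join((source, title, techniques))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class Deduplicator:
    def __init__(self, window_seconds=WINDOW_SECONDS):
        self.window_seconds = window_seconds
        self.open = {}     # dedup_hash -> alert currently absorbing duplicates
        self.alerts = []   # every alert actually created, in arrival order

    def ingest(self, source, title, mitre_techniques, now):
        """Return (alert, created); created is False when an existing alert absorbed the event."""
        h = compute_dedup_hash(source, title, mitre_techniques)
        existing = self.open.get(h)
        # Assumption: the window runs from the existing alert's Created timestamp, so a
        # sustained flood rolls over into a fresh alert once per window instead of
        # growing one alert forever.
        if existing is not None and now - existing.created < self.window_seconds:
            existing.count += 1
            return existing, False
        alert = Alert(source, title, sorted(set(mitre_techniques)), now, h)
        self.open[h] = alert
        self.alerts.append(alert)
        return alert, True


# Constructed sample events (not real AuroraSOC data): a Suricata signature firing
# repeatedly, the same title arriving from Wazuh, then the signature again after the
# window has elapsed.
SAMPLE_EVENTS = [
    ("suricata", "ET MALWARE Cobalt Strike Beacon", ["T1071.001", "T1573.002"], 0),
    ("suricata", "ET MALWARE Cobalt Strike Beacon", ["T1071.001", "T1573.002"], 30),
    ("suricata", "ET MALWARE Cobalt Strike Beacon", ["T1573.002", "T1071.001"], 90),
    ("wazuh",    "ET MALWARE Cobalt Strike Beacon", ["T1071.001", "T1573.002"], 100),
    ("suricata", "ET MALWARE Cobalt Strike Beacon", ["T1071.001", "T1573.002"], 15 * 60 + 1),
]


def replay(events=SAMPLE_EVENTS, window_seconds=WINDOW_SECONDS):
    """Feed events through the deduplicator; return (created, count_after) per event."""
    dedup = Deduplicator(window_seconds)
    out = []
    for source, title, techniques, ts in events:
        alert, created = dedup.ingest(source, title, techniques, ts)
        out.append((created, alert.count))
    return out


if __name__ == "__main__":
    for row in replay():
        print(row)
```

Replaying the sample gives one alert that reaches Count 3 (the reordered technique list still matches), a separate alert for the Wazuh source, and a fresh alert once the first one is older than the window.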
The fastest workflow: Filter by Critical + NEW → Review top alerts → Click Investigate to trigger AI agent analysis → Review agent findings → Resolve or Create Case.
Triggering AI Investigation
From any alert, click the Investigate button. This starts the following sequence:
- Alert is sent to the Orchestrator agent
- Orchestrator dispatches to Security Analyst for initial assessment
- If IOCs found → Threat Intel agent enriches them
- If network indicators → Network Security agent analyzes flows
- If endpoint indicators → EDR / Endpoint Security agent scans
- Results compiled into structured investigation report
- Alert status updated to INVESTIGATING
The investigation runs asynchronously—you'll see real-time progress via the WebSocket agent-thoughts stream.
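The IOC extraction the Overview tab relies on and the conditional dispatch sequence above, as an added example; it is not AuroraSOC's orchestrator code. The agent names come from the page. The regex patterns, the rule that IPs and domains count as network indicators while file hashes count as endpoint indicators, the `plan_investigation` function and both sample alerts are assumptions made for this example.

```python
import re

# Patterns for the IOC types the Overview tab lists: IPs, domains, hashes, emails.
# Assumption: the domain pattern uses a short TLD allow-list so that file names such
# as powershell.exe or a.ps1 are not reported as domains; a production extractor
# would consult the public suffix list instead.
_IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
_SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)
_MD5 = re.compile(r"\b[0-9a-f]{32}\b", re.I)
_EMAIL = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I)
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|xyz|top|ru)\b", re.I)


def _unique(items):
    """Deduplicate while keeping first-seen order."""
    return list(dict.fromkeys(items))


def extract_iocs(text):
    """Pull IPs, domains, hashes and emails out of free text.

    Emails and SHA-256 values are blanked out after capture so the domain part of an
    address is not also reported as a domain IOC and a long hash cannot be re-read
    as a shorter one.
    """
    emails = _unique(m.lower() for m in _EMAIL.findall(text))
    text = _EMAIL.sub(" ", text)
    sha256s = _SHA256.findall(text)
    text = _SHA256.sub(" ", text)
    md5s = _MD5.findall(text)
    return {
        "ips": _unique(_IPV4.findall(text)),
        "domains": _unique(m.lower() for m in _DOMAIN.findall(text)),
        "hashes": _unique(h.lower() for h in sha256s + md5s),
        "emails": emails,
    }


def plan_investigation(alert):
    """Reproduce the dispatch sequence the page lists for the Investigate button and
    return the structured report the Orchestrator compiles.

    Assumption: IPs and domains are the "network indicators" and file hashes are the
    "endpoint indicators"; the page names the branches but not the criteria.
    """
    iocs = extract_iocs(" ".join([alert["title"], alert["description"]]))
    dispatched = ["Security Analyst"]                  # initial assessment, always
    if any(iocs.values()):
        dispatched.append("Threat Intel")              # enriches every IOC found
    if iocs["ips"] or iocs["domains"]:
        dispatched.append("Network Security")          # flow analysis
    if iocs["hashes"]:
        dispatched.append("EDR / Endpoint Security")   # endpoint scan
    return {
        "alert_id": alert["id"],
        "iocs": iocs,
        "dispatched_agents": dispatched,
        "status": "INVESTIGATING",
    }


# Constructed sample alerts, not real AuroraSOC events. The first carries every IOC
# type; the second carries none, so only the Security Analyst runs.
SAMPLE_ALERTS = [
    {
        "id": "example-001",
        "source": "Wazuh",
        "title": "Suspicious PowerShell download cradle",
        "description": (
            "powershell.exe on ws-042 (10.20.30.41) fetched a payload from "
            "hxxp://update.cdn-example.xyz/a.ps1 (203.0.113.17); dropped file "
            "sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855; "
            "reported by ops-alerts@corp-example.com"
        ),
    },
    {
        "id": "example-002",
        "source": "Wazuh",
        "title": "Repeated failed logons",
        "description": "12 failed logons for user jdoe on ws-042 within 60 seconds",
    },
]


if __name__ == "__main__":
    for sample in SAMPLE_ALERTS:
        print(plan_investigation(sample))
```

The first sample dispatches all four agents; the second stops after the Security Analyst because no IOC was extracted, which is the branch worth testing when an investigation report comes back empty.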