Network Analyzer

The Network Analyzer is AuroraSOC's read-only network hunting workspace. Use it when you want flow, DNS, IOC, and reasoning output from the dedicated network-analysis agent without triggering any blocking, isolation, firewall, or containment action.

When to Use This Page

Use this page when you need to:

  • Run a manual network investigation query over recent traffic
  • Continue a hunt that started in the Network Command Center
  • Review AI-generated network findings, evidence, recommendations, and reasoning
  • Queue a follow-up task to another agent while keeping the analyzer itself read-only
  • Check why live network reads are degraded before resuming manual hunting

Main Panels

Imported Context Banner

When the page is opened from the Network Command Center, the analyzer imports the current command context into the query box and shows a banner with:

  • Attack title when a focused attack was selected
  • Telemetry family and telemetry source when those pivots were available
  • Imported severity and time-window context
  • A shortcut back to the command center

When the Network Command Center is in degraded live-read mode, the same banner switches to recovery-context wording so operators can see that the handoff is about restoring visibility rather than investigating a currently loaded attack queue.

Click Use imported query to reset the query box to the command-center handoff prompt after making manual edits.

KPI Row

The top KPI cards summarize the current result set:

  • Critical findings
  • High-severity findings
  • Extracted IOCs
  • Total flows analyzed

These cards are derived from the findings list currently shown on the page, not from a separate background summary job.

Agent Status

When live reads are available, the Agent Status card shows the analyzer runtime state, including:

  • Current status
  • Model
  • Runtime mode
  • Completed analyses
  • Capabilities and restrictions

This section is intentionally absent when the analyzer cannot read live data.

Run Analysis

The query box is the main manual hunting surface. Operators can:

  • Enter a freeform hunting question
  • Press Analyze to run a read-only investigation
  • Reuse imported command-center context
  • Keep the current hunt constrained to the imported time range and focus area when applicable

The analyzer is strictly observational. It returns findings and recommendations but does not perform active response.

Findings List

Each finding card can be expanded to review:

  • Severity and confidence
  • Risk assessment
  • Flow analysis metrics
  • DNS analysis metrics
  • Extracted IOCs
  • Recommendations
  • Agent reasoning steps
  • Timestamp and analysis ID

Operators with agents:assign can also queue a follow-up investigation to another active agent from the expanded finding card.

Common Tasks

Continue a hunt from the Network Command Center

  1. Click Open analyzer in the Network Command Center header.
  2. Review the imported context banner.
  3. Use the imported query as-is or edit it into a broader hunt.
  4. Run analysis and review the resulting findings.
  5. Return to the command center if you need to pivot back to the correlated attack queue.

Run a manual network investigation

  1. Enter a hunting query in Run Analysis.
  2. Click Analyze.
  3. Expand relevant findings to inspect flow, DNS, IOC, and reasoning detail.
  4. Apply the severity filter to narrow the current findings set.

Queue a follow-up agent task

  1. Expand a finding card.
  2. Open Dispatch Follow-Up Agent.
  3. Choose an active agent.
  4. Adjust the prompt or priority.
  5. Queue the follow-up task.

Permissions

  • Users with agents:assign can queue follow-up tasks from individual findings.
  • Users without agents:assign can still run read-only analysis and inspect findings.

Degraded Live-Read Behavior

When AuroraSOC is running in a live-read mode without a database connection, the Network Analyzer stays available as a documented recovery surface instead of failing into ambiguous empty states.

In this degraded mode:

  • The imported query can switch to a recovery-focused prompt when the page is opened from the Network Command Center
  • The imported-context banner and scope line switch to recovery wording instead of focused-attack wording
  • KPI cards show unavailable placeholders instead of misleading zeroes
  • The manual query input and Analyze action are disabled
  • Severity filters are disabled with inline guidance because there is no live result set to filter
  • The degraded findings state includes a direct Review runtime settings shortcut
  • The page shows an explicit live-read unavailable message instead of raw fetch failures or dispatch toasts

Restore the database connection for live reads, or switch to dummy mode if you need showcase-only dashboard data.
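The following is an added example, not AuroraSOC code, illustrating the rule behind the KPI row above and its degraded-mode placeholders: the cards are computed from the findings currently shown, and when live reads are unavailable every card becomes a placeholder rather than 0, because a zero would read as "analyzed and found nothing". The finding fields, the severity values, the exact-match severity filter and the de-duplication of IOCs across findings are assumptions; the sample findings are constructed.

```python
"""KPI-row summary that distinguishes 'no findings' (0) from 'live reads unavailable'."""
from __future__ import annotations

from dataclasses import dataclass, field

UNAVAILABLE = "unavailable"  # placeholder rendered on every card in degraded mode


@dataclass
class Finding:
    """Assumed shape of one finding card (not the product's real schema)."""
    analysis_id: str
    severity: str            # assumed values: critical, high, medium, low
    flows_analyzed: int
    iocs: list[str] = field(default_factory=list)


# Constructed sample findings, not real analyzer output.
SAMPLE_FINDINGS = [
    Finding("an-0001", "critical", 1200, ["198.51.100.23", "evil.example"]),
    Finding("an-0002", "high", 340, ["evil.example"]),
    Finding("an-0003", "low", 80, []),
]


def visible_findings(findings, severity_filter=None):
    """Apply the severity filter (assumed to be an exact match) to the findings list."""
    if severity_filter is None:
        return list(findings)
    return [f for f in findings if f.severity == severity_filter]


def kpi_row(findings, *, live_read_available, severity_filter=None):
    """Return the four KPI card values keyed critical, high, iocs, flows.

    Degraded mode returns the placeholder for every card: a count of 0 would
    claim the analyzer looked at live data and found nothing, which is false
    when it could not read live data at all.
    """
    if not live_read_available:
        return {key: UNAVAILABLE for key in ("critical", "high", "iocs", "flows")}

    shown = visible_findings(findings, severity_filter)
    # Assumption: the IOC card counts distinct indicators across the shown findings.
    distinct_iocs = {ioc for f in shown for ioc in f.iocs}
    return {
        "critical": sum(1 for f in shown if f.severity == "critical"),
        "high": sum(1 for f in shown if f.severity == "high"),
        "iocs": len(distinct_iocs),
        "flows": sum(f.flows_analyzed for f in shown),
    }


if __name__ == "__main__":
    print(kpi_row(SAMPLE_FINDINGS, live_read_available=True))
    print(kpi_row(SAMPLE_FINDINGS, live_read_available=True, severity_filter="high"))
    print(kpi_row(SAMPLE_FINDINGS, live_read_available=False))
```

Narrowing the filter to high changes the IOC and flow cards as well as the severity counts, which is what "derived from the visible findings list" means in practice; an empty live result set still yields zeros, only the degraded state yields the placeholder.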

Troubleshooting

The page says live analysis is unavailable

The analyzer reads from live backend data in dry_run and real modes. If the backing database is unavailable, the page stays in a degraded recovery state until connectivity returns.

The imported query does not mention the current attack queue

This is expected when the Network Command Center itself is in degraded live-read mode. The handoff changes to a recovery-oriented query so the analyzer does not imply that a live queue is available when it is not.

I do not see a dispatch form on a finding

The dispatch controls require the agents:assign permission.