Network Command Center
The Network Command Center is the operator workspace for correlated network attacks, telemetry-source health, detector coverage, and agentic follow-up. It is the fastest way to answer four questions during network triage:
- Which attacks need attention first?
- Which telemetry source produced the detection?
- Is the evidence strong enough for autonomous case creation or analyst review?
- Should an investigation agent be queued immediately?
When to Use This Page
Use this page when you need to:
- Prioritize high-confidence network attacks that already have correlated telemetry
- Inspect the supporting flow, DNS, IDS, or PCAP evidence for one attack
- Confirm whether a telemetry source is healthy, stale, or erroring
- Review detector coverage before tuning thresholds or onboarding a new feed
- Create a case or dispatch an investigation agent without leaving the network workspace
Main Panels
Attack Queue
The top of the page highlights:
- Critical attack pressure
- High-severity escalation candidates
- Autonomous case creation volume
- Average confidence across the visible attack set
- Live A2A reachability for the orchestrator and network-first investigation agents
Use the severity, category, and telemetry-family filters to narrow the queue before choosing a focused attack.
The Autonomous Agent Mesh panel is database-independent. It probes the orchestrator and specialist A2A /health endpoints, shows the shared model tag, and keeps the network-priority agents visible even when live network reads are degraded.
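The probe loop behind a panel like this is straightforward, but the failure handling is the part worth getting right: one slow or dead agent must not stall the others, and malformed health bodies must not crash the view. The following is an added illustration, not AuroraSOC's code. The page only says the panel probes A2A `/health` endpoints and shows a shared model tag; the JSON shape (`"model"` key), the agent names, the hostnames, and the per-agent timeout are assumptions made for the example.

```python
"""Added example: a database-independent A2A health probe in the spirit of the
Autonomous Agent Mesh panel. Illustrative code, not AuroraSOC's implementation.
Assumed (not from the page): GET /health returns JSON with a "model" key, and each
probe has a short timeout so one unreachable agent cannot stall the panel."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Agents the panel keeps visible even when unreachable. Names are placeholders;
# the page only says "orchestrator" and "network-first investigation agents".
PRIORITY_AGENTS = ("orchestrator", "network-investigator")


@dataclass
class AgentHealth:
    name: str
    reachable: bool
    model: Optional[str]
    detail: str


def http_fetch(url: str, timeout: float = 2.0) -> str:
    """Real transport: GET the health URL and return the body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def probe_agent(name: str, base_url: str,
                fetch: Callable[[str], str] = http_fetch) -> AgentHealth:
    """Probe one agent. Transport errors and malformed bodies are reported as
    unreachable instead of raising, so the panel always renders a row."""
    try:
        body = fetch(base_url.rstrip("/") + "/health")
        data = json.loads(body)
        model = data.get("model") if isinstance(data, dict) else None
        return AgentHealth(name, True, model, "ok")
    except (urllib.error.URLError, OSError, ValueError) as exc:
        return AgentHealth(name, False, None, f"unreachable: {type(exc).__name__}")


def probe_mesh(agents: Dict[str, str],
               fetch: Callable[[str], str] = http_fetch) -> dict:
    """Probe every configured agent. Priority agents are always present in the
    result, and a shared model tag is reported only when every reachable agent
    advertises the same model."""
    results: Dict[str, AgentHealth] = {
        name: AgentHealth(name, False, None, "not configured") for name in PRIORITY_AGENTS
    }
    for name, url in agents.items():
        results[name] = probe_agent(name, url, fetch)
    models = {h.model for h in results.values() if h.reachable and h.model}
    return {
        "agents": results,
        "shared_model": models.pop() if len(models) == 1 else None,
        "reachable": sum(1 for h in results.values() if h.reachable),
    }


# Constructed offline transport for the demo: canned /health bodies keyed by URL.
CANNED = {
    "http://orchestrator.internal/health": '{"status":"ok","model":"aurora-7b"}',
    "http://netinv.internal/health": '{"status":"ok","model":"aurora-7b"}',
    "http://dnsagent.internal/health": "<html>502 Bad Gateway</html>",  # not JSON
}


def canned_fetch(url: str) -> str:
    if url not in CANNED:
        raise urllib.error.URLError("connection refused")
    return CANNED[url]


def demo() -> dict:
    """Run the probe against the constructed transport (hostnames are made up)."""
    agents = {
        "orchestrator": "http://orchestrator.internal",
        "network-investigator": "http://netinv.internal",
        "dns-agent": "http://dnsagent.internal",
        "pcap-agent": "http://pcapagent.internal",  # no canned entry: connection refused
    }
    return probe_mesh(agents, fetch=canned_fetch)


if __name__ == "__main__":
    for h in demo()["agents"].values():
        print(f"{h.name:22} reachable={h.reachable!s:5} model={h.model} {h.detail}")
```

The transport is injected so the same logic can be exercised offline; in the demo the 502 page and the refused connection both land in the unreachable bucket with a reason the operator can read, which is the behaviour the panel needs when live network reads are degraded.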
The Critical Approval Queue sits next to the mesh panel. Operators with approval permissions can review pending high-risk actions, approve or deny them, and start an approved critical playbook without leaving the network workspace. When live database reads are unavailable, the panel stays visible but reports that the approval queue also needs the live database.
The Autonomous Investigation Activity panel turns the latest dispatch and investigation receipts from the visible attack queue into a network-wide task stream. It shows active, review-required, and completed agent work, keeps each row linked to the focused attack, and provides a direct queue pivot for the underlying agent assignment.
Focused Attack Workspace
Selecting an attack opens the detailed workspace on the right side of the page. This section combines:
- Attack intelligence and reasoning trail
- Linked case and alert pivots
- Dispatch receipts for both queue acceptance and the latest structured investigation outcome
- The same receipt lifecycle summarized in the page-wide autonomous activity stream
- Telemetry evidence from the correlated attack record
- Manual dispatch controls for active agents
The telemetry evidence panel surfaces:
- Captured telemetry family, source, event volume, and digest
- Review posture, including whether analyst review is required
- Supporting flow, DNS, IDS, and PCAP evidence when present
- Supporting references and retained sample events
Telemetry Operations
Source Health
The Telemetry Source Health panel shows the strongest sources in the current result set and summarizes:
- Health state
- Event and detection counts
- Case and alert creation totals
- Parser failures
- Last ingest and last seen times
Selecting a source filters the attack list to the same telemetry family and source so operators can validate whether the source is producing useful detections.
The source pivot is URL-backed. When you select a source, the command center keeps the telemetry family and exact source in the page URL so the drill-down can be refreshed, bookmarked, or shared directly with another operator.
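Because the pivot lives in the URL, a drill-down can arrive from a bookmark or another operator's shared link, which makes the query string untrusted input when the page loads it. The example below, added here and not part of AuroraSOC, shows one way to round-trip the pivot while validating what comes back: the parameter names `family` and `source`, the `severity` parameter in the sample URL, and the length cap are assumptions; the four telemetry families come from this page.

```python
"""Added example: encode, decode, and clear a URL-backed source pivot like the one
the Telemetry Source Health panel describes. Illustrative only, not AuroraSOC's
code. Assumed (not from the page): query parameters named "family" and "source",
and a bounded source length; the family allowlist is the four families the page lists."""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

ALLOWED_FAMILIES = frozenset({"flow", "dns", "ids", "pcap"})
MAX_SOURCE_LEN = 256  # assumed cap; bounds what a shared link can push into the UI


def _query_dict(page_url: str) -> dict:
    """Flatten the query string to single values (last occurrence wins)."""
    parts = urlsplit(page_url)
    return {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def with_source_pivot(page_url: str, family: str, source: str) -> str:
    """Store the pivot in the query string, preserving unrelated parameters.
    Rejects families the deployment does not know so the URL can never carry one."""
    if family not in ALLOWED_FAMILIES:
        raise ValueError(f"unknown telemetry family: {family!r}")
    query = _query_dict(page_url)
    query["family"] = family
    query["source"] = source  # urlencode percent-encodes '&', '=', '/', spaces
    return urlunsplit(urlsplit(page_url)._replace(query=urlencode(query)))


def read_source_pivot(page_url: str) -> Optional[Tuple[str, str]]:
    """Recover (family, source) from a bookmarked or shared URL.

    The URL is untrusted: an unknown family, a missing parameter, or an oversized
    source yields None, so the page falls back to the unfiltered queue instead of
    issuing a drill-down for a value it never produced itself."""
    query = _query_dict(page_url)
    family = query.get("family")
    source = query.get("source")
    if family not in ALLOWED_FAMILIES or not source or len(source) > MAX_SOURCE_LEN:
        return None
    return family, source


def clear_source_pivot(page_url: str) -> str:
    """The 'Clear source focus' action: drop only the exact source and keep the
    telemetry-family filter, returning to the wider family queue."""
    query = _query_dict(page_url)
    query.pop("source", None)
    return urlunsplit(urlsplit(page_url)._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample: a source name with characters that need encoding.
    url = with_source_pivot("https://soc.example/network?severity=high",
                            "dns", "edge dns & resolver/01")
    print(url)
    print(read_source_pivot(url))
    print(read_source_pivot("https://soc.example/network?family=syslog&source=x"))
```

The decode path deliberately returns None rather than raising: a malformed shared link should degrade to the normal queue, not to an error page, and the allowlist check means the family value can be used directly as a filter key without further escaping.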
Detector Coverage
The Detector Coverage panel summarizes which telemetry families are enabled and how the deployment is configured for:
- Auto-case creation
- Minimum severity for default case creation
- Source staleness windows
Use this panel before changing thresholds or rollout plans so operators can understand whether missing detections come from ingestion, coverage, or workload mix.
When AuroraSOC is running in a live-read mode without a database connection, both telemetry panels stay visible but switch to explicit degraded messages that call out the live-database requirement instead of showing placeholder metrics. In that state:
- The telemetry health summary counters and KPI cards show unavailable placeholders instead of misleading zeros.
- The telemetry, severity, and category filter chips become read-only with inline guidance.
- Detector Coverage keeps its own database-required message.
- The timeline, source drill-down, and attack-intelligence workspace explain that live reads are offline instead of presenting generic empty states.
Common Tasks
Create a linked case
- Select the attack from the queue.
- Review the telemetry evidence and attack summary.
- Click Create case.
- Open the linked case to continue evidence collection and workflow tracking.
Queue an investigation agent
- Select the focused attack.
- Open the Dispatch Investigation Agent section.
- Choose an active agent and adjust the prompt or priority.
- Queue the investigation.
- Use Open queue to jump directly to the agent assignment view.
When the live agent result returns, the same focused attack panel keeps a second receipt that summarizes:
- the structured investigation summary
- the strongest returned findings
- recommended next steps
- confidence outcome and review posture
- the agent reasoning trail (the tool called and the result returned for each step, capped at the most recent six steps) so analysts can see how the agent moved from observation to recommendation without opening the underlying assignment
This makes it possible to confirm that the queued follow-up actually came back and was written into the linked case workflow without leaving the command center.
These receipt cards refresh live from AuroraSOC's investigation receipt stream, so operators do not need to reload the page or wait for the background polling interval to see the returned summary.
The Autonomous Investigation Activity panel uses the same live receipt updates, but summarizes the latest work across the visible network queue instead of only the selected attack. Active rows show queued or processing work, review rows call out analyst-review reasons, and completed rows retain the returned summary so operators can confirm which network investigations finished without opening each attack one by one.
When runtime truth reports that live reads are unavailable, the command center does not open the receipt stream. This keeps degraded dry-run sessions quiet and avoids websocket authorization noise while the page is already telling the operator that database-backed network reads need recovery.
Pivot from source health to the exact attack queue
- Select a source in Telemetry Source Health.
- Review the Source Drill-down panel for recent activity, parser health, and attack mix.
- Click a related detection to make that attack the focused record.
- Use Clear source focus to return to the wider telemetry-family queue.
Pivot to manual hunting
If the attack needs broader hunting or fresh analysis, use Open analyzer in the page header. The analyzer opens with the current command-center context imported into its query box, including the focused attack or telemetry source when available. When live reads are unavailable, the handoff switches to a recovery-focused query instead of referencing a nonexistent active queue, and the analyzer keeps its KPI and findings surfaces in an explicit unavailable state until live reads return. The analyzer remains the manual hunt surface for additional packet review and on-demand network analysis. See Network Analyzer for the dedicated operator guide.
Permissions
- Users with `agents:assign` can queue a follow-up investigation from the focused attack panel.
- Users with `approvals:manage` can approve or deny critical human-in-the-loop actions from the Critical Approval Queue.
- Users without `agents:assign` can still review evidence, source health, coverage, and linked cases.
Troubleshooting
I can see attacks, but telemetry health says unavailable
The attack queue and the telemetry health endpoints are loaded separately. This usually means the detection records are available, but one of the telemetry status or coverage APIs is degraded.
The page says live network reads are unavailable
In dry_run and real modes, AuroraSOC does not substitute showcase data when the database is offline. The command center keeps its degraded telemetry panels and analyzer handoff visible, but the queue switches to a Live network reads unavailable card, the filter chips become read-only, and the page links operators to Review runtime settings instead of settling into an ambiguous empty queue. This guidance appears as soon as runtime mode reports that live reads are unavailable, so operators do not need to wait for repeated telemetry failures before they get a clear next step. Restore the database connection for live reads, or switch to dummy mode if you need showcase-only data.
I do not see flow or DNS evidence for an attack
Some attack records only retain the correlation metadata and a small event sample. Use the linked case, source drill-down, or the Network Analyzer page for deeper evidence collection.
The page says analyst review is required
Check the review posture badges and reasons first. These indicate why the attack was held for an operator instead of being treated as fully autonomous.