Network Command Center
The Network Command Center is the human-in-the-loop (HITL) surface for network-detected attacks. It is the only dashboard page where an analyst can approve or deny an automated playbook execution against a network attack.
The page lives at /network-attacks in the dashboard (default
http://localhost:3100/network-attacks).
What It Shows
| Section | Purpose |
|---|---|
| Attack list | Filterable cards for every persisted network attack. Each card has an explicit Inspect / Focused control. |
| Attack Flow | Visualises the focused attack's sequence and lateral movement. |
| Attack Intelligence | Reasoning trail, IOC chips, telemetry source/family, sample events, and case/alert linkage. |
| Critical Approval Queue | Pending playbook approvals routed to the network surface. Visible only to users with the approvals:manage permission. |
| Dispatch panel | Sends the focused attack to a specialist agent with an analyst-editable prompt and priority. |
HITL Approval Loop
- A network detection produces an attack record and (optionally) a pending execute_playbook approval.
- An analyst with approvals:manage opens /network-attacks and selects the attack from the list.
- The Critical Approval Queue panel surfaces the pending decision. The analyst reviews the Attack Intelligence reasoning trail and IOCs alongside the approval payload before deciding.
- Approve runs decideApproval() followed by executePlaybook(playbook_id, { approval_id }) — the SOAR-side execution is gated on the recorded decision id.
- Deny records the decision with the reason Denied from Network Command Center. No playbook is executed.
The reason string for both branches is fixed (Approved from Network Command Center or Denied from Network Command Center) so audit logs can be filtered
by surface.
Dispatching to a Specialist Agent
The dispatch panel queues the focused attack to a specialist (default
NetworkAnalyzer) via /api/v1/network-attacks/{attack_id}/dispatch. The most
recent receipt is persisted on the attack record under
telemetry.latest_dispatch_receipt so the assignment survives reloads.
The receipt deep-links into the agents queue:
- selectedAgent — the agent that received the task.
- selectedTask — the queued task_id.
- agentTab — opens the agents page on the right tab.
- backToAttack — round-trip link back to the originating attack.
Live-Read Degraded Mode
If the dashboard is in dry-run or live-read-unavailable mode and the database is not reachable, the page surfaces an explicit notice:
Network Command Center reads require a live database in dry-run mode. Restore the database connection or switch to dummy mode for showcase-only use.
In that state the Critical Approval Queue is hidden — denying or approving an approval requires a live database round-trip and is never simulated.
Required Permissions
| Action | Permission |
|---|---|
| Read attacks, intelligence, dispatch | Any authenticated session |
| See and act on the Critical Approval Queue | approvals:manage |
| Execute the resulting playbook | playbooks:execute (enforced server-side after approval) |
Without approvals:manage the approval panel is hidden entirely — the rest of
the page still works for read-only investigation.
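
The approval loop and the permission table above can be modelled as a server-side gate. This is an added sketch, not the project's own code: the in-memory store, the session shape, the sample ids, the single-use rule and every signature detail beyond executePlaybook(playbook_id, { approval_id }) are assumptions.

```javascript
// Added illustration: in-memory model of the approval gate, not the project's code.
// The store, session shape and single-use rule are assumptions.
const REASONS = new Map([
  ['approved', 'Approved from Network Command Center'],
  ['denied', 'Denied from Network Command Center'],
]);
// Constructed sample data: one pending execute_playbook approval.
const approvals = new Map([
  ['apr-1', { playbook_id: 'pb-isolate-host', status: 'pending', reason: null }],
]);
const auditLog = [];

function requirePermission(session, permission) {
  if (!session.permissions.includes(permission)) {
    throw new Error(`missing permission: ${permission}`);
  }
}

// Records the analyst's decision; the reason string is fixed per branch.
function decideApproval(session, approvalId, decision) {
  requirePermission(session, 'approvals:manage');
  const approval = approvals.get(approvalId);
  if (!approval || approval.status !== 'pending') throw new Error('approval is not pending');
  if (!REASONS.has(decision)) throw new Error('unknown decision');
  approval.status = decision;
  approval.reason = REASONS.get(decision);
  auditLog.push({ approval_id: approvalId, decision, reason: approval.reason, user: session.user });
  return approval;
}

// Execution is gated on the recorded decision, not on what the client claims.
function executePlaybook(session, playbookId, { approval_id }) {
  requirePermission(session, 'playbooks:execute');
  const approval = approvals.get(approval_id);
  if (!approval || approval.status !== 'approved') {
    throw new Error('no approved decision recorded for this approval_id');
  }
  if (approval.playbook_id !== playbookId) throw new Error('approval does not cover this playbook');
  approval.status = 'executed'; // assumption: an approval_id can be used only once
  auditLog.push({ approval_id, decision: 'executed', playbook_id: playbookId, user: session.user });
  return { playbook_id: playbookId, approval_id, executed: true };
}

// Audit filter by surface, relying on the two fixed reason strings.
const decisionsFromNetworkSurface = () =>
  auditLog.filter((e) => [...REASONS.values()].includes(e.reason));
```

A denied or still-pending approval_id never reaches the playbook, and hiding the panel in the UI is not what enforces this: both permission checks run on the server path.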