Common SOC Workflows

This page provides plain-language, step-by-step playbooks for the most common AuroraSOC tasks.

When to Use This Page

Use this page when your question starts with:

  • "How do I triage this alert quickly?"
  • "How do I turn an alert into a managed case?"
  • "How do I execute response safely with approval controls?"

Investigation workflow map

Workflow 1: Triage a New Critical Alert

Goal

Decide whether an alert is a false positive, needs monitoring only, or requires immediate response.

Steps

  1. Go to Alerts Management.
  2. Filter to severity=critical and status=new.
  3. Open the alert detail and read context, source, and IOCs.
  4. Trigger AI investigation and wait for results.
  5. Update alert status:
    • triaged if no immediate action is needed
    • investigating if deeper analysis is required
    • contained if response action has started

Common mistakes

  • Closing alerts before reviewing timeline evidence
  • Ignoring correlated CPS/IoT events on mixed IT/OT incidents

Workflow 2: Convert Alert to Incident Case

Goal

Track ownership, timeline, and resolution in one place.

Steps

  1. From the alert detail, create or link to a case.
  2. Set severity, assign owner, and add summary context.
  3. Add investigation findings as timeline entries.
  4. Track every response step until closure.
  5. Generate report and close case with resolution notes.

Related: Case Management, SOAR Playbooks

Workflow 3: Run Response with Approval Guardrails

  1. Open a relevant playbook in SOAR Playbooks.
  2. Execute in dry-run mode.
  3. Review expected side effects and impacted assets.
  4. Proceed to approved execution if outcomes are acceptable.

Workflow 4: Investigate Endpoint or Device Risk

Endpoint path

  1. Open EDR Endpoints.
  2. Filter for unhealthy or high-risk endpoints.
  3. Trigger scan and review process/network indicators.

CPS/IoT path

  1. Open CPS/IoT Devices.
  2. Review attestation status and firmware trust state.
  3. Escalate compromised or untrusted devices into case workflow.

Workflow Validation Checklist

Use this quick checklist after executing any workflow:

  1. Alert/case status transitions are recorded correctly.
  2. Timeline includes all key analyst and agent actions.
  3. Required approvals are linked to executed actions.
  4. Final resolution note includes rationale and next steps.

Suggested SLA Targets

Workflow Stage                          | Suggested Target
----------------------------------------|-------------------------------
Initial critical alert triage           | 5-15 minutes
Convert alert to case                   | < 10 minutes after triage
Approval decision for high-risk actions | < 30 minutes
Case closure note completion            | Within 1 hour of final action
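The Workflow Validation Checklist and the SLA targets above can be checked mechanically against an exported case timeline. The following audit function is an added illustration, not AuroraSOC's own code or API: it assumes a timeline exported as (minutes since alert, event, detail) tuples, treats the status names from Workflow 1 plus an assumed "closed" state as the only legal transitions, and uses the upper bound of the triage target.

```python
# Assumed transition table: statuses from Workflow 1 plus a "closed" end state.
ALLOWED_TRANSITIONS = {
    "new": {"triaged", "investigating"},
    "triaged": {"investigating", "closed"},
    "investigating": {"contained", "closed"},
    "contained": {"closed"},
}

# Suggested SLA targets from this page, in minutes since the alert fired.
TRIAGE_SLA_MIN = 15      # upper bound of the 5-15 minute triage target
APPROVAL_SLA_MIN = 30    # approval decision for high-risk actions


def audit_timeline(timeline):
    """Check a timeline of (minutes_since_alert, event, detail) tuples.

    Returns a list of findings; an empty list means the checklist passes.
    Assumed event kinds: "status" (detail = new status), "approval_requested",
    "approved" and "executed" (detail = action id for the last three).
    """
    findings = []
    status = "new"
    triaged_at = None
    requested = {}   # action id -> minute approval was requested
    approved = {}    # action id -> minute approval was granted
    for minute, event, detail in timeline:
        if event == "status":
            # Checklist item 1: status transitions must follow the table.
            if detail not in ALLOWED_TRANSITIONS.get(status, set()):
                findings.append(f"illegal transition {status}->{detail} at {minute}m")
            status = detail
            if triaged_at is None and detail != "new":
                triaged_at = minute
        elif event == "approval_requested":
            requested[detail] = minute
        elif event == "approved":
            approved[detail] = minute
            waited = minute - requested.get(detail, minute)
            if waited > APPROVAL_SLA_MIN:
                findings.append(f"approval for {detail} took {waited}m (> {APPROVAL_SLA_MIN}m)")
        elif event == "executed":
            # Checklist item 3: every executed action needs a prior linked approval.
            if detail not in approved or approved[detail] > minute:
                findings.append(f"action {detail} executed at {minute}m without linked approval")
    if triaged_at is None:
        findings.append("alert never triaged")
    elif triaged_at > TRIAGE_SLA_MIN:
        findings.append(f"triage took {triaged_at}m (> {TRIAGE_SLA_MIN}m)")
    return findings


# Constructed samples: one alert handled within the guardrails, one with defects.
GOOD = [(5, "status", "investigating"), (20, "approval_requested", "isolate-host"),
        (35, "approved", "isolate-host"), (40, "executed", "isolate-host"),
        (50, "status", "contained"), (90, "status", "closed")]
BAD = [(25, "status", "triaged"), (30, "executed", "block-ip"), (31, "status", "contained")]
```

Running `audit_timeline(BAD)` reports the late triage, the unapproved execution, and the skipped investigating state, which are exactly the three checklist items the sample violates.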

Troubleshooting Quick Hits

Investigation button is disabled

Likely cause: the user's role lacks the investigation:trigger permission.

AI results are delayed

Likely cause: worker backlog or agent endpoint timeout.

Playbook cannot execute

Likely cause: approval pending, disabled playbook, or permission mismatch.