Dashboards and Reports
Dashboards

Dashboards provide real-time visibility into SOC operations through interactive widgets. Use them to monitor the current state, identify trends, and get quickly to the records that need attention.

The AI SOC Solution package includes at least the Signal Triage, Cases, and Routing Rule Management dashboards. Depending on your package version, an AI SOC dashboard (a high-level overview) may also be present.

AI SOC Dashboard

The AI SOC dashboard gives a high-level view of signal flow, AI-driven case closure, and top MITRE ATT&CK activity. Use the header controls (All Filters, Today So Far, + Add a Card) to filter by time range and to add or customize widgets.

Widgets typically included:

- AI SOC Sankey: shows the flow of signals from their source (for example, a SIEM) through the processing stages to a final classification (suspicious, benign, malicious, or no value). Use it to see volume and distribution across the pipeline.
- AI SOC Cases Auto-Closed by AI: a circular gauge showing the proportion of cases closed automatically by AI (for example, status and percentage). Use it to track AI-assisted resolution.
- AI SOC Top MITRE ATT&CK: a horizontal bar chart of the most frequent MITRE ATT&CK tactics or techniques. Use it to identify prevalent attack patterns.

Location: navigate to Dashboards → AI SOC Dashboard (or the equivalent name in your environment).

Signal Triage Dashboard

The Signal Triage dashboard is the primary operational dashboard for daily SOC activity. It provides a comprehensive view of signal status, priority, and verdicts.

Location: navigate to Dashboards → Signal Triage.

Widgets included:

Signals by Status
- Purpose: shows the distribution of signals across workflow states (New, In Progress, Resolved, and so on).
- When to use: monitor workflow health and identify bottlenecks.
- Action: click any status to filter and view the signals in that state.
- Best practice: review daily to ensure signals are progressing through the workflow stages.

Signals by Priority
- Purpose: displays the signal count by priority level (Low, Medium, High, Critical).
- When to use: assess workload distribution and identify high-priority backlogs.
- Action: click a priority level to see all signals at that priority.
- Best practice: ensure critical signals are being addressed promptly.

Signals Requiring Attention
- Purpose: lists signals that need analyst action (SLA exceeded, high severity, and so on).
- When to use: daily triage, to identify signals needing immediate review.
- Action: click to open the signal list filtered to records requiring attention.
- Best practice: review at the start of each shift.

Malicious & Critical
- Purpose: highlights signals with a malicious verdict and critical severity.
- When to use: identify confirmed threats requiring immediate response.
- Action: click to view all malicious, critical signals.
- Best practice: monitor continuously for active threats.

Signals Blocked
- Purpose: shows signals that are blocked or waiting on dependencies.
- When to use: identify signals stuck in the workflow.
- Action: review blocked signals to determine whether action is needed.
- Best practice: check regularly so that blocked signals are not forgotten.

Threat Intel Verdicts
- Purpose: distribution of threat intelligence (TI) verdicts across signals.
- When to use: assess enrichment effectiveness and the threat landscape.
- Action: click a verdict type to filter signals by TI verdict.
- Best practice: monitor for changes in threat patterns.

AI Verdicts
- Purpose: shows the distribution of Hero AI-generated verdicts.
- When to use: track AI analysis coverage and verdict patterns.
- Action: click a verdict to see the signals with that AI verdict.
- Best practice: compare AI verdicts with manual verdicts to assess accuracy. Pay particular attention to signals the AI marked benign or no value that an analyst later reclassified as malicious: with AI auto-closure in use, those are the signals nobody would otherwise revisit.

Signals Oldest
- Purpose: lists the signals that have been open the longest.
- When to use: identify stale signals that may need attention or closure.
- Action: click to review the oldest signals and determine next steps.
- Best practice: review weekly to prevent a signal backlog.

Signals Intel Verdicts & Severity
- Purpose: cross-reference of threat intelligence verdicts with signal severity.
- When to use: identify high-severity signals with malicious TI verdicts.
- Action: focus on the high severity + malicious TI combinations.
- Best practice: use for prioritization during high-volume periods.

Customizing the dashboard:
- Add or remove widgets based on your team's priorities.
- Rearrange widgets to match your workflow.
- Create team-specific dashboard views for different roles.

Cases Dashboard

The Cases dashboard provides visibility into case management operations and the case lifecycle.

Location: navigate to Dashboards → Cases.

Widgets included:

Cases by Status
- Purpose: shows the case distribution across statuses (New, In Progress, Mitigated, Resolved, and so on).
- When to use: monitor the case workflow and identify cases needing attention.
- Action: click a status to view all cases in that state.
- Best practice: track case resolution rates and identify bottlenecks.

Cases by Priority
- Purpose: displays the case count by priority level.
- When to use: assess case workload and prioritize resources.
- Action: click a priority to filter cases.
- Best practice: ensure critical cases are progressing.

Case Oldest
- Purpose: lists the cases that have been open the longest.
- When to use: identify cases that may be stuck or need escalation.
- Action: review the oldest cases to determine whether additional resources are needed.
- Best practice: review weekly to prevent case aging.

Cases Requiring Attention
- Purpose: highlights cases that need immediate analyst action.
- When to use: daily case triage, to identify urgent items.
- Action: click to view the cases requiring attention.
- Best practice: review at shift start and throughout the day.

Customizing the dashboard:
- Add widgets for case-specific metrics (time to resolution, escalation rates).
- Include widgets for case-to-signal ratios.
- Create views filtered by case owner or organization.

Routing Rule Management Dashboard

The Routing Rule Management dashboard helps administrators monitor and optimize signal routing rules.

Location: navigate to Dashboards → Routing Rule Management.

Widgets included:

Routing Rule Mgmt widget
- Purpose: provides an overview of routing rule performance and matches.
- When to use: monitor rule effectiveness and identify rules needing adjustment.
- Action: review rule match counts and adjust rules as needed.
- Add new rule: use Add New Rule to create a new routing rule from the widget.
- Reordering: use the drag handle in the Order column to reorder rules by drag and drop and change their evaluation order. Because rules are evaluated in this order, reordering can change which rule a signal matches; after reordering, run the affected rules against pending signals to confirm the result.
- Open rule or playbook: use the icon next to the associated playbook name to open the playbook, or the edit icon on a row to open the triage rule for editing.
- Manual run: use Run Rule Against Pending Signals to run the selected rule against the signals that are pending routing. Expand Records Matched to see which signals the rule matched.
- Best practice: review weekly to optimize routing logic.

Key metrics to monitor:
- Number of rules enabled vs. disabled.
- Rules with the highest match counts.
- Rules with no recent matches (may need updating or removal).
- Rule execution errors or failures.

Reports

Reports provide detailed, filterable views of signals, cases, and SOC metrics. Use reports for analysis, auditing, and generating insights beyond the real-time dashboards.

Signal Reports

Signals New
- Purpose: lists all new signals that have not been claimed or started.
- When to use: daily triage, to identify unworked signals.
- Filters: narrow by source, severity, or organization.
- Best practice: review at shift start to claim signals for investigation.

Signals In Progress
- Purpose: shows the signals currently being investigated.
- When to use: monitor active investigations and workload distribution.
- Filters: owner, priority, or severity.
- Best practice: use to balance workload across analysts.

Signals Blocked
- Purpose: lists signals that are blocked or waiting on dependencies.
- When to use: identify signals that need unblocking or escalation.
- Filters: blocking reason or owner.
- Best practice: review daily so that blocked signals are not forgotten.

Signals Elevated to Case
- Purpose: shows signals that have been escalated to cases.
- When to use: track escalation patterns and case creation.
- Filters: escalation date, case status, or signal type.
- Best practice: monitor escalation rates to identify trends.

Signals High Severity
- Purpose: lists all high-severity signals.
- When to use: prioritize high-severity investigations.
- Filters: status, verdict, or owner.
- Best practice: ensure high-severity signals are being addressed promptly.

Signals Critical Severity
- Purpose: shows all critical-severity signals.
- When to use: immediate triage of critical threats.
- Filters: status, verdict, or source.
- Best practice: critical signals should be reviewed immediately.

Signals Malicious Verdicts
- Purpose: lists signals with a malicious verdict (AI, manual, or TI).
- When to use: focus on confirmed threats requiring response.
- Filters: severity, status, or escalation state.
- Best practice: prioritize malicious verdicts for investigation and response.

Signals Suspicious Verdicts
- Purpose: shows signals that require further investigation.
- When to use: identify signals that need additional analysis.
- Filters: confidence level, severity, or age.
- Best practice: review suspicious verdicts to determine whether they should be escalated.

Signals Malicious & Critical
- Purpose: combines malicious verdicts with critical severity.
- When to use: identify the highest-priority confirmed threats.
- Filters: source, organization, or owner.
- Best practice: these signals require immediate attention.

Signals Suspicious & Critical
- Purpose: shows suspicious verdicts with critical severity.
- When to use: prioritize high-risk signals that need investigation.
- Filters: age, source, or enrichment status.
- Best practice: investigate promptly to confirm or dismiss the threat.

Signals Verdict & Severity Overall
- Purpose: cross-tabulation of verdicts and severity levels.
- When to use: analyze verdict distribution patterns.
- Filters: time period, source, or organization.
- Best practice: use for trend analysis and capacity planning.

Signals AI Verdicts
- Purpose: lists signals with Hero AI-generated verdicts.
- When to use: review AI analysis coverage and accuracy.
- Filters: confidence level, verdict type, or manual override.
- Best practice: compare AI verdicts with manual verdicts to assess AI performance.

Signals Threat Intel Verdicts
- Purpose: shows signals with threat intelligence verdicts.
- When to use: assess TI enrichment coverage and effectiveness.
- Filters: TI provider, verdict type, or enrichment status.
- Best practice: monitor the TI verdict distribution to identify threat trends.

Signals Status
- Purpose: lists signals grouped by workflow status.
- When to use: monitor signal progression through the workflow.
- Filters: status, priority, or time period.
- Best practice: use to identify workflow bottlenecks.

Signals Severity
- Purpose: shows signals grouped by severity level.
- When to use: assess severity distribution and resource allocation.
- Filters: status, verdict, or source.
- Best practice: ensure severity levels are set appropriately.

Signals Require Attention
- Purpose: lists signals that need analyst action.
- When to use: daily triage, to identify signals needing review.
- Filters: attention reason, priority, or owner.
- Best practice: review at shift start and throughout the day.

Signals Ready for Prioritization
- Purpose: shows signals that have been triaged but still need a priority assigned.
- When to use: identify signals waiting for a priority determination.
- Filters: source, severity, or age.
- Best practice: assign priorities promptly to maintain workflow.

Signals Priority
- Purpose: lists signals grouped by priority level.
- When to use: monitor priority distribution and workload.
- Filters: status, severity, or owner.
- Best practice: ensure priorities reflect business impact.

Signals Oldest
- Purpose: shows signals ordered by creation date (oldest first).
- When to use: identify stale signals that may need closure.
- Filters: status, priority, or source.
- Best practice: review weekly to prevent a signal backlog.

Signals Intel Verdict & Severity
- Purpose: cross-reference of threat intelligence verdicts with severity.
- When to use: prioritize signals based on TI verdict and severity.
- Filters: TI provider, verdict type, or time period.
- Best practice: focus on high-severity signals with malicious TI verdicts.

Case Reports

Case Requires Attention
- Purpose: lists cases that need immediate analyst action.
- When to use: daily case triage.
- Filters: attention reason, priority, or owner.
- Best practice: review at shift start.

Case Status
- Purpose: shows cases grouped by workflow status.
- When to use: monitor case progression and identify bottlenecks.
- Filters: status, priority, or time period.
- Best practice: track case resolution rates.

Case Oldest
- Purpose: lists cases ordered by creation date (oldest first).
- When to use: identify cases that may be stuck.
- Filters: status, priority, or owner.
- Best practice: review weekly to prevent case aging.

Cases Priority
- Purpose: shows cases grouped by priority level.
- When to use: assess case workload and resource allocation.
- Filters: status, severity, or owner.
- Best practice: ensure critical cases are progressing.

Cases Oldest
- Purpose: lists the cases that have been open the longest.
- When to use: identify cases needing escalation or additional resources.
- Filters: status, priority, or organization.
- Best practice: review weekly to prevent a case backlog.

Routing Rule Reports

Routing Rule Management
- Purpose: provides a detailed view of routing rule performance.
- When to use: monitor rule effectiveness and optimize routing logic.
- Filters: rule status, match count, or rule order.
- Best practice: review weekly to identify rules needing adjustment.

Key metrics:
- Rules matched count.
- Rules with no matches (may need updating).
- Rule execution errors.
- Rules by order and priority.
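The AI Verdicts widget and the Signals AI Verdicts report both recommend comparing Hero AI verdicts against manual verdicts, but the page does not say how to score that comparison. The following is an added example, not code from the page or from the product: it takes a constructed export of signals carrying an AI verdict, an analyst verdict (None when nobody has reviewed the signal), and an auto-closed flag, and computes coverage, overall agreement, a confusion matrix, precision and recall for the malicious class, and the list of "missed threats" the AI cleared as benign or no value but an analyst later called malicious. The field names and the sample records are assumptions; the verdict vocabulary (malicious, suspicious, benign, no value) is the one the page uses.

```python
from collections import Counter

VERDICTS = ("malicious", "suspicious", "benign", "no value")

# Constructed sample signals (not real data). Field names are assumed:
# ai_verdict is the Hero AI verdict, manual_verdict the analyst's verdict
# (None = never reviewed), auto_closed whether the case was closed by AI.
SIGNALS = [
    {"id": "sig-001", "ai_verdict": "malicious",  "manual_verdict": "malicious",  "severity": "critical", "auto_closed": False},
    {"id": "sig-002", "ai_verdict": "benign",     "manual_verdict": "benign",     "severity": "low",      "auto_closed": True},
    {"id": "sig-003", "ai_verdict": "benign",     "manual_verdict": "malicious",  "severity": "high",     "auto_closed": True},
    {"id": "sig-004", "ai_verdict": "suspicious", "manual_verdict": "benign",     "severity": "medium",   "auto_closed": False},
    {"id": "sig-005", "ai_verdict": "no value",   "manual_verdict": None,         "severity": "low",      "auto_closed": True},
    {"id": "sig-006", "ai_verdict": None,         "manual_verdict": "suspicious", "severity": "medium",   "auto_closed": False},
    {"id": "sig-007", "ai_verdict": "malicious",  "manual_verdict": "suspicious", "severity": "high",     "auto_closed": False},
    {"id": "sig-008", "ai_verdict": "no value",   "manual_verdict": "malicious",  "severity": "critical", "auto_closed": False},
]


def reviewed_pairs(signals):
    """Yield (ai_verdict, manual_verdict) only where both exist.

    Accuracy can only be judged on signals an analyst actually reviewed;
    auto-closed signals nobody looked at contribute nothing here, which is
    exactly why they need separate attention (see missed_threats)."""
    for s in signals:
        if s["ai_verdict"] in VERDICTS and s["manual_verdict"] in VERDICTS:
            yield s["ai_verdict"], s["manual_verdict"]


def ai_coverage(signals):
    """Fraction of signals that received any AI verdict."""
    return sum(1 for s in signals if s["ai_verdict"] in VERDICTS) / len(signals)


def confusion_matrix(signals):
    """Counts of (ai_verdict, manual_verdict) over reviewed signals."""
    return Counter(reviewed_pairs(signals))


def agreement_rate(signals):
    """Share of reviewed signals where the analyst kept the AI verdict."""
    pairs = list(reviewed_pairs(signals))
    return sum(1 for a, m in pairs if a == m) / len(pairs) if pairs else 0.0


def precision_recall(signals, verdict="malicious"):
    """Precision and recall of the AI for one verdict class, analyst as truth."""
    pairs = list(reviewed_pairs(signals))
    predicted = [m for a, m in pairs if a == verdict]   # AI said `verdict`
    actual = [a for a, m in pairs if m == verdict]      # analyst said `verdict`
    tp = sum(1 for m in predicted if m == verdict)
    precision = tp / len(predicted) if predicted else 0.0
    recall = tp / len(actual) if actual else 0.0
    return precision, recall


def missed_threats(signals):
    """Signals the AI cleared (benign / no value) that an analyst judged malicious.

    These are the overrides that matter most: an auto-closed one means the
    platform closed the case on a verdict that turned out to be wrong."""
    return [
        {"id": s["id"], "ai_verdict": s["ai_verdict"],
         "severity": s["severity"], "auto_closed": s["auto_closed"]}
        for s in signals
        if s["ai_verdict"] in ("benign", "no value") and s["manual_verdict"] == "malicious"
    ]


if __name__ == "__main__":
    print("AI coverage:", ai_coverage(SIGNALS))
    print("Agreement rate:", agreement_rate(SIGNALS))
    print("Confusion matrix:", dict(confusion_matrix(SIGNALS)))
    print("Malicious precision/recall:", precision_recall(SIGNALS))
    for miss in missed_threats(SIGNALS):
        flag = "AUTO-CLOSED" if miss["auto_closed"] else "open"
        print(f"missed threat {miss['id']} ({miss['severity']}, AI said {miss['ai_verdict']!r}, {flag})")
```

Agreement rate alone is a weak metric: the AI can score well on it while still clearing real attacks, so report the malicious-class recall and the missed-threat list alongside it, and treat any auto-closed entry in that list as a finding to act on.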
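The Routing Rule Management dashboard and report track rule order, match counts, rules with no matches, and execution errors, and offer a per-rule dry run against pending signals. The following added example (not code from the page or from the product) models those operations on constructed rules and signals so the metrics can be reproduced and reasoned about offline. It assumes first-match-wins evaluation in Order sequence, which the page implies by letting you change the evaluation order but does not state; the rule and signal field names, the predicate form, and the playbook names are all assumptions. Beyond the page's own metrics it also reports shadowed rules (rules that would have matched but always lose to an earlier rule) and unrouted signals, two outcomes that reordering or disabling a rule can produce silently.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable


@dataclass
class RoutingRule:
    """Hypothetical model of one routing rule row: Order, enabled flag,
    a match predicate over the signal record, and the playbook it routes to."""
    name: str
    order: int
    enabled: bool
    matches: Callable[[dict], bool]
    playbook: str
    match_count: int = 0
    errors: int = 0


def build_rules():
    """Constructed rules (not from any real deployment). Rule 5 duplicates
    rule 1 and can never win; rule 6 reads a field some signals lack."""
    return [
        RoutingRule("Known-bad TI to containment", 1, True,
                    lambda s: s["ti_verdict"] == "malicious", "contain-host"),
        RoutingRule("Critical severity to Tier 2", 2, True,
                    lambda s: s["severity"] == "critical", "tier2-escalation"),
        RoutingRule("Email gateway to phishing triage", 3, True,
                    lambda s: s["source"] == "email-gateway", "phishing-triage"),
        RoutingRule("Legacy VPN alerts", 4, False,
                    lambda s: s["source"] == "vpn", "vpn-review"),
        RoutingRule("Malicious TI (duplicate)", 5, True,
                    lambda s: s["ti_verdict"] == "malicious", "contain-host"),
        RoutingRule("Isolate-tagged hosts", 6, True,
                    lambda s: "isolate" in s["tags"], "host-isolation"),
    ]


# Constructed pending signals; p3 and p5 deliberately have no "tags" field.
PENDING = [
    {"id": "p1", "source": "siem", "severity": "critical", "ti_verdict": "malicious", "tags": ["isolate"]},
    {"id": "p2", "source": "email-gateway", "severity": "medium", "ti_verdict": "benign", "tags": []},
    {"id": "p3", "source": "siem", "severity": "critical", "ti_verdict": "unknown"},
    {"id": "p4", "source": "vpn", "severity": "low", "ti_verdict": "benign", "tags": []},
    {"id": "p5", "source": "email-gateway", "severity": "critical", "ti_verdict": "benign"},
]


def _safe_match(rule, signal):
    """Evaluate one rule against one signal. A predicate that raises is
    recorded as an execution error and treated as no match, so a single
    broken rule cannot stall routing for every signal behind it."""
    try:
        return bool(rule.matches(signal))
    except Exception:
        rule.errors += 1
        return False


def run_rule_against_pending(rule, pending):
    """Dry-run one rule, like the widget's Run Rule Against Pending Signals;
    returns the signal ids it would match (the Records Matched list)."""
    return [s["id"] for s in pending if _safe_match(rule, s)]


def route_pending(rules, pending):
    """Route each signal to the first enabled rule (by Order) that matches.
    First-match-wins is an assumption about the platform. Also counts, per
    rule, how often it matched but lost to an earlier rule (shadowing)."""
    ordered = sorted((r for r in rules if r.enabled), key=lambda r: r.order)
    assignments, shadowed = {}, Counter()
    for sig in pending:
        winner = None
        for rule in ordered:
            if not _safe_match(rule, sig):
                continue
            if winner is None:
                winner = rule
                rule.match_count += 1
            else:
                shadowed[rule.name] += 1
        assignments[sig["id"]] = winner.name if winner else None
    return assignments, dict(shadowed)


def health_report(rules, pending):
    """The dashboard's key metrics (enabled vs disabled, match counts, rules
    with no matches, execution errors) plus shadowed rules and unrouted signals."""
    assignments, shadowed = route_pending(rules, pending)
    enabled = sorted((r for r in rules if r.enabled), key=lambda r: r.order)
    return {
        "enabled": len(enabled),
        "disabled": len(rules) - len(enabled),
        "match_counts": {r.name: r.match_count for r in enabled},
        "no_matches": [r.name for r in enabled if r.match_count == 0],
        "errors": {r.name: r.errors for r in enabled if r.errors},
        "shadowed": shadowed,
        "unrouted": [sid for sid, rule in assignments.items() if rule is None],
        "assignments": assignments,
    }


if __name__ == "__main__":
    for key, value in health_report(build_rules(), PENDING).items():
        print(f"{key}: {value}")
```

A rule with zero matches on the dashboard has two very different explanations, and the report separates them: the duplicate TI rule matches signals in a dry run but is fully shadowed by rule 1, whereas the isolate-tagged rule fails with execution errors on signals that lack the field. The unrouted signal comes from the disabled VPN rule; disabling a rule without a catch-all leaves its signals with no owner, which is what the Signals Blocked and Signals Requiring Attention views then surface.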