0 · Signing in & roles
The console opens with a sign-in screen. When you run the file on your computer it uses a local demo directory (default administrator admin / admin); when it is hosted on Azure it automatically switches to Microsoft Entra ID single sign-on. The Access Management screen always shows which mode is active — you never have to guess.
There are two roles. An Analyst sees the daily workflow — Operations Overview, Alert Triage, Threat Hunting, Case Management, AI Governance and Helios. An Administrator also sees Detection Coverage, System Layers, the Platform tools, Reports, and the Administration screens (Configuration Editors and Access Management). Use the user menu at the top-right to log out and sign back in as a different user. Managing users lives under Access Management (administrator only).
1 · Get data in
Open Data Sources & Ingestion. Two paths, both real:
- API integration — choose a source type, paste an endpoint that returns JSON, and Connect & fetch. The console performs a real HTTP request; set an interval and toggle Auto-refresh for real-time monitoring. (Your API/CORS must permit the request — see the note below.)
- Manual upload — drop a CSV or JSON export. Use Download blank template to get the exact header schema for each dataset.
Load order that gives the richest context: AssetInventory → MaintenanceWindows → ContextCatalogue → Events. Watchlists can be loaded after events too — the queue re-scores automatically.
2 · Field mapping
Events accept these fields (common aliases tolerated):
TimeGenerated | EventSource(IT/OT) | DeviceRef(hostname)
DeviceId | Severity(Critical/High/Medium/Low) | EventDetail
# optional pre-scored: ContextScore, Disposition
AssetInventory: DeviceId,Hostname,AssetRole,CriticalityTier,OwningSector,SiteCode,Vendor,Protocol
MaintenanceWindows: WindowId,SiteCode,OwningSector,StartTime,EndTime,WindowType,Description,ApprovedBy
ContextCatalogue: ContextId,DeviceId,ChangeType,ChangeTimestamp,ChangedBy,ChangeDetail
Explanations (CAFI_Explanations_CL): DeviceRef,AnomalyScore,NarrativeSummary,PivotSteps,Driver1_Feature,Driver1_SHAPValue …
AI usage (CASB/DLP feed): TimeGenerated,UserId,Department,AITool,Endpoint,Action,DataClassification,SensitiveDetected,Logged,Detail
Approved AI tools: AITool,Vendor,Status,Endpoint,Notes · Controlled endpoints: Endpoint,Type,Controlled,Gateway
AI Governance (L2·L5). CAFI SecOps enforces four AI policies — approved tools only, no sensitive data in prompts, all usage logged, controlled endpoints. Upstream CASB (Defender for Cloud Apps) and DLP (Purview) block in-line; this console evaluates the policy, runs the cafi-ai-dlp-response playbook (block session, disable account temporarily, notify) and keeps the audit trail. The built-in Helios assistant is enforced directly: every prompt is screened for sensitive content before it can be sent, and each call is logged on the AI Governance view.
SOC operations (L2–L5). Four operational surfaces sit on the same six layers.
Detection Coverage — a live MITRE ATT&CK heat map over the five priority tactics, computed from the enabled detection-as-code rule set (toggle a rule and coverage recomputes); drift is tracked across cycles (history simulated, current point live) and analyst false-positive feedback counts against the matched rule.
Threat Hunting — six documented hypotheses run as real queries over the loaded events and AI-usage feed; hunts auto-run on load for a continuous cadence and every run is logged with a MITRE-mapped outcome.
Case Management — every Escalate/Investigate disposition becomes a searchable case with one evidence timeline (detect → score → explain → respond → audit); overrides and false-positive marks always require a typed rationale, which is logged.
Autonomy & Guardrails — the five-level maturity model (AML 0–4) with the console's current AM level per SOC task, plus the never-autonomous registry (production shutdown, legal notification, cross-environment containment, VIP accounts, OT Class C) enforced in the playbook approval flow. The 7 KPI benchmarks on the Overview state their basis honestly — each value is computed from live session data or marked as pending.
3 · Read & triage
- Overview — KPIs, disposition-coloured volume, the disposition donut, and Layer 2 join quality.
- Triage — ranked by context score. Click a row for the Layer 4 drawer: it looks up a matching CAFI_Explanations_CL record and shows its SHAP drivers + pivot steps. If none exists, it states so (exactly like the Layer 4 playbook's no-record branch) — nothing is fabricated.
Disposition thresholds: Escalate ≥70 Investigate ≥40 Monitor ≥15 Suppress <15
4 · Act
ML & Federation renders from your fed-audit export. SOAR lets you exercise the Class B approval gate on a selected escalation; actions are logged to the session run log.
5 · Reports & Export
Open Reports & Export from the sidebar (Administrator only) once you have loaded data. Everything here reads live from the current session — nothing is cached, so refresh your data first for the most current picture.
- Security Report (HTML) — the primary deliverable. One click builds a formatted document covering the executive summary, data sources & the 25-connector catalogue (active/inactive by group), embedded dashboard graphs (disposition and IT/OT donuts, severity and context-status bars, federated convergence chart), the 7 KPI benchmarks, MITRE ATT&CK detection coverage by tactic, the full threat-hunting hypothesis table, a case register, the SOAR playbook roster with Class A/B/C designation, the AM Level autonomy table, AI governance (the Approved AI Tools allow-list, Controlled AI Endpoints, policy compliance and recent violations), an analysis section and prioritised recommendations. Open the downloaded file in any browser to read or print.
- CSV cards — one per dataset: Alert Queue, Escalations, Asset Inventory, Federation Audit, SOAR Run Log, Case Register, Approved AI Tools, AI Usage & Policy Violations, AI Governance Audit Log, and Hunt Findings. Each is greyed out with "No data" until that dataset has at least one record.
- Extract ALL reports — downloads the Security Report plus every populated CSV card in one action; your browser may ask permission for multiple downloads, allow it.
- Full data snapshot (JSON) — the complete session state, for backup or handoff to another session.
Anything you load via Manual Upload or a live API connection — including Approved AI Tools and Controlled Endpoints, which have their own upload types — flows straight into the Security Report and CSV exports the next time you generate them; there is no separate sync step.
6 · Helios — your AI cybersecurity assistant
What it is. Helios is a built-in AI-powered cybersecurity assistant for real-time threat detection, investigation, and response. It reads your live dashboard data and correlates every alert with MITRE ATT&CK techniques and CVE intelligence, then explains threats and recommends how to analyse and mitigate them. It can also explain any section of the app and guide you through using it.
How to open it. Click the gold ☀ Helios AI button in the top-right of the dashboard. Helios opens in a separate, movable window so your dashboard stays fully visible — drag it to a second monitor or beside the console. (If your browser blocks pop-ups, Helios opens as an in-page panel instead; allow pop-ups to get the separate window.)
How to use it. Type a question in the input box at the bottom, or tap a suggested prompt. Helios can:
- Summarise threats — “what's happening / identify threats”.
- Analyse an alert — name a device (e.g.
plc-reactor-01), or click ☀ Ask Helios to analyse inside any alert's detail drawer.
- Recommend mitigations — “how do I respond?” (it flags OT assets as manual Class-C only).
- Look up intel — a MITRE ID like
T1078 or a CVE like CVE-2019-0708.
- Explain the app / guide you — “explain the Triage view”, “how do I export a report?”.
Automatic incident recognition. While Helios is open, any new escalation that arrives (via upload, API fetch, or auto-refresh) is recognised automatically — Helios posts a flagged incident card with its MITRE/CVE mapping and a recommended response, so you don't have to ask.
Clear & save your chat. The toolbar under the Helios header has Clear chat (starts a fresh conversation) and Save chat, which downloads a .doc Word transcript. Handy for attaching an analysis trail to an incident record or your defense pack.
How to add a live model (optional). By default Helios runs on a built-in, offline analyst that needs no key and always works. To use a live model instead:
- Open Helios and click the ⚙ Model Settings badge (top-right of the Helios window).
- Choose a Provider from the dropdown — OpenAI, Claude (Anthropic), Google Gemini, xAI Grok, Mistral, or Customize for a manual URL. The endpoint is filled in automatically (Customize lets you paste your own).
- Enter the model / deployment name and your API key, then click Save & connect — the badge turns green (● Model Settings, live). If the model is ever unreachable, Helios falls back to the built-in analyst automatically. Your key is stored only in your browser.
CORS / connectivity: a browser opened from file:// can only fetch APIs (including a live Helios model) that send permissive CORS headers. For staging tests, serve the file over your test host or front the API with a gateway that allows the origin. Upload and the built-in Helios analyst always work offline.
7 · Administrator configuration
Administrators can configure the console without editing code, under the Administration group:
- Configuration Editors — add, edit or remove detection rules, threat-hunt hypotheses, SOAR playbooks, never-autonomous guardrails, and connector integrations. Add / Remove APIs multi-selects from the fixed 25-API catalogue (or add a Custom API); changes sync live to L1 Ingestion Connectors and the API Integration source-type list. Changes apply immediately and are saved in your browser, so they persist when you reopen the file locally.
- Access Management — one merged screen. Authentication toggles Local User Authentication or Federated Microsoft Entra ID SSO (with the Tenant ID, Client ID, redirect URLs, role claim and scopes configurable here — the client secret is backend-only, never in the console); Users lets you create and delete local accounts and assign the Analyst or Administrator role (Reset to default admin clears the directory back to one admin account); Signed-in Identity and the Role → Capability map show the current session and what each role can do. In production the two roles map to the Entra security groups CAFI-SOC-Analysts and CAFI-SOC-Administrators.