CAFI SecOps

SOC Analyst Console — sign in
Local administrator default: admin / admin. Accounts are stored in this browser. When Federated Authentication (SSO) is enabled under Access Management, sign-in is handled by Microsoft Entra ID.

Add / Remove APIs

Select the APIs available to the console. Changes apply immediately to Connector Integrations, L1 Ingestion Connectors and the API Integration source-type list.

Definition

Operations Overview

Context-fused threat picture across IT & OT estate

Alert Volume — Fused Event Stream

L2by disposition
EscalateInvestigateMonitorSuppress

Disposition Mix

L2ContextualAlertScore

Severity Breakdown

Context Status

L2Layer 2 fusion

Ingestion Log

L1this session

Priority Queue — Top Dispositions

L2L4click a row for the Layer 4 explanation
TimeSourceDeviceTierSeverityContextScoreDisposition

AI SOC KPI Benchmarks — 7 Essentials

each value labelled real or pending
KPIBenchmarkCurrentStatusBasis
Dispositions are computed live by the ContextualAlertScore heuristic (Layer 2) against the watchlists you load: asset criticality, time-active maintenance windows, change events within the 48-hour lookback, the unknown-asset penalty, and raw severity. Pre-scored records (with their own Disposition/ContextScore) are trusted as-is.

Triage Queue

L2L4
TimeSourceDevice / DeviceIdTierSeverityContext StatusOp StateScoreDisposition
This console is the analyst-facing surface of the six-layer CAFI SecOps architecture. Every layer below is embedded in the app — the pipeline rail shows how data flows, and each card links straight to where that layer lives. Layer badges (L1L6) are shown on the relevant panels throughout the console. The SOC operations capabilities map onto the same layers — Detection Coverage (L2·L3), Threat Hunting (L3·L4), Case Management (L4·L5), Autonomy & Guardrails (L5) and AI Governance (L2·L5) are operational surfaces of these six layers, not additional layers.

End-to-end data flow

L1 → L6
L1IngestionSentinel · IoT · SyslogL2Context FusionContextualAlertScoreL3Anomaly MLIsolation ForestL4ExplainabilitySHAP driversL5SOAR ResponseApproval-gatedL6 · Federated OrchestratorFedAvg + Byzantine defence4 sector nodesoutcomes + labelsglobal model
Closed learning loop — L6 federates model updates across 4 sector nodes and returns an improved anomaly model to L3.
Connect a live source via the API panel, or upload your exported CSV/JSON. The console reaches a ready-to-use state the moment the first batch is ingested. Endpoints and credentials should resolve from cafi-keyvault — never paste raw secrets here. One ingest feeds every view: events drive Triage, Detection Coverage, Threat Hunting and Case Management; the AI usage feed drives AI Governance. The approved AI tools allow-list and controlled AI endpoints are maintained under Administration → Configuration Editors, not through Manual Upload. Data ingestion and connector configuration are administrator tasks; connector endpoints can also be edited under Administration → Configuration Editors, while the connectors themselves are wired to real services in Azure (see the production guide).

Layer 1 — Ingestion Connectors

L1live status

Loaded Data

L1session state

API Integration

L1real fetch
auto everys
Expected JSON: an array of records, or a Log Analytics {tables:[{columns,rows}]} response. Security event, identity, cloud, SaaS, ITSM and ChatOps sources are normalised into the event stream unless the source type is a watchlist, federation, explanation or AI governance feed. Field mapping is documented in the Usage Guide.

Manual Upload

L1CSV / JSON
Drop CSV or JSON here or click to browse

Asset Inventory — Context Watchlist

L20 assets
DeviceIdHostnameRoleTierSectorSiteVendorProtocol
Layers 3, 4 and 6 of the platform. Layer 3 runs an Isolation Forest that flags anomalous behaviour; Layer 4 uses SHAP to explain why each anomaly scored as it did (the drivers shown in the case timeline); Layer 6 trains the model across sector nodes with federated learning and a Byzantine defence, then loops the improved global model back into Layer 3. The chart below reads the fed-audit export — the global_offset per round is the global model's residual loss, so a falling curve means the federated model is converging. A red point marks a round where an outlier node update was rejected before aggregation. History is illustrative; the current values come from the data you load.

Federated Convergence — Global Offset

L6fed-audit

Sector Nodes

L6latest round

Anomaly Model — Configuration

L3Layer 3

Round Audit Log

L6fed-audit/
RoundGlobal offsetAcceptedRejected
Playbooks deploy in dry-run mode first. Class B actions (isolate endpoint, disable account, block IP, quarantine mailbox) require an approval gate. Class C OT actions (device isolation, safety-function override) are permanently manual-only and are never automated by this console.

Registered Playbooks

L5rg-cafi-soar

Containment Request

L5Class B · approval gate

Automation Run Log

L5this session
TimePlaybookTargetActionOutcome
Detection depth scoring aligned to MITRE ATT&CK. Coverage below is computed live from the enabled detection rule set against a curated technique universe for the five priority tactics. The heat map shows exactly where detections exist and where gaps remain. Rule history is simulated; the current coverage point, rule hits and false-positive feedback are real computations on loaded data.

ATT&CK Coverage Heat Map — Top 5 Risk Tactics

L2L3benchmark ≥90% technique · ≥80% sub-technique
Gap — no detectionCoveredCovered + observed in loaded events

Detection Rules — Detection-as-Code

L20
RuleTechniquesSourceHitsFPState

Detection Drift Monitoring

L3history simulated · current point live

Coverage regression tracking. The trend shows technique (gold) and sub-technique (cyan) coverage across cycles; the final point is computed from the rule set right now. A falling line means the environment or threat landscape moved faster than the rules.

False-Positive Feedback Loop

L2analyst feedback → suppression
TimeCaseDeviceMatched ruleRationale
Hybrid hunting on a continuous cadence. Every hypothesis follows a documented methodology (hypothesis → data source → analytic → MITRE-mapped finding) and runs as a real query over the loaded event and AI-usage data. Hunts auto-run when data is present and can be re-run at any time — this session's cadence is tracked below.

Hypothesis Library & Hunt Runs

L3L4
HypothesisMITREData sourceLast runFindings

Hunt Activity Log

documented methodology per run
TimeTriggerHypothesisOutcome
Native case management — the governance triad's third leg. Every Escalate and Investigate disposition becomes a case with a unified evidence timeline: detection, context scoring, Layer 4 explanation, SOAR actions, analyst overrides and false-positive marks, all timestamped in one view. Case history is searchable; overrides always capture a rationale.
Ticketing
How a case gets a ticket reference when you raise one

Case Queue

L4L5
CaseDeviceSeverityDispositionStatus

Evidence Timeline

detect → enrich → explain → act → audit
Where automation is allowed to act, and where it must stop. The console operates at AM Level 2 (semi-autonomous) for response — AI scores, recommends and stages; a human approves. Notification channels (Teams, SMS, email) are SOAR playbooks with simulated delivery in the demo and Logic Apps delivery in production. The guardrail registry below is enforced in the playbook runner: guarded actions can never execute without a named human approval.

AI SOC Automation Maturity Model

L5current posture highlighted

SOC Task → AM Level

current vs target
SOC taskCurrentTargetHow it works here

Never-Autonomous Guardrails

L5human authority preserved
ActionWhy human-onlyEnforcement
CAFI SecOps is the policy decision, orchestration & audit layer for AI usage. Upstream CASB (Defender for Cloud Apps) and DLP (Microsoft Purview) are the in-line enforcement points that actually block traffic; this console consumes their signals, evaluates policy, drives the response playbook and holds the audit trail. It also directly enforces all four policies on its own Helios assistant. Third-party detection and in-line blocking happen upstream — here they are evaluated, gated and logged.

AI Usage Policies — Compliance Status

L2L5NIST AI RMF · ISO/IEC 42001

Approved AI Tools — Allow-list

L20
AI ToolVendorStatusNotes

Controlled AI Endpoints

L20
EndpointTypeControlledGateway

AI Usage & Policy Violations

L2detect → enrich → act → log
TimeUserAI ToolActionClassificationVerdictPolicy / Response

AI Governance Audit Log

L5cafi-audit-log/ai-governance
TimeSourceSubjectPolicyAction takenOutcome
Administrator configuration. Click any row to open its definition — the detection logic, hunt query, playbook steps, guardrail rule, connector integration, approved AI tool or controlled AI endpoint — and edit it. Use + New to add one; the console generates a starter definition you can then edit. Every item shows the live in-app logic and the production form (Sentinel KQL, a Logic App spec, or a connector contract). Changes apply immediately and are saved in this browser so they persist across reloads.

Configuration Editors for AM Levels

L5Administration → Configuration Editors
SOC task maturity is controlled by configuration, not hard-coded values. Administrators adjust SOAR playbooks, never-autonomous guardrails, connector integrations, approved AI tools and controlled AI endpoints in Configuration Editors. Those edits define which tasks stay manual, which tasks are approval-gated, and which integrations can be called by Class B or automated workflows.

Detection Rules

L2
RuleTechSevSrc

Threat-Hunt Hypotheses

L3
HypothesisMITRESrc

SOAR Playbooks

L5
PlaybookClass

Never-Autonomous Guardrails

L5
ActionEnforcement

Connector Integrations

L1L5click to see how each service integrates
ConnectorKindPurposeUsed by

Approved AI Tools Allow-list

L2
AI ToolVendorStatusEndpoint

Controlled AI Endpoints

L2
EndpointTypeControlledGateway

ML & Federation Model

L3L4L6Layer 3/4/6 model definition — click to edit
ModelFederation

Authentication

Users

UserRoleGroup

Create User

local directory

Signed-in Identity

Role → Capability Map

least privilege
CapabilityAnalystAdministrator
Generate point-in-time reports from the data currently loaded in the console. The Security Report is a fully formatted HTML document covering ingestion & connector coverage, alert triage, detection & MITRE ATT&CK coverage, threat hunting, case management, SOAR automation, autonomy & guardrails, AI governance and federated training — with an executive summary, embedded dashboard graphs, analysis and recommendations; CSV exports open directly in Excel. Reports reflect the live session — refresh your data first for the most current picture.

Quick Export

no data loaded
“Extract ALL reports” downloads the Security Report plus every CSV below in sequence. Your browser may ask permission to download multiple files — allow it.

0 · Signing in & roles

The console opens with a sign-in screen. When you run the file on your computer it uses a local demo directory (default administrator admin / admin); when it is hosted on Azure it automatically switches to Microsoft Entra ID single sign-on. The Access Management screen always shows which mode is active — you never have to guess.

There are two roles. An Analyst sees the daily workflow — Operations Overview, Alert Triage, Threat Hunting, Case Management, AI Governance and Helios. An Administrator also sees Detection Coverage, System Layers, the Platform tools, Reports, and the Administration screens (Configuration Editors and Access Management). Use the user menu at the top-right to log out and sign back in as a different user. Managing users lives under Access Management (administrator only).

1 · Get data in

Open Data Sources & Ingestion. Two paths, both real:

  • API integration — choose a source type, paste an endpoint that returns JSON, and Connect & fetch. The console performs a real HTTP request; set an interval and toggle Auto-refresh for real-time monitoring. (Your API/CORS must permit the request — see the note below.)
  • Manual upload — drop a CSV or JSON export. Use Download blank template to get the exact header schema for each dataset.

Load order that gives the richest context: AssetInventory → MaintenanceWindows → ContextCatalogue → Events. Watchlists can be loaded after events too — the queue re-scores automatically.

2 · Field mapping

Events accept these fields (common aliases tolerated):

TimeGenerated | EventSource(IT/OT) | DeviceRef(hostname)
DeviceId | Severity(Critical/High/Medium/Low) | EventDetail
# optional pre-scored: ContextScore, Disposition

AssetInventory: DeviceId,Hostname,AssetRole,CriticalityTier,OwningSector,SiteCode,Vendor,Protocol

MaintenanceWindows: WindowId,SiteCode,OwningSector,StartTime,EndTime,WindowType,Description,ApprovedBy

ContextCatalogue: ContextId,DeviceId,ChangeType,ChangeTimestamp,ChangedBy,ChangeDetail

Explanations (CAFI_Explanations_CL): DeviceRef,AnomalyScore,NarrativeSummary,PivotSteps,Driver1_Feature,Driver1_SHAPValue …

AI usage (CASB/DLP feed): TimeGenerated,UserId,Department,AITool,Endpoint,Action,DataClassification,SensitiveDetected,Logged,Detail

Approved AI tools: AITool,Vendor,Status,Endpoint,Notes · Controlled endpoints: Endpoint,Type,Controlled,Gateway

AI Governance (L2·L5). CAFI SecOps enforces four AI policies — approved tools only, no sensitive data in prompts, all usage logged, controlled endpoints. Upstream CASB (Defender for Cloud Apps) and DLP (Purview) block in-line; this console evaluates the policy, runs the cafi-ai-dlp-response playbook (block session, disable account temporarily, notify) and keeps the audit trail. The built-in Helios assistant is enforced directly: every prompt is screened for sensitive content before it can be sent, and each call is logged on the AI Governance view.
SOC operations (L2–L5). Four operational surfaces sit on the same six layers. Detection Coverage — a live MITRE ATT&CK heat map over the five priority tactics, computed from the enabled detection-as-code rule set (toggle a rule and coverage recomputes); drift is tracked across cycles (history simulated, current point live) and analyst false-positive feedback counts against the matched rule. Threat Hunting — six documented hypotheses run as real queries over the loaded events and AI-usage feed; hunts auto-run on load for a continuous cadence and every run is logged with a MITRE-mapped outcome. Case Management — every Escalate/Investigate disposition becomes a searchable case with one evidence timeline (detect → score → explain → respond → audit); overrides and false-positive marks always require a typed rationale, which is logged. Autonomy & Guardrails — the five-level maturity model (AML 0–4) with the console's current AM level per SOC task, plus the never-autonomous registry (production shutdown, legal notification, cross-environment containment, VIP accounts, OT Class C) enforced in the playbook approval flow. The 7 KPI benchmarks on the Overview state their basis honestly — each value is computed from live session data or marked as pending.

3 · Read & triage

  • Overview — KPIs, disposition-coloured volume, the disposition donut, and Layer 2 join quality.
  • Triage — ranked by context score. Click a row for the Layer 4 drawer: it looks up a matching CAFI_Explanations_CL record and shows its SHAP drivers + pivot steps. If none exists, it states so (exactly like the Layer 4 playbook's no-record branch) — nothing is fabricated.

Disposition thresholds: Escalate ≥70 Investigate ≥40 Monitor ≥15 Suppress <15

4 · Act

ML & Federation renders from your fed-audit export. SOAR lets you exercise the Class B approval gate on a selected escalation; actions are logged to the session run log.

5 · Reports & Export

Open Reports & Export from the sidebar (Administrator only) once you have loaded data. Everything here reads live from the current session — nothing is cached, so refresh your data first for the most current picture.

  • Security Report (HTML) — the primary deliverable. One click builds a formatted document covering the executive summary, data sources & the 25-connector catalogue (active/inactive by group), embedded dashboard graphs (disposition and IT/OT donuts, severity and context-status bars, federated convergence chart), the 7 KPI benchmarks, MITRE ATT&CK detection coverage by tactic, the full threat-hunting hypothesis table, a case register, the SOAR playbook roster with Class A/B/C designation, the AM Level autonomy table, AI governance (the Approved AI Tools allow-list, Controlled AI Endpoints, policy compliance and recent violations), an analysis section and prioritised recommendations. Open the downloaded file in any browser to read or print.
  • CSV cards — one per dataset: Alert Queue, Escalations, Asset Inventory, Federation Audit, SOAR Run Log, Case Register, Approved AI Tools, AI Usage & Policy Violations, AI Governance Audit Log, and Hunt Findings. Each is greyed out with "No data" until that dataset has at least one record.
  • Extract ALL reports — downloads the Security Report plus every populated CSV card in one action; your browser may ask permission for multiple downloads, allow it.
  • Full data snapshot (JSON) — the complete session state, for backup or handoff to another session.

Anything you load via Manual Upload or a live API connection — including Approved AI Tools and Controlled Endpoints, which have their own upload types — flows straight into the Security Report and CSV exports the next time you generate them; there is no separate sync step.

6 · Helios — your AI cybersecurity assistant

What it is. Helios is a built-in AI-powered cybersecurity assistant for real-time threat detection, investigation, and response. It reads your live dashboard data and correlates every alert with MITRE ATT&CK techniques and CVE intelligence, then explains threats and recommends how to analyse and mitigate them. It can also explain any section of the app and guide you through using it.

How to open it. Click the gold ☀ Helios AI button in the top-right of the dashboard. Helios opens in a separate, movable window so your dashboard stays fully visible — drag it to a second monitor or beside the console. (If your browser blocks pop-ups, Helios opens as an in-page panel instead; allow pop-ups to get the separate window.)

How to use it. Type a question in the input box at the bottom, or tap a suggested prompt. Helios can:

  • Summarise threats — “what's happening / identify threats”.
  • Analyse an alert — name a device (e.g. plc-reactor-01), or click ☀ Ask Helios to analyse inside any alert's detail drawer.
  • Recommend mitigations — “how do I respond?” (it flags OT assets as manual Class-C only).
  • Look up intel — a MITRE ID like T1078 or a CVE like CVE-2019-0708.
  • Explain the app / guide you — “explain the Triage view”, “how do I export a report?”.

Automatic incident recognition. While Helios is open, any new escalation that arrives (via upload, API fetch, or auto-refresh) is recognised automatically — Helios posts a flagged incident card with its MITRE/CVE mapping and a recommended response, so you don't have to ask.

Clear & save your chat. The toolbar under the Helios header has Clear chat (starts a fresh conversation) and Save chat, which downloads a .doc Word transcript. Handy for attaching an analysis trail to an incident record or your defense pack.

How to add a live model (optional). By default Helios runs on a built-in, offline analyst that needs no key and always works. To use a live model instead:

  1. Open Helios and click the ⚙ Model Settings badge (top-right of the Helios window).
  2. Choose a Provider from the dropdown — OpenAI, Claude (Anthropic), Google Gemini, xAI Grok, Mistral, or Customize for a manual URL. The endpoint is filled in automatically (Customize lets you paste your own).
  3. Enter the model / deployment name and your API key, then click Save & connect — the badge turns green (● Model Settings, live). If the model is ever unreachable, Helios falls back to the built-in analyst automatically. Your key is stored only in your browser.
CORS / connectivity: a browser opened from file:// can only fetch APIs (including a live Helios model) that send permissive CORS headers. For staging tests, serve the file over your test host or front the API with a gateway that allows the origin. Upload and the built-in Helios analyst always work offline.

7 · Administrator configuration

Administrators can configure the console without editing code, under the Administration group:

  • Configuration Editors — add, edit or remove detection rules, threat-hunt hypotheses, SOAR playbooks, never-autonomous guardrails, and connector integrations. Add / Remove APIs multi-selects from the fixed 25-API catalogue (or add a Custom API); changes sync live to L1 Ingestion Connectors and the API Integration source-type list. Changes apply immediately and are saved in your browser, so they persist when you reopen the file locally.
  • Access Management — one merged screen. Authentication toggles Local User Authentication or Federated Microsoft Entra ID SSO (with the Tenant ID, Client ID, redirect URLs, role claim and scopes configurable here — the client secret is backend-only, never in the console); Users lets you create and delete local accounts and assign the Analyst or Administrator role (Reset to default admin clears the directory back to one admin account); Signed-in Identity and the Role → Capability map show the current session and what each role can do. In production the two roles map to the Entra security groups CAFI-SOC-Analysts and CAFI-SOC-Administrators.

Operations checklist — validate before promotion

governance appendix