ThreatOps Documentation

AI-Powered SOCaaS Platform — Complete technical documentation for every module, service, and API endpoint.

v1.0 • Phase 4 Complete
38
Modules
36
API Routers
40+
Services
60+
Frontend Pages
372
Detection Rules
30+
DB Models

Platform Architecture

Azure Front Door
CDN + WAF + HTTPS
portal.threatops.roconpaas.io
Next.js Frontend
60+ pages, React 18
172.193.177.129:3000
FastAPI Backend
36 routers, 40+ services
20.83.66.78:8000
PostgreSQL + Redis
30+ models, async SQLAlchemy
Azure managed services
AKS: aks-rocon-experiment • ACR: acrroconexperiment • Namespace: threatops

🛡 Core Security Operations

📈
Dashboard
Main SOC dashboard with alert charts, severity distribution, recent incidents, and real-time metrics.
CompleteFrontend
Alerts
6-stage AI triage pipeline: entity extraction, TI lookup, UEBA, correlation, rule scoring, ML ensemble.
CompleteFrontendBackend
🔒
Incidents
Incident lifecycle management with severity tracking, analyst assignment, and timeline views.
CompleteFrontendBackend
📜
Detection Rules
372 Sigma-based detection rules across 14 MITRE ATT&CK tactics. Multi-SIEM transpilation engine.
CompleteFrontendBackend
🎯
Detection & Response
Unified D&R hub: Case Monitoring, MITRE Framework mapping, and MDR action management.
CompleteFrontend
MDR Actions
Managed Detection & Response with Defender XDR integration and automated response workflows.
CompleteFrontendBackend

🌐 Threat Intelligence

📰
Threat Advisories
Automated threat advisory feed with 30-minute auto-refresh. CVE tracking and severity assessment.
CompleteFrontendBackend
🔎
Threat Hunting
Hypothesis-driven hunting campaigns with query builders, IOC sweeps, findings, and task tracking.
CompleteFrontendBackend
💡
Threat Intel
STIX/TAXII feed integration, IOC management, and threat intelligence correlation engine.
CompleteFrontendBackend
📡
Threat Feeds
External threat feed configuration and health monitoring for OSINT and commercial sources.
CompleteFrontend
📋
MITRE Coverage
MITRE ATT&CK coverage heatmap across 14 tactics. Rule-to-technique mapping for 372 detection rules.
CompleteFrontend
👁
Digital Risk
Digital risk protection: brand monitoring, dark web surveillance, credential leak detection.
CompleteFrontendBackend

SOC Operations

💻
SOC Workspace
Analyst workspace with shift management, case assignments, war room, evidence tracking, and handoffs.
CompleteFrontendBackend
🤖
Autonomous SOC
AI-driven autonomous SOC engine for automated triage, enrichment, and response actions.
CompleteFrontendBackend
🧠
ML Models
3 sklearn models: AlertClassifier (RF), AnomalyDetector (IF), ThreatScorer (GB). Auto-retrain pipeline.
CompleteFrontendBackend
📝
Playbooks
SOAR playbook engine with 10+ templates, ActionDispatcher, 10 action types, retry/audit/dry-run.
CompleteFrontendBackend
💓
Platform Health
Self-healing engine, log healer, log source monitor. Automated remediation and health checks.
CompleteFrontendBackend
🔐
Platform Integrity
Continuous integrity monitoring for platform components, configuration drift detection.
CompleteFrontendBackend
🛠
Admin Ops Center
Administrative operations: auto-deploy pipeline, frontend factory, page builder.
CompleteFrontendBackend
SLA Dashboard
SLA monitoring: breach tracking, escalation chains, notification configs, metric snapshots every 5m.
CompleteFrontendBackend

📄 Compliance & Reporting

Compliance Engine
Automated compliance scanning for SOC 2, FedRAMP, HIPAA, PCI-DSS, NIST frameworks.
CompleteFrontendBackend
📃
Compliance Docs
CMMC domain tracking, compliance officer dashboard, document generator, cloud evidence collection.
CompleteFrontendBackend
📊
Reports
Automated SOC report generation (monthly/quarterly/yearly), HTML viewer with TOC, PDF export, sharing.
CompleteFrontendBackend
🔧
Rule Optimization
Detection rule optimization: noise reduction, false positive tuning, coverage gap analysis.
CompleteFrontendBackend
🐛
Vulnerabilities
Vulnerability management: scanner integration, CVE tracking, risk scoring, remediation workflows.
CompleteFrontendBackend
📈
Analytics
Cross-module analytics aggregation: alert trends, incident metrics, detection coverage KPIs.
CompleteFrontend

🚀 Phase 4 — Supply Chain, IR Retainer & Training

🔗
Supply Chain Security
Vendor risk management: 20 vendors, risk assessments, alerts, trend analysis. 4 frontend pages.
CompleteFrontendBackend
🚨
IR Retainer
IR retainer lifecycle: contracts, engagements, timeline, evidence, communications, PIR. 5 frontend pages.
CompleteFrontendBackend
🎓
Training Programs
Security training: courses, phishing simulations, tabletop exercises, compliance tracking. 8 frontend pages.
CompleteFrontendBackend

🔌 Platform Services

👥
Tenants
Multi-tenant architecture: tenant isolation via X-Tenant-ID middleware, per-tenant data scoping.
CompleteFrontendBackend
🚀
Onboarding
Guided onboarding wizard for new tenants: data source setup, rule selection, team configuration.
CompleteFrontendBackend
🗃
Data Sources
5 SIEM adapters: Sentinel, Splunk, Elastic, Chronicle, QRadar. Connector health monitoring.
CompleteFrontendBackend
🔐
SSO Settings
SSO configuration: SAML/OIDC providers, role mapping, customer viewer role for external access.
CompleteFrontendBackend
👤
Customer Portal
Simplified customer-facing portal with reports, compliance status, and support case management.
CompleteFrontend
💬
Support Cases
Support ticket management with case creation, conversation threads, SLA tracking, and resolution.
CompleteFrontendBackend
🏪
Marketplace
Integration marketplace with pre-built connectors, security tool plugins, and extensions.
CompleteFrontend
📰
Blog
Security blog with threat research posts, platform updates, and best practice articles.
CompleteFrontendBackend
Settings
Platform settings: user preferences, notification config, API keys, and display options.
CompleteFrontend