Alerts Module
Overview
The Alerts module is the frontline of the ThreatOps SOCaaS platform. In a multi-tenant security operations center, thousands of alerts stream in every hour from customer SIEM deployments (Sentinel, Splunk, CrowdStrike, Elastic, Chronicle). Without intelligent triage, SOC analysts face overwhelming alert fatigue and critical threats slip through.
This module provides real-time alert ingestion, AI-powered scoring and disposition, bulk analyst actions, and autonomous auto-resolution for known benign patterns. It is the primary data source for the Incidents, Dashboard, and MDR modules.
What Was Proposed
- Multi-SIEM alert ingestion from 5+ SIEM platforms (Sentinel, Splunk, CrowdStrike, Elastic, Chronicle)
- 6-stage AI triage pipeline: entity extraction, threat intelligence enrichment, UEBA behavioral analysis, correlation, rule-based scoring, and ML ensemble scoring
- Automatic disposition with score blending (70% ML + 30% rule-based)
- Bulk analyst actions (resolve, escalate, mark false positive) with ML feedback loop
- Real-time WebSocket notifications on new and triaged alerts
- Alert statistics and auto-resolution rate tracking
- Autonomous SOC integration for auto-processing incoming alerts
What's Built
| Feature | Status |
|---|---|
| Multi-SIEM alert ingestion | ✓ Complete |
| 6-stage AI triage pipeline | ✓ Complete |
| ML ensemble scoring (70/30 blend) | ✓ Complete |
| Bulk actions with ML feedback | ✓ Complete |
| Real-time notifications (WebSocket) | ✓ Complete |
| Alert statistics endpoint | ✓ Complete |
| Autonomous SOC auto-triage | ✓ Complete |
| SLA tracking integration | ✓ Complete |
| Rule optimizer FP rate tracking | ✓ Complete |
| Frontend table with AI score bars, disposition labels, bulk select | ✓ Complete |
Architecture
Backend Service: TriageService
The core AI engine lives in app/services/triage_service.py. It orchestrates a 6-stage async pipeline:
- Entity Extraction — Parses alert payloads for IPs, domains, hashes, and usernames via EntityExtractor
- Threat Intelligence Enrichment — Parallel multi-provider lookups for IPs, domains, and file hashes via ThreatIntelAggregator
- UEBA Analysis — Behavioral deviation scoring for users via UEBAService
- Correlation — Checks for matching entities across alerts in the last 24 hours
- ML Scoring — Rule-based risk scoring via RiskScoringModel
- ML Ensemble — sklearn models (AlertClassifier RF, AnomalyDetector IF, ThreatScorer GB) with 70/30 blend
Dispositions: benign_auto_resolved, requires_investigation, suspicious_escalate, critical_immediate
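The six stages above, worked end to end on a constructed alert, as an added example that is not the project's TriageService. The regexes, the local threat feed, the UEBA baseline, the rule weights and the disposition thresholds are all assumptions chosen for illustration; the ML ensemble score is taken as an input rather than recomputed, so the example shows how the 70/30 blend and disposition mapping consume it.

```python
import re
from datetime import datetime, timedelta, timezone

# Stage 1: entity extraction. Assumed patterns, not the project's EntityExtractor.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.IGNORECASE)
USER_RE = re.compile(r"\buser(?:name)?[=:]\s*([A-Za-z0-9._-]+)", re.IGNORECASE)


def extract_entities(payload: dict) -> dict:
    """Flatten the payload to 'key=value' text and pull out IOC-like entities."""
    text = " ".join(f"{k}={v}" for k, v in payload.items())
    return {
        "ips": sorted(set(IPV4_RE.findall(text))),
        "domains": sorted(set(DOMAIN_RE.findall(text))),
        "hashes": sorted({h.lower() for h in HASH_RE.findall(text)}),
        "users": sorted(set(USER_RE.findall(text))),
    }


# Stage 2: threat-intel enrichment against a constructed local feed
# (a real deployment fans out to ThreatIntelAggregator providers).
THREAT_FEED = {"203.0.113.9": "scanner", "evil.example": "c2"}


def enrich(entities: dict) -> list:
    observed = entities["ips"] + entities["domains"] + entities["hashes"]
    return [(e, THREAT_FEED[e]) for e in observed if e in THREAT_FEED]


# Stage 3: UEBA. Constructed baseline of each user's usual activity hours (UTC).
USER_BASELINE_HOURS = {"jdoe": range(8, 19), "asmith": range(8, 19)}


def ueba_deviation(users: list, observed_at: datetime) -> float:
    """1.0 when a known user is active outside their baseline window, else 0.0."""
    for u in users:
        if u in USER_BASELINE_HOURS and observed_at.hour not in USER_BASELINE_HOURS[u]:
            return 1.0
    return 0.0


# Stage 4: correlation with prior alerts inside a 24 h window.
def correlate(entities: dict, prior_alerts: list, now: datetime,
              window: timedelta = timedelta(hours=24)) -> list:
    """Ids of prior alerts in the window that share at least one entity."""
    mine = {e for values in entities.values() for e in values}
    hits = []
    for alert in prior_alerts:
        if now - alert["created_at"] > window:
            continue
        theirs = {e for values in extract_entities(alert["payload"]).values() for e in values}
        if mine & theirs:
            hits.append(alert["id"])
    return hits


# Stage 5: rule-based risk score on a 0-100 scale. Weights are assumptions.
SEVERITY_BASE = {"critical": 40, "high": 30, "medium": 20, "low": 10}


def rule_score(severity: str, ti_hits: list, ueba: float, corr_hits: list) -> float:
    score = SEVERITY_BASE[severity]
    score += 30 * min(len(ti_hits), 2) / 2    # up to 30 for threat-intel matches
    score += 15 * ueba                         # up to 15 for behavioral deviation
    score += 15 * min(len(corr_hits), 3) / 3   # up to 15 for correlated alerts
    return min(float(score), 100.0)


# Stage 6: blend with the ML ensemble score (70 % ML, 30 % rules) and map the
# result to a disposition. Thresholds are assumptions.
def blend(ml_score: float, rule: float) -> float:
    return round(0.7 * ml_score + 0.3 * rule, 2)


def disposition(score: float) -> str:
    if score >= 85:
        return "critical_immediate"
    if score >= 60:
        return "suspicious_escalate"
    if score >= 30:
        return "requires_investigation"
    return "benign_auto_resolved"


def triage(alert: dict, ml_score: float, prior_alerts: list, now: datetime) -> dict:
    """Run the six stages and return the fields the alert row would be updated with."""
    ents = extract_entities(alert["payload"])
    ti = enrich(ents)
    ueba = ueba_deviation(ents["users"], now)
    corr = correlate(ents, prior_alerts, now)
    rule = rule_score(alert["severity"], ti, ueba, corr)
    score = blend(ml_score, rule)
    reasoning = (f"severity={alert['severity']}, ti_hits={len(ti)}, ueba={ueba}, "
                 f"correlated={len(corr)}, rule={rule}, ml={ml_score}")
    return {"ai_score": score, "ai_disposition": disposition(score),
            "ai_reasoning": reasoning, "entities": ents, "correlated": corr}


# Constructed sample data: one alert three hours old sharing an IP, one too old to count.
NOW = datetime(2024, 6, 1, 2, 30, tzinfo=timezone.utc)
PRIOR_ALERTS = [
    {"id": "a-001", "created_at": NOW - timedelta(hours=3),
     "payload": {"src_ip": "203.0.113.9", "user": "asmith"}},
    {"id": "a-002", "created_at": NOW - timedelta(days=2), "payload": {"src_ip": "203.0.113.9"}},
]
SUSPICIOUS = {"severity": "high", "payload": {"src_ip": "203.0.113.9", "dst_domain": "evil.example",
                                             "user": "jdoe", "sha256": "a" * 64}}
ROUTINE = {"severity": "low", "payload": {"src_ip": "10.0.0.5", "user": "jdoe"}}

if __name__ == "__main__":
    print(triage(SUSPICIOUS, ml_score=90.0, prior_alerts=PRIOR_ALERTS, now=NOW))
    print(triage(ROUTINE, ml_score=10.0, prior_alerts=PRIOR_ALERTS, now=NOW.replace(hour=14)))
```

The reasoning string is what would land in ai_reasoning: it records every stage's contribution so an analyst reviewing a benign_auto_resolved alert can see which signals were absent, not just the final number.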
API Router
File: app/routers/alerts.py — Prefix: /api/v1/alerts
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/alerts/ | List alerts (filters: status, severity, source_siem) |
| POST | /api/v1/alerts/ | Create alert (triggers autonomous SOC + notifications) |
| PATCH | /api/v1/alerts/{alert_id} | Update alert fields |
| GET | /api/v1/alerts/stats | Alert statistics (total, new, auto_resolved, escalated, rate) |
| POST | /api/v1/alerts/{alert_id}/triage | Trigger 6-stage AI triage on an alert |
| POST | /api/v1/alerts/bulk | Bulk action (resolve, escalate, false_positive) + ML feedback |
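The bulk endpoint is the one place where an analyst submits a list of alert ids, so it is where tenant scoping matters most. The following added example (not the project's router code) shows a bulk handler that restricts the update to the tenant taken from the middleware and records the ML feedback described above. The in-memory store, the action-to-status mapping and the feedback label encoding are assumptions.

```python
from datetime import datetime, timezone
from typing import Optional

# Action -> (new AlertStatus value, ML feedback label). The status mapping and the
# label encoding (1 = analyst confirmed a threat, 0 = false positive) are assumptions.
BULK_ACTIONS = {
    "resolve": ("true_positive", 1),
    "escalate": ("escalated", 1),
    "false_positive": ("false_positive", 0),
}


def sample_store() -> dict:
    """Constructed in-memory stand-in for the alerts table and the ML feedback log."""
    return {
        "alerts": [
            {"id": "a-1", "tenant_id": "t-acme", "status": "new", "ai_score": 72.0,
             "ai_disposition": "requires_investigation"},
            {"id": "a-2", "tenant_id": "t-acme", "status": "investigating", "ai_score": 88.0,
             "ai_disposition": "suspicious_escalate"},
            {"id": "a-3", "tenant_id": "t-globex", "status": "new", "ai_score": 15.0,
             "ai_disposition": "benign_auto_resolved"},
        ],
        "feedback": [],
    }


def bulk_action(store: dict, tenant_id: str, alert_ids: list, action: str,
                analyst_notes: str = "", now: Optional[datetime] = None) -> dict:
    """Apply one bulk action to the caller's own alerts only.

    tenant_id is the value the tenant middleware placed in request.state.tenant_id,
    never something read from the request body. The tenant filter is applied before
    the id match, so ids belonging to another tenant are skipped instead of modified,
    and the response does not distinguish 'other tenant' from 'not found'.
    """
    if action not in BULK_ACTIONS:
        raise ValueError(f"unsupported bulk action: {action!r}")
    new_status, label = BULK_ACTIONS[action]
    now = now or datetime.now(timezone.utc)
    wanted = set(alert_ids)
    rows = [a for a in store["alerts"] if a["tenant_id"] == tenant_id and a["id"] in wanted]
    for a in rows:
        a["status"] = new_status
        a["resolution_type"] = "manual"
        a["updated_at"] = now
        if new_status != "escalated":   # escalation hands the alert to an incident; it is not resolved
            a["resolved_at"] = now
        if analyst_notes:
            a["analyst_notes"] = analyst_notes
        # Feedback for the ML pipeline: what the model predicted versus what the analyst decided.
        store["feedback"].append({
            "tenant_id": tenant_id, "alert_id": a["id"],
            "ai_score": a["ai_score"], "ai_disposition": a["ai_disposition"],
            "label": label, "recorded_at": now,
        })
    updated = [a["id"] for a in rows]
    return {"action": action, "updated": updated, "skipped": sorted(wanted - set(updated))}


if __name__ == "__main__":
    store = sample_store()
    # a-3 belongs to another tenant and a-9 does not exist; both come back as skipped.
    print(bulk_action(store, "t-acme", ["a-1", "a-3", "a-9"], "false_positive", "scanner noise"))
```

Returning the skipped ids lets the frontend tell the analyst that part of the selection was not applied without revealing whether those ids exist in another tenant's data.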
Frontend Page
File: src/app/alerts/page.tsx
The frontend calls GET /api/v1/alerts/ on mount, falling back to mock data. It renders a stats bar (new, investigating, auto-resolved, escalated counts), a bulk action toolbar, and a sortable table with AI score progress bars, severity badges, SIEM source, and disposition labels. Analysts can select multiple alerts and bulk-resolve or bulk-escalate via PATCH /api/v1/alerts/{id}.
Routing
| Layer | Path |
|---|---|
| /alerts | Frontend route (Next.js App Router) |
| /api/v1/alerts | API prefix (FastAPI router) |
Prerequisites
- Database — PostgreSQL with async SQLAlchemy (app/core/database.py)
- Tenant Middleware — Sets request.state.tenant_id for multi-tenant scoping
- ML Pipeline — app/ml/training_pipeline.py for ensemble predictions and feedback recording
- Notification Service — app/services/notification_service.py for WebSocket push
- Autonomous SOC — app/services/autonomous_soc.py for auto-processing
- SLA Manager — app/services/sla_manager.py for response time tracking
- Entity Extractor, Threat Intel, UEBA — Supporting triage pipeline services
Data Model
Model: app/models/alert.py — Table: alerts (extends TenantScopedBase)
| Field | Type | Description |
|---|---|---|
| id | String(36) PK | UUID primary key (from TenantScopedBase) |
| tenant_id | String(36) FK | Tenant scope (from TenantScopedBase) |
| rule_id | String(36) FK | Linked detection rule |
| incident_id | String(36) FK | Linked incident (if escalated) |
| title | String(500) | Alert title |
| raw_payload | JSON | Original SIEM payload |
| normalized_payload | JSON | Normalized alert data |
| severity | String(20) | critical / high / medium / low |
| status | Enum(AlertStatus) | new / auto_resolved / investigating / escalated / false_positive / true_positive |
| source_siem | String(50) | sentinel / splunk / crowdstrike / elastic / chronicle |
| ai_score | Float | ML triage confidence score (0-100) |
| ai_disposition | String(100) | ML disposition label |
| ai_reasoning | Text | Human-readable triage reasoning |
| resolution_type | Enum(ResolutionType) | automated / manual / pending |
| analyst_notes | Text | Analyst-provided notes |
| resolved_at | DateTime | Resolution timestamp |
| created_at | DateTime | Creation timestamp (from base) |
| updated_at | DateTime | Last update timestamp (from base) |
UI Layout
Alerts Page Layout
The page uses a full-width layout on a light slate background (bg-slate-50) with the following structure:
- Header — Bell icon + "Alerts" title in orange accent
- Stats Bar — 4-column grid of stat cards: New (red), Investigating (amber), Auto-Resolved (green), Escalated (purple). Each card shows a count with an icon.
- Bulk Action Bar — White card with "Select All" checkbox, selected count indicator, and two action buttons: "Resolve Selected" (emerald) and "Escalate Selected" (purple). Both trigger PATCH requests to the API.
- Alert Table — White rounded card with columns: Checkbox, AI Score (progress bar + numeric value), Title (with alert ID below), Severity (color-coded badge), Source SIEM, Disposition (color-coded: green for auto-resolved, amber for manual review, purple for escalated), Created timestamp.
AI score bars use color coding: green (≥0.7), amber (0.3-0.7), red (<0.3). The table supports hover highlighting and row-level checkbox selection.