Detection & Response Module
Overview
The Detection & Response module is a composite frontend section that brings together case management, MITRE ATT&CK coverage mapping, and MDR operational dashboards into a unified experience. It provides the SOC team with a single entry point to monitor cases, assess detection coverage across the MITRE framework, and navigate to response action tools.
This module consists of four sub-pages, each serving a distinct operational purpose. It aggregates data from the Alerts, Incidents, and Detection Rules APIs to provide cross-cutting visibility.
What Was Proposed
- Unified detection and response overview dashboard
- Case monitoring with search, severity/status filtering, and assignee tracking
- MITRE ATT&CK framework visualization with detection rule coverage per tactic
- Donut gauge charts showing technique coverage percentages
- MDR overview sub-page within detection-response hierarchy
- Navigation between sub-pages via breadcrumbs and action buttons
What's Built
| Feature | Status |
|---|---|
| Detection & Response overview page | ✓ Complete |
| Case monitoring with search and filters | ✓ Complete |
| MITRE ATT&CK framework grid (14 tactics, 3 phases) | ✓ Complete |
| Donut gauge coverage charts per tactic | ✓ Complete |
| Expandable tactic cards with rule listings | ✓ Complete |
| MDR sub-page with incident summary | ✓ Complete |
| Breadcrumb navigation | ✓ Complete |
| API integration with fallback data | ✓ Complete |
Sub-Page: Overview
detection-response/page.tsx
Route: /detection-response
The overview page shows summary cards (Total Cases, Open Cases, Resolved Cases, Avg Resolution Time), populated from GET /api/v1/detection-rules/stats/summary. Below, a recent cases table shows case ID, title, severity, status, assignee, source, and created date. Each row is clickable and navigates to case monitoring. Navigation buttons link to Case Monitoring and MITRE Framework sub-pages.
Data Source: /api/v1/detection-rules/stats/summary
Sub-Page: Case Monitoring
detection-response/case-monitoring/page.tsx
Route: /detection-response/case-monitoring
Dedicated case tracking page with full filtering capabilities. Shows a status summary bar (Open, In Progress, Resolved, Closed counts in colored cards). Provides search input, severity dropdown, and status dropdown for filtering. The table adds MITRE technique IDs and last-updated timestamps compared to the overview. Fetches data from GET /api/v1/incidents/.
Table columns: Case ID, Title, Severity (badge), Status (with icon), Assignee (with user icon), Source, Techniques (monospace chips), Last Updated, chevron.
Data Source: /api/v1/incidents/
Sub-Page: MITRE ATT&CK Framework
detection-response/mitre-framework/page.tsx
Route: /detection-response/mitre-framework
The MITRE framework page is the most complex sub-page. It loads all 372 detection rules from GET /api/v1/detection-rules/?limit=1000 and maps them to 14 MITRE ATT&CK tactics organized into three attack phases:
- Access and Establish: Initial Access, Resource Development, Reconnaissance, Execution, Persistence
- Expand and Escalate: Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement
- Exfiltrate and Impact: Collection, Command and Control, Exfiltration, Impact
Each tactic is rendered as a card with a donut gauge chart showing technique coverage (e.g., 8/10 techniques covered). Cards expand to show all detection rules mapped to that tactic with severity badges, SIEM target pills, and details.
Stats bar: 6-column grid showing Total Rules, Active Rules, Critical, High, Medium, Low/Info counts.
Data Scope selector: Dropdown to filter by data source (All, State of California, EDR, SIEM, Cloud, Network).
Data Source: /api/v1/detection-rules/?limit=1000
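As an added example (not the project's own code), the following TypeScript groups detection rules into the 14 tactics and three phases listed above, computes the per-tactic coverage shown in the donut gauges, and derives the 6-column stats bar. The rule fields (tactic, technique, enabled, severity) and the per-tactic technique catalog are assumptions; the sample rules are constructed.

```typescript
type Severity = "critical" | "high" | "medium" | "low" | "info";

// Assumed rule shape: one MITRE tactic name and one technique ID per rule.
interface DetectionRule {
  id: string;
  enabled: boolean;
  severity: Severity;
  tactic: string;     // e.g. "Execution"
  technique: string;  // e.g. "T1059"
}

// The three phases and 14 tactics as described for the MITRE framework page.
const PHASES: Record<string, string[]> = {
  "Access and Establish": ["Initial Access", "Resource Development", "Reconnaissance", "Execution", "Persistence"],
  "Expand and Escalate": ["Privilege Escalation", "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement"],
  "Exfiltrate and Impact": ["Collection", "Command and Control", "Exfiltration", "Impact"],
};

interface TacticCoverage { tactic: string; covered: number; total: number; activeRules: number; totalRules: number; }

// Coverage for a tactic = distinct techniques hit by at least one ENABLED rule,
// over the number of techniques in the (assumed) catalog for that tactic.
// Disabled rules count toward totalRules but add no coverage.
function coverageByTactic(rules: DetectionRule[], catalog: Record<string, string[]>): TacticCoverage[] {
  return Object.values(PHASES).flat().map((tactic) => {
    const inTactic = rules.filter((r) => r.tactic === tactic);
    const active = inTactic.filter((r) => r.enabled);
    const covered = new Set(active.map((r) => r.technique));
    return { tactic, covered: covered.size, total: (catalog[tactic] ?? []).length,
      activeRules: active.length, totalRules: inTactic.length };
  });
}

// Stats bar: Total Rules, Active Rules, Critical, High, Medium, Low/Info.
function statsBar(rules: DetectionRule[]) {
  const count = (s: Severity[]) => rules.filter((r) => s.includes(r.severity)).length;
  return { total: rules.length, active: rules.filter((r) => r.enabled).length,
    critical: count(["critical"]), high: count(["high"]), medium: count(["medium"]), lowInfo: count(["low", "info"]) };
}

// Constructed sample catalog and rules (not project data).
const SAMPLE_CATALOG: Record<string, string[]> = { Execution: ["T1059", "T1204", "T1047"], Persistence: ["T1053", "T1547"] };
const SAMPLE_RULES: DetectionRule[] = [
  { id: "r1", enabled: true,  severity: "high",     tactic: "Execution",   technique: "T1059" },
  { id: "r2", enabled: true,  severity: "critical", tactic: "Execution",   technique: "T1059" }, // same technique as r1: counted once
  { id: "r3", enabled: false, severity: "medium",   tactic: "Execution",   technique: "T1204" }, // disabled: adds no coverage
  { id: "r4", enabled: true,  severity: "low",      tactic: "Persistence", technique: "T1053" },
];
```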
Sub-Page: MDR
detection-response/mdr/page.tsx
Route: /detection-response/mdr
Nested MDR overview page showing active cases, mean response time, auto-resolved percentage, and escalated count. Includes SOC analyst activity stats (analysts online, alerts triaged today, SLA compliance) and a recent incidents table with severity and status indicators. Data fetched from GET /api/v1/incidents and GET /api/v1/admin/dashboard with auto-refresh every 30 seconds.
Data Source: /api/v1/incidents, /api/v1/admin/dashboard
Routing
| Path | Layer | Description |
|---|---|---|
| /detection-response | Frontend | Overview page |
| /detection-response/case-monitoring | Frontend | Case monitoring page |
| /detection-response/mitre-framework | Frontend | MITRE ATT&CK coverage map |
| /detection-response/mdr | Frontend | MDR overview sub-page |
| /api/v1/detection-rules/stats/summary | API | Used by overview page |
| /api/v1/detection-rules/?limit=1000 | API | Used by MITRE framework page |
| /api/v1/incidents/ | API | Used by case monitoring and MDR pages |
Prerequisites
- Detection Rules API: /api/v1/detection-rules for MITRE mapping and stats
- Incidents API: /api/v1/incidents for case monitoring data
- DonutGauge Component: src/components/charts/donut-gauge.tsx for coverage visualization
- Mock Data: src/lib/mock-data.ts for fallback when the API is unavailable
- API Client: src/lib/api-client.ts for authenticated HTTP requests
UI Layout
Overview Page Layout
- Breadcrumb: "Detection & Response / Overview"
- Header: Shield icon, title, navigation buttons (Case Monitoring, MITRE Framework)
- 4 Summary Cards: Total Cases (blue), Open Cases (orange), Resolved Cases (green), Avg Resolution Time (purple)
- Recent Cases Table: Searchable, columns for Case ID, Title, Severity, Status, Assignee, Source, Created. Rows are clickable.
MITRE Framework Page Layout
- Breadcrumb: "SOCaaS › Detection & Response › MITRE Framework"
- Stats Bar: 6 cards showing rule counts by severity
- Phase Sections: Three horizontal sections (Access and Establish, Expand and Escalate, Exfiltrate and Impact), each with a centered label divider
- Tactic Cards: 4-column grid. Each card has an icon, tactic name, donut gauge, active/total rule count. Click "View more" to expand and see all rules for that tactic.
- Expanded Card: Goes full-width (col-span-full), lists rules with checkmark/X icons for enabled/disabled, severity badges, SIEM target pills, and expandable detail panels per rule.