SOC Analyst Workspace

24/7 War Room -- Shift management, case queue, investigation timelines, analyst performance, and runbook knowledge base.

Status

Built

API Endpoints

35+

DB Models

Frontend

Live

Overview

The SOC Analyst Workspace is the operational backbone for human SOC analysts, providing a full "war room" experience for 24/7 security operations. It supports follow-the-sun shift routing, intelligent case auto-assignment with workload balancing, investigation timelines with evidence chain of custody, analyst performance tracking and team leaderboards, and a MITRE-mapped runbook knowledge base with automated suggestions.

What Was Proposed

Shift management with follow-the-sun routing across global SOC teams
Case queue with intelligent auto-assignment and workload balancing
Investigation timeline with evidence chain tracking
Analyst performance tracking, leaderboards, and quality scoring
Knowledge base with MITRE-mapped runbooks and contextual suggestions
War room collaboration with real-time messaging
Case merge/split operations
Evidence locker with chain of custody tracking
Shift handoff with acknowledgment workflow

What's Built

Feature	Status	Details
Shift Management	Complete	3 shifts (Americas, EMEA, APAC) with follow-the-sun routing
Analyst Management	Complete	CRUD, status tracking (available/busy/offline/break), roles (L1-L3, Lead)
Case Queue	Complete	Full queue with auto-assign, bulk reassign, auto-balance, P1-P4 priority
Investigation Timeline	Complete	17 event types tracked per case
Evidence Chain	Complete	Evidence locker with chain of custody, transfer, and SHA256 hashing
War Room Collaboration	Complete	Messages, analyst tagging, findings with severity, 4 message types
Case Merge/Split	Complete	Merge multiple cases into primary, split alerts to new cases
Shift Handoff	Complete	Handoff creation, acknowledgment workflow, history tracking
Runbook Knowledge Base	Complete	Category-based browse, keyword search, MITRE-mapped suggestions, execution engine
Analyst Performance	Complete	Team leaderboard, individual metrics, quality scoring, 7d/30d periods
War Room Dashboard	Complete	Single-call dashboard: shift, queue stats, active cases, SLA health, top performers

Architecture

Component Layout

Frontend (Next.js)                    API (FastAPI)                        Database (PostgreSQL)
+-----------------------+             +---------------------------+        +---------------------+
| /soc-workspace        |  REST API   | /api/v1/soc/*             |  ORM   | soc_shifts          |
|   ShiftPanel          | ----------> | ShiftManager              | -----> | soc_analysts        |
|   CaseQueue           |             | CaseQueue                 |        | soc_case_assignments|
|   InvestigationView   |             | InvestigationTimeline     |        | soc_timeline_events |
|   WarRoom             |             | CollaborationHub          |        | soc_evidence_items  |
|   PerformanceBoard    |             | PerformanceTracker        |        | soc_shift_handoffs  |
|   RunbookBrowser      |             | KnowledgeBase             |        | soc_war_room_msgs   |
|   EvidenceLocker      |             | RunbookExecutor           |        +---------------------+
+-----------------------+             | EvidenceLocker            |
                                      +---------------------------+

The service layer (soc_workspace.py) initializes a singleton SOCWorkspace object containing all sub-managers: ShiftManager, CaseQueue, InvestigationTimeline, PerformanceTracker, KnowledgeBase, HandoffManager, CollaborationHub, RunbookExecutor, and EvidenceLocker. All are pre-populated with realistic demo data for live demonstrations.

API Routing

Router prefix: /api/v1/soc — Tag: soc-workspace

Shift Management

GET/shift/currentCurrent active shift & on-duty analysts

GET/shiftsList all configured shifts

Analyst Management

GET/analystsList analysts (filter by status, role)

GET/analysts/{analyst_id}Get analyst detail

PATCH/analysts/{analyst_id}/statusUpdate availability status

GET/analysts/{analyst_id}/queueGet analyst's case queue

Case Queue & Assignment

GET/queueFull case queue (filter by status, severity, priority)

GET/queue/statsQueue stats for war room dashboard

POST/cases/{case_id}/assignManual case assignment

POST/cases/auto-assignIntelligent auto-assign (follow-the-sun + workload)

POST/cases/{case_id}/reassignReassign with reason

PATCH/cases/{case_id}/statusUpdate case status

POST/cases/auto-balanceAuto-balance workload across analysts

POST/cases/bulk-reassignBulk reassign from one analyst to another

POST/cases/mergeMerge secondary cases into primary

POST/cases/{case_id}/splitSplit alerts to new case

Investigation Timeline

GET/cases/{case_id}/timelineFull investigation timeline

POST/cases/{case_id}/notesAdd investigation note

POST/cases/{case_id}/evidenceAttach evidence to case

War Room Collaboration

POST/war-room/{case_id}/messagePost war room message

GET/war-room/{case_id}/messagesGet war room messages

POST/war-room/{case_id}/tagTag analyst in war room

POST/war-room/{case_id}/findingMark a finding

Evidence Locker

POST/cases/{case_id}/evidence-lockerAdd evidence with chain of custody

GET/cases/{case_id}/evidence-lockerFull evidence chain

POST/evidence/{evidence_id}/transferTransfer custody

GET/evidence/{evidence_id}Get evidence item

Performance & Runbooks

GET/performance/teamTeam leaderboard

GET/performance/{analyst_id}Analyst performance detail

GET/runbooksBrowse runbook knowledge base

GET/runbooks/{runbook_id}Get runbook detail

GET/runbooks/suggest/{alert_id}MITRE-mapped runbook suggestions

POST/runbooks/{runbook_id}/executeExecute runbook against case

GET/dashboardComplete war room dashboard (single call)

Prerequisites

PostgreSQL database with TenantScopedBase tables migrated
FastAPI application with tenant middleware configured
WebSocket server for real-time collaboration (optional)

Data Model

All models extend TenantScopedBase for multi-tenant isolation. File: platform/api/app/models/soc_workspace.py

Analyst

Table: soc_analysts

Column	Type	Description
name	String(255)	Analyst display name
email	String(255)	Analyst email
role	Enum (L1, L2, L3, Lead)	Analyst tier
status	Enum (available, busy, offline, break)	Current availability
shift_id	FK → soc_shifts	Assigned shift
skills	JSON	Skill tags
certifications	JSON	Certification list
current_case_count	Integer	Active case count
performance_score	Float	Composite performance score
avg_response_time	Float	Average response time

CaseAssignment

Table: soc_case_assignments

Column	Type	Description
case_id	String(64)	Case identifier
analyst_id	FK → soc_analysts	Assigned analyst
status	Enum (queued, assigned, acknowledged, investigating, escalated, resolved, closed)	Case lifecycle status
priority	Enum (P1, P2, P3, P4)	SLA priority tier
severity	String(32)	Alert severity
sla_deadline	DateTime	SLA deadline
auto_assigned	Boolean	Whether auto-assigned

Other Models

Shift (soc_shifts) -- name, start_hour, end_hour, timezone, region
TimelineEvent (soc_timeline_events) -- 17 event types, case_id FK, actor, description, details JSON
EvidenceItem (soc_evidence_items) -- type, hash (SHA256), source, chain_of_custody JSON
ShiftHandoff (soc_shift_handoffs) -- from/to shift FKs, status (pending/acknowledged/completed), open_cases, priority_notes
WarRoomMessage (soc_war_room_messages) -- sender, message, type (text/command/finding/question/system), tagged_analysts, evidence_refs

UI Description

File: platform/frontend/src/app/soc-workspace/page.tsx

The frontend is a comprehensive multi-tab war room interface built with React and Lucide icons. Key views include:

Shift Panel -- Current shift info, on-duty analysts with status badges, shift change countdown
Case Queue -- Sortable/filterable table with priority (P1-P4), severity, SLA countdown, analyst assignment. Supports drag-and-drop reassignment
Investigation View -- Full case timeline with 17 event types, evidence attachments, investigation notes, and linked runbooks
War Room -- Real-time chat per case with analyst tagging, findings with severity markers, and system notifications
Performance Board -- Team leaderboard with composite scores, MTTR/MTTA metrics, case resolution rates
Runbook Browser -- Category-filtered runbook library with keyword search and MITRE-mapped auto-suggestions per alert
Evidence Locker -- Chain of custody viewer with SHA256 verification and custody transfer logs
Handoff Manager -- Shift handoff creation with cases-in-progress, priority notes, and acknowledgment tracking

The page uses the api client from @/lib/api-client and falls back to mock data when the API is unreachable.