How-to

Operate Live SOC

Triage incoming detections, acknowledge, escalate, and link to incidents.

The detection inbox

Live SOC is your inbox of detections that crossed the Console's confidence threshold. Each row shows the detection, its asset, the time, and the proposed first action.

Actions

Acknowledge — claim the detection. It moves out of the team's open queue.
Escalate — convert into an incident with a timeline.
Suppress — for benign noise, with a required reason. Suppression rules are reviewed weekly.