Inspiration
Security Operations Centers (SOCs) are under siege. Analysts face thousands of alerts daily, leading to Alert Fatigue, a dangerous state where critical threats effectively hide in plain sight amidst the noise. We asked ourselves: What if a dashboard didn't just show data, but actually "thought" like a senior analyst?
Our inspiration came from the desire to shift the paradigm from Monitoring (watching charts) to Triage (making decisions). We wanted to build a tool that respects the analyst's cognitive load by quantifying uncertainty and translating cryptic logs into human narratives.
What it does
The SOC Triage Dashboard is a comprehensive command center for modern security defense. It transforms raw event logs into a prioritized, actionable intelligence stream.
- Intelligent Prioritization: Instead of a flat list, we process a dynamic queue ranked by a composite risk score, ensuring the most critical threats (Malware, Impossible Travel, Data Exfiltration) are addressed first.
- Incident Storytelling: We group disparate events into "Stories," enabling analysts to see the full attack vector (e.g., Phishing Email \(\rightarrow\) Credential Dump \(\rightarrow\) VPN Access) rather than isolated blips.
- Uncertainty Quantification: Uniquely, our dashboard explicitly visualizes "Uncertainty & Gaps." It tells analysts what the system doesn't know (e.g., "Missing endpoint process tree"), preventing premature conclusions.
- Human-Centric AI: The "Why This Matters" engine translates complex signal correlations into plain English (e.g., "Critical priority due to high confidence malware detected on user J. Doe"), bridging the gap between machine logic and human understanding.
How we built it
We architected a high-performance Single Page Application (SPA) designed for speed and clarity.
- Core Framework: Built on React.js, utilizing advanced hooks (useMemo, useReducer) to handle real-time sorting and filtering of thousands of complex JSON objects without a frame drop.
- Visual Language: We used Tailwind CSS to create a high-contrast, "Cyber-Dark" aesthetic. This isn't just for looks; it reduces eye strain during 12-hour shifts and uses color psychology (Red/Orange/Blue) to guide attention instantly.
- Data Processing & NLP: We engineered a client-side processor that normalizes nested JSON logs. We implemented a Rule-Based NLP Engine that parses signal arrays to generate dynamic, grammatical explanations for every alert.
- Math & Logic: We implemented a confidence scoring algorithm that normalizes disparate signals into a unified percentage.
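A rule-based version of the "Why This Matters" narrative and the "Uncertainty & Gaps" check described above, added here as an example rather than the project's own code; the signal names, the evidence table and the sample incident are assumptions:

```javascript
// Added example, not the APEX Triage project's code: a rule-based
// "Why This Matters" generator plus the "Uncertainty & Gaps" check.
// Signal names, the evidence table and the sample incident are constructed.

// Supporting evidence each signal type is expected to carry.
const EXPECTED_EVIDENCE = {
  malware_detected: ['endpoint_process_tree', 'file_hash'],
  impossible_travel: ['src_geo', 'prev_geo'],
  data_exfiltration: ['bytes_out', 'destination'],
};

// Phrase templates per signal type; {confidence} and {user} are filled in.
const PHRASES = {
  malware_detected: '{confidence} confidence malware detected on user {user}',
  impossible_travel: '{confidence} confidence impossible travel for user {user}',
  data_exfiltration: '{confidence} confidence data exfiltration by user {user}',
};

// Map a 0..1 confidence score onto the wording used in the narrative.
function confidenceWord(c) {
  return c >= 0.8 ? 'high' : c >= 0.5 ? 'medium' : 'low';
}

// Build one plain-English sentence from the signal array and list every
// expected evidence field that is absent, so the gap is shown, not hidden.
function explain(incident) {
  const reasons = [];
  const gaps = [];
  for (const s of incident.signals) {
    const tpl = PHRASES[s.type];
    if (!tpl) { gaps.push(`Unknown signal type: ${s.type}`); continue; }
    reasons.push(tpl.replace('{confidence}', confidenceWord(s.confidence))
                    .replace('{user}', incident.user));
    for (const field of EXPECTED_EVIDENCE[s.type] || []) {
      if (!(field in (s.evidence || {}))) gaps.push(`Missing ${field} for ${s.type}`);
    }
  }
  return { why: `${incident.priority} priority due to ${reasons.join(' and ')}`, gaps };
}

// Constructed sample incident: the malware signal lacks its process tree.
const SAMPLE = {
  id: 'INC-001', user: 'J. Doe', priority: 'Critical',
  signals: [
    { type: 'malware_detected', confidence: 0.92, evidence: { file_hash: '<placeholder>' } },
    { type: 'impossible_travel', confidence: 0.6, evidence: { src_geo: 'DE', prev_geo: 'US' } },
  ],
};
console.log(JSON.stringify(explain(SAMPLE), null, 2));
```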
Challenges we ran into
- The "Black Box" Problem: Security data is often opaque. Creating the Uncertainty Panel was difficult because it required us to programmatically identify absent data, and proving a negative is a classic logical challenge.
- Complex Data Structures: The dataset contained deeply nested correlations (Events linked to Stories linked to Entities). Flattening this for a performant UI while keeping the relationships intact for the "Story View" required complex recursive data mapping.
- Balancing Detail vs. Clarity: We struggled initially with information density. Early versions were too cluttered. We successfully pivoted to a "Progressive Disclosure" design, where high-level summaries (the list) expand into Granular Details (the panel) only when needed.
Accomplishments that we're proud of
- The "Why This Matters" Feature: We successfully turned raw JSON tags into a fluid narrative. Seeing the dashboard explain why an alert is critical in plain English was a "magic moment" for the team.
- Operational Empathy: We included features like "Analyst Notes" and "copy-pasteable Next Steps," showing we understand the actual workflow of a human responder.
- Visual coherency: The dashboard feels professional and trustworthy, which is crucial for a security tool.
What we learned
- Uncertainty is Data: Verifying what you don't know is often as valuable as knowing what you do know. Capturing "Confidence Scores" allows for more nuanced human decision-making.
- The Frontend is the Product: In high-pressure environments, UI/UX performance translates directly to response speed. A 100ms lag can break an analyst's flow.
- Semantic Mapping: We learned how to map technical event types (e.g., S3.GetObject) to human concepts (Data Exfiltration), identifying the core semantic meaning behind the logs.
The Math Behind the Triage
To rank incidents effectively, we developed a weighted scoring model. The Priority Score \(P\) for any given incident \(i\) is calculated as:
$$ P_i = \sigma(S_i) \cdot \left( \alpha C_i + \beta \sum_{k=1}^{N} w_k E_{i,k} \right) $$
Where: \(\sigma(S_i)\) is the Severity Multiplier (Critical \(\approx 1.5\), High \(\approx 1.2\), Medium \(\approx 1.0\)); \(C_i\) is the Confidence Score (\(0 \leq C_i \leq 1\)) derived from signal fidelity; \(E_{i,k}\) represents the correlated events in the temporal vicinity of incident \(i\), each weighted by its relevance \(w_k\); and \(\alpha\) and \(\beta\) are tuning parameters that balance confidence against correlation volume. This ensures that a single high-confidence event can outrank a low-confidence cluster, preventing false-positive storms.
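The scoring model carried through in code, as an added example (not the project's implementation); it assumes a same-user, one-hour vicinity rule for \(E_{i,k}\) and constructed values for \(\alpha\), \(\beta\) and the sample data, and reproduces the claim that a single high-confidence event outranks a low-confidence cluster:

```javascript
// Added example, not the project's code: the write-up's priority score
// P_i = sigma(S_i) * (alpha*C_i + beta * sum_k w_k * E_{i,k}).
// ALPHA, BETA, the vicinity window and the sample data are constructed
// assumptions; the severity multipliers are the ones stated in the text.

const SEVERITY_MULTIPLIER = { Critical: 1.5, High: 1.2, Medium: 1.0 };
const ALPHA = 1.0;  // weight on confidence (assumed)
const BETA = 0.1;   // weight on correlation volume (assumed, deliberately small)
const HOUR = 60 * 60 * 1000;

// E_{i,k} = 1 when event k concerns the same user and falls inside the
// time window around incident i, else 0.
function isCorrelated(incident, event, windowMs) {
  return event.user === incident.user && Math.abs(event.ts - incident.ts) <= windowMs;
}

function priorityScore(incident, events, windowMs = HOUR) {
  const sigma = SEVERITY_MULTIPLIER[incident.severity];
  if (sigma === undefined) throw new Error(`Unknown severity: ${incident.severity}`);
  const confidence = Math.min(1, Math.max(0, incident.confidence)); // clamp C_i to [0, 1]
  let correlation = 0; // sum_k w_k * E_{i,k}
  for (const ev of events) {
    if (isCorrelated(incident, ev, windowMs)) correlation += ev.weight;
  }
  return sigma * (ALPHA * confidence + BETA * correlation);
}

// Rank the queue highest score first.
function rankQueue(incidents, events) {
  return incidents
    .map((inc) => ({ id: inc.id, score: priorityScore(inc, events) }))
    .sort((a, b) => b.score - a.score);
}

// Constructed sample: one high-confidence malware hit (j.doe) versus a
// cluster of five events around a low-confidence alert (a.roe).
const T0 = Date.parse('2024-01-01T12:00:00Z');
const MIN = 60 * 1000;
const EVENTS = [
  { user: 'j.doe', ts: T0 + 5 * MIN, weight: 1.0 },
  ...[1, 2, 3, 4, 5].map((m) => ({ user: 'a.roe', ts: T0 + m * MIN, weight: 1.0 })),
  { user: 'a.roe', ts: T0 + 3 * HOUR, weight: 1.0 }, // outside the window, ignored
];
const INCIDENTS = [
  { id: 'INC-A', user: 'j.doe', severity: 'High', confidence: 0.9, ts: T0 },
  { id: 'INC-B', user: 'a.roe', severity: 'High', confidence: 0.3, ts: T0 },
];

console.log(rankQueue(INCIDENTS, EVENTS)); // INC-A (1.2) outranks INC-B (approx. 0.96)
```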
What's next for APEX Triage
The current version of APEX Triage excels at Identification and Contextualization. Our roadmap focuses on closing the loop with Action and Prediction.
- Agentic Auto-Remediation: We plan to integrate an AI Agent that can not only explain the threat but propose and execute containment strategies (e.g., "Isolate Host", "Revoke Token") with human-in-the-loop approval.
- LLM-Powered Root Cause Analysis: Moving beyond rule-based NLP, we aim to fine-tune a specialized LLM on historical SOC data to generate hypothesis trees for why an attack occurred, connecting subtle dots across months of logs.
- Predictive Threat Modeling: By analyzing the velocity of low-severity alerts, we want to forecast probability of escalation, allowing analysts to preemptively harden defenses before a sophisticated attack matures.