SecOps / SIEM Overview
The SecOps module is The One Security's security operations center — a full SIEM with alert ingestion, incident management, threat hunting, automated playbooks, and response actions.
Security Command Center
Navigate to SecOps to reach the Security Command Center — your daily operational hub.
The command center shows four key metrics at a glance:
| Metric | Description |
|---|---|
| Critical Alerts | Open alerts rated Critical severity |
| Open Incidents | Active incidents not yet resolved or closed |
| Active Hunts | Threat hunts currently in progress |
| Dark Web Exposures | Unresolved dark web breach findings |
Below the metrics are two live tables:
- Recent Alerts — Last 10 alerts sorted by detection time, with severity and status
- Active Incidents — All open/investigating/contained incidents with assignee
Both tables are clickable and navigate directly to the detail view for each alert or incident.
Creating Alerts and Incidents Manually
You can manually create alerts and incidents directly from the command center:
Create Alert fields: Title, Severity (Critical/High/Medium/Low/Info), Category (e.g., malware, intrusion, phishing), Source (e.g., EDR, SIEM, manual)
Create Incident fields: Title, Severity, Description
Alert Pipeline
Alerts flow through the following pipeline:
Log Source → Detection Rule / Integration → Alert → Incident (escalation) → Resolved/Closed
Alert statuses:
| Status | Description |
|---|---|
| New | Alert detected, not yet reviewed |
| Open | Under active attention |
| Investigating | Assigned analyst is investigating |
| Contained | Threat contained, remediation underway |
| Resolved | Fully remediated |
| Closed | Closed without action (false positive, etc.) |
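The status table lists the states but not which moves between them are legal. The following added example (not code from The One Security) models the pipeline as an explicit transition table and the escalation step as a function that groups alerts into an incident; the allowed transitions, field names and incident shape are assumptions chosen to match the table above.

```typescript
// Added example (not The One Security's code): a model of the alert status
// pipeline. The allowed transitions are an assumption drawn from the status
// table; the page lists the statuses but does not say which moves are legal.

export type Severity = "Critical" | "High" | "Medium" | "Low" | "Info";
export type AlertStatus =
  | "New" | "Open" | "Investigating" | "Contained" | "Resolved" | "Closed";

export interface Alert {
  id: string;
  title: string;
  severity: Severity;
  status: AlertStatus;
  incidentId?: string; // set once the alert has been escalated
}

export interface Incident {
  id: string;
  title: string;
  severity: Severity; // highest severity among the escalated alerts
  status: "open";
  alertIds: string[];
}

// Assumed forward-only workflow. Resolved and Closed are terminal; Closed is
// reachable from every non-terminal state because a false positive can be
// recognised at any point in the investigation.
const TRANSITIONS: Record<AlertStatus, AlertStatus[]> = {
  New: ["Open", "Investigating", "Closed"],
  Open: ["Investigating", "Contained", "Closed"],
  Investigating: ["Contained", "Resolved", "Closed"],
  Contained: ["Resolved", "Closed"],
  Resolved: [],
  Closed: [],
};

const SEVERITY_RANK: Record<Severity, number> = {
  Critical: 5, High: 4, Medium: 3, Low: 2, Info: 1,
};

export function canTransition(from: AlertStatus, to: AlertStatus): boolean {
  return TRANSITIONS[from].includes(to);
}

// Returns a new Alert; throws rather than silently accepting an illegal move so
// a buggy integration cannot, for example, reopen a Closed alert.
export function transition(alert: Alert, to: AlertStatus): Alert {
  if (!canTransition(alert.status, to)) {
    throw new Error(`illegal transition ${alert.status} -> ${to} on alert ${alert.id}`);
  }
  return { ...alert, status: to };
}

// Escalation step of the pipeline: group alerts into one incident. Alerts that
// are still New or Open move to Investigating; terminal alerts are refused.
export function escalate(
  incidentId: string,
  title: string,
  alerts: Alert[],
): { incident: Incident; alerts: Alert[] } {
  if (alerts.length === 0) throw new Error("cannot escalate an empty alert set");
  const updated = alerts.map((a) => {
    if (a.status === "Resolved" || a.status === "Closed") {
      throw new Error(`alert ${a.id} is ${a.status} and cannot be escalated`);
    }
    const next =
      a.status === "New" || a.status === "Open" ? transition(a, "Investigating") : a;
    return { ...next, incidentId };
  });
  const severity = updated
    .map((a) => a.severity)
    .reduce((hi, s) => (SEVERITY_RANK[s] > SEVERITY_RANK[hi] ? s : hi));
  return {
    incident: {
      id: incidentId, title, severity, status: "open",
      alertIds: updated.map((a) => a.id),
    },
    alerts: updated,
  };
}

// Constructed sample alerts for a stand-alone run.
export const SAMPLE_ALERTS: Alert[] = [
  { id: "a-1", title: "Suspicious LSASS access", severity: "High", status: "New" },
  { id: "a-2", title: "Outbound beacon to known C2", severity: "Critical", status: "Open" },
];
```

Escalating both sample alerts produces an incident rated Critical (the higher of the two) and moves each alert to Investigating without mutating the originals; an attempt to move a Resolved or Closed alert back to Open is rejected.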
Log Sources
Navigate to SecOps → Log Sources to configure what data sources feed into the SIEM. Log source configuration determines what generates alerts in your environment.
Playbooks
Navigate to SecOps → Playbooks to build and manage automated response playbooks.
A playbook is a sequence of steps triggered when a matching condition occurs. Each step has an action type and title.
Creating a playbook:
- Click New Playbook
- Enter a name and description
- Add steps (one per line); each line becomes a step with action_type: manual
- Playbooks can be toggled Active/Inactive
When a playbook is active, it is evaluated against incoming alerts and incidents based on its trigger conditions.
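The following added example (not code from The One Security) shows the two mechanics described above in working form: turning the one-step-per-line text into manual steps, and evaluating only active playbooks against an incoming alert. The page does not document the trigger-condition format, so the trigger shape used here (a minimum severity plus an optional category list) and the field names are assumptions.

```typescript
// Added example (not The One Security's code): parsing "one step per line"
// playbook text and evaluating active playbooks against an incoming alert.
// The trigger shape (minSeverity, categories) is assumed; the page does not
// document the real trigger-condition format.

type Severity = "Critical" | "High" | "Medium" | "Low" | "Info";
const SEVERITY_RANK: Record<Severity, number> = {
  Critical: 5, High: 4, Medium: 3, Low: 2, Info: 1,
};

export interface PlaybookStep {
  order: number;
  action_type: "manual"; // every step created from the text box is manual, per the page
  title: string;
}

export interface Trigger {
  minSeverity?: Severity; // assumed field: fire at this severity or above
  categories?: string[];  // assumed field: compared case-insensitively
}

export interface Playbook {
  name: string;
  description: string;
  active: boolean;
  trigger: Trigger;
  steps: PlaybookStep[];
}

export interface IncomingAlert {
  severity: Severity;
  category: string;
}

// Each non-empty line becomes one step. Whitespace-only lines are dropped so a
// trailing newline in the text box does not produce an empty step.
export function parseSteps(text: string): PlaybookStep[] {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((title, i) => ({ order: i + 1, action_type: "manual" as const, title }));
}

export function matchesTrigger(pb: Playbook, alert: IncomingAlert): boolean {
  if (!pb.active) return false; // inactive playbooks are never evaluated
  const t = pb.trigger;
  if (t.minSeverity && SEVERITY_RANK[alert.severity] < SEVERITY_RANK[t.minSeverity]) {
    return false;
  }
  if (t.categories) {
    const wanted = t.categories.map((c) => c.toLowerCase());
    if (!wanted.includes(alert.category.toLowerCase())) return false;
  }
  return true;
}

// Returns the playbooks that would fire for this alert, in definition order.
export function evaluate(playbooks: Playbook[], alert: IncomingAlert): Playbook[] {
  return playbooks.filter((pb) => matchesTrigger(pb, alert));
}

// Constructed sample playbooks for a stand-alone run.
export const SAMPLE_PLAYBOOKS: Playbook[] = [
  {
    name: "Malware triage",
    description: "Isolate the host and preserve evidence",
    active: true,
    trigger: { minSeverity: "High", categories: ["malware"] },
    steps: parseSteps("Isolate host from network\nCollect memory image\n\nNotify on-call lead\n"),
  },
  {
    name: "Phishing response",
    description: "Mailbox clean-up",
    active: false, // toggled Inactive: must never fire
    trigger: { categories: ["phishing"] },
    steps: parseSteps("Purge message from all mailboxes"),
  },
];
```

With the samples above, a Critical malware alert fires only "Malware triage"; a Medium malware alert fires nothing because it is below the playbook's minimum severity; and a High phishing alert fires nothing because the matching playbook is inactive.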
Response Actions
Navigate to SecOps → Response Actions to view and configure the response actions available to analysts during incident handling. Response actions integrate with connected endpoints and services to take automated or one-click remediation steps.
Log Source Integration
The SIEM bridge background function (siem-bridge.ts) ingests events from connected sources into the SIEM alert pipeline. Integration endpoints (integration-secops.ts) expose inbound webhooks for external systems to push alerts and incidents.