🛡️ EchoVault™ User Guide
Security Operations · Complete documentation and usage instructions
# EchoVault (SIEM) — User Guide
## Getting Started
1. Navigate to http://localhost:8000
2. The dashboard shows live KPIs, charts, and threat level
3. Use the sidebar to navigate between pages
## Keyboard Shortcuts
| Key | Action |
|-----|--------|
| `/` | Focus search |
| `t` | Go to Triage |
| `m` | Go to Monitor |
| `i` | Go to Investigate |
| `a` | Go to AI Assistant |
| `r` | Go to Reports |
| `c` | Go to Cases |
| `n` | Go to Notebooks |
| `l` | Go to Live Feed |
| `?` | Show all shortcuts |
| `Cmd+K` | Command palette |
## Search & Query
Navigate to `/search` or use the search bar.
### Query Syntax (SPL-like)
```
source=firewall severity=critical
source=auth message LIKE "%failed%"
severity=high | top src_ip
source=edr | stats count by hostname
```
### Filters
- `source=<name>` — filter by log source
- `severity=<level>` — critical, high, medium, low, info
- `src_ip=<ip>` — filter by source IP
- `| top <field>` — top values
- `| stats count by <field>` — group by
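As an added illustration of how the filter and pipe stages above compose (this is example code written for this guide, not EchoVault's own query engine; the LIKE semantics, the exact-match `=` comparison and the sample events are assumptions):

```python
import re
import shlex
from collections import Counter

EVENTS = [  # constructed sample events, not real EchoVault data
    {"source": "firewall", "severity": "critical", "src_ip": "10.0.0.5", "hostname": "fw1", "message": "port scan detected"},
    {"source": "firewall", "severity": "high", "src_ip": "10.0.0.5", "hostname": "fw1", "message": "blocked outbound"},
    {"source": "auth", "severity": "high", "src_ip": "10.0.0.9", "hostname": "dc1", "message": "login failed for admin"},
    {"source": "auth", "severity": "info", "src_ip": "10.0.0.9", "hostname": "dc1", "message": "login ok for alice"},
    {"source": "edr", "severity": "high", "src_ip": "10.0.0.7", "hostname": "ws2", "message": "suspicious process"},
    {"source": "edr", "severity": "high", "src_ip": "10.0.0.7", "hostname": "ws3", "message": "new service installed"},
]

def _like_to_regex(pattern):
    # SQL-style LIKE (assumed): % matches any run of characters, _ one character, rest literal
    body = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)

def _parse_filters(tokens):
    # Turn `field=value` and `field LIKE "pattern"` clauses into predicates (all must match)
    preds, i = [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1].upper() == "LIKE":
            field, rx = tokens[i], _like_to_regex(tokens[i + 2])
            preds.append(lambda ev, f=field, r=rx: bool(r.match(str(ev.get(f, "")))))
            i += 3
        elif "=" in tokens[i]:
            field, value = tokens[i].split("=", 1)
            preds.append(lambda ev, f=field, v=value: str(ev.get(f)) == v)
            i += 1
        else:
            raise ValueError(f"unrecognised filter clause: {tokens[i]}")
    return preds

def run_query(query, events=EVENTS):
    # Stage 0 is the filter; later stages are `top <field>` or `stats count by <field>`
    stages = [s.strip() for s in query.split("|")]
    preds = _parse_filters(shlex.split(stages[0]))
    rows = [ev for ev in events if all(p(ev) for p in preds)]
    for stage in stages[1:]:
        cmd = stage.split()
        if cmd[:1] == ["top"] and len(cmd) == 2:
            rows = Counter(ev.get(cmd[1]) for ev in rows).most_common()
        elif cmd[:3] == ["stats", "count", "by"] and len(cmd) == 4:
            rows = sorted(Counter(ev.get(cmd[3]) for ev in rows).items())
        else:
            raise ValueError(f"unsupported pipe command: {stage}")
    return rows

if __name__ == "__main__":
    for q in ("severity=high | top src_ip", 'source=auth message LIKE "%failed%"'):
        print(q, "->", run_query(q))
```

The split on `|` is deliberately naive: a pipe character inside a quoted LIKE pattern would be misread, so a production parser should tokenise before splitting stages.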
## Alert Triage
Navigate to `/triage` for the enterprise triage workspace.
### Triage Shortcuts
| Key | Action |
|-----|--------|
| `a` | Acknowledge alert |
| `i` | Investigate alert |
| `r` | Resolve alert |
| `s` | Generate AI story |
| `c` | Create case |
| `n` | Next alert |
### Alert Lifecycle
```
open → acknowledged → investigating → resolved → closed
```
### PounceSOC™ (Agentic AI)
The platform automatically:
- Closes false positives and noise (95%+ auto-resolved)
- Escalates true positives to investigating
- Creates incidents for critical confirmed threats
- Learns from analyst feedback
## AI Assistant
Navigate to `/assistant` or use the dashboard "AI Ask" button.
### Example Questions
- "show open alerts"
- "search lateral movement"
- "create alert suspicious login from 10.0.0.5"
- "acknowledge alert ALR-xxx"
- "run playbook triage"
- "stats"
- "generate query for failed logins"
- "summarize alert"
## Dashboards
### Main Dashboard (/)
- KPI cards (events, alerts, cases, rules)
- Live sparkline (events/interval)
- Risk gauge (exposure score)
- Compliance posture
- MITRE ATT&CK coverage
- Charts (severity, timeline, trend, sources)
### Dashboard Builder (/dashboard-builder)
Create custom dashboards with drag-and-drop widgets.
## Cases
Navigate to `/cases` for the Kanban case board.
- Create cases from alerts
- Assign to analysts
- Track through open → investigating → closed
## Reports
Navigate to `/reports` for report generation.
- Export events/alerts/cases as JSON or CSV
- Generate compliance reports
- Schedule automated reports
## Live Feed
Navigate to `/live-feed` for real-time event streaming.
- SSE-powered live event feed
- Agent status monitoring
- AI signal detection
## Notebooks
Navigate to `/notebooks` for investigation notebooks.
- Save queries with results
- Add analyst notes
- Share with team
## MITRE ATT&CK
Navigate to `/mitre` for the MITRE ATT&CK heatmap.
- Shows detection coverage per technique
- Links to rules covering each technique
- Gap analysis
## Integrations
Navigate to `/integrations` for connector management.
- Configure log sources
- Set up webhooks
- Manage API keys