HorizonEdge Fleet Command

Analyst Incident Workflow

The human-in-the-loop view: how a Signal Horizon analyst turns a spiking dashboard into a deployed rule in four stages, each anchored in real UI surfaces and API endpoints. The loop runs continuously; every deploy feeds the next alert.

4 · Workflow Stages
<5m · Alert → Triage
<15m · Triage → Rule
Canary · Deploy Posture
The Loop — Alert · Triage · Tune · Deploy
STAGE 01
Alert
SIGNAL SURFACED
"Something just spiked. Is it real?"
  • Overview page shows category spike
  • Live map flags a new geo cluster
  • WarRoom pings oncall
  • Campaign detection fires on 3rd IP
TARGET · FIRST EYES < 5 MIN
STAGE 02
Triage
SCOPE & BLAST RADIUS
"Who else is hit? What's the pattern?"
  • Actor / Session / Campaign drilldown
  • Request timeline + JA4 fingerprints
  • SocSearch pivots across related IPs
  • Sigma hunt confirms similar activity
GOAL · UNDERSTAND IMPACT
STAGE 03
Tune
RULE AUTHORING
"What's the minimal rule that catches this?"
  • Draft a runtime rule with TTL
  • Dry-run via synapse evaluate
  • Check against benign traffic samples
  • Add playbook entry for recurrence
REVIEW · MINIMIZE FALSE POSITIVES
STAGE 04
Deploy
PROGRESSIVE ROLLOUT
"Ship it — safely."
  • Canary via RolloutOrchestrator
  • Health-gated batch expansion
  • Watch Overview for false-positive rate
  • Instant rollback via state store
ROLLOUT · 1% → 100% GATED
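The Stage 04 sequence (canary, health-gated batch expansion, watch the false-positive rate, instant rollback via the state store) as a small executable model. This is added example code, not the RolloutOrchestrator or DeploymentStateStore implementation; the 1/10/50/100 batch sizes, the 2% false-positive ceiling and the observation callback are assumptions, and the two observation tables are constructed for the demonstration.

```python
"""Illustrative health-gated progressive rollout with blue/green rollback.

Added example, not Signal Horizon's own code. The batch percentages,
the FP-rate ceiling and the observation callback are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Assumed batch plan: canary first, then expand. 1% -> 100%, gated at each step.
BATCHES: Tuple[int, ...] = (1, 10, 50, 100)


@dataclass
class DeploymentState:
    """Minimal blue/green state: which colour serves, how much of the fleet
    carries the candidate, and an audit trail of every gate decision."""
    active: str = "blue"
    candidate: str = "green"
    percent: int = 0                      # share of fleet on the candidate
    history: List[Tuple[object, float]] = field(default_factory=list)

    def promote(self) -> None:
        # Candidate becomes the serving colour; old active is kept for rollback.
        self.active, self.candidate = self.candidate, self.active

    def rollback(self, observed_fp_rate: float) -> None:
        # "Instant" rollback: stop routing to the candidate, keep the old active.
        self.percent = 0
        self.history.append(("rollback", observed_fp_rate))


def progressive_rollout(state: DeploymentState,
                        observe_fp_rate: Callable[[int], float],
                        max_fp_rate: float = 0.02,
                        batches: Tuple[int, ...] = BATCHES) -> bool:
    """Expand batch by batch; each batch must pass the FP-rate gate before
    the next one is admitted. Returns True on full promotion, False on rollback."""
    for pct in batches:
        state.percent = pct
        fp_rate = observe_fp_rate(pct)           # e.g. read from Overview metrics
        state.history.append((pct, fp_rate))
        if fp_rate > max_fp_rate:
            state.rollback(fp_rate)
            return False
    state.promote()
    return True


# Constructed observations: FP rate seen at each batch size.
HEALTHY_OBSERVATIONS = {1: 0.000, 10: 0.004, 50: 0.006, 100: 0.008}
NOISY_OBSERVATIONS = {1: 0.000, 10: 0.031}      # rule over-matches once traffic widens


def run_scenario(observations: dict) -> DeploymentState:
    state = DeploymentState()
    progressive_rollout(state, lambda pct: observations[pct])
    return state


if __name__ == "__main__":
    for name, obs in (("healthy", HEALTHY_OBSERVATIONS), ("noisy", NOISY_OBSERVATIONS)):
        s = run_scenario(obs)
        print(f"{name}: active={s.active} percent={s.percent} history={s.history}")
```

The gate is evaluated per batch rather than once at the end, so a rule that looks clean on a 1% canary but over-matches at 10% is reverted before it reaches half the fleet; the history list is what an analyst would page through in the War Room to see which gate tripped.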
Tools Per Stage — Real Horizon Surfaces
01 · ALERT
OverviewPage /overview
WarRoomPage /warroom
LiveMapPage /soc/live-map
ScenariosPage /scenarios
02 · TRIAGE
ActorDetailPage /soc/actors/:id
SessionDetailPage /soc/sessions/:id
CampaignDetailPage /soc/campaigns/:id
RequestTimeline /hunting/request
SocSearchPage /soc/search
03 · TUNE
HuntingPage /hunting
hunt-sigma API POST /api/hunt/sigma
synapse rule-add CLI + API
PlaybooksPage /playbooks
04 · DEPLOY
RolloutOrchestrator BullMQ
FleetCommander reload · drain
DeploymentStateStore blue/green
AutopilotPage /autopilot
Response Actions — What an Analyst Can Do
Block IP
Add to blocklist via POST /api/blocklist — expires on TTL or manual release.
Release
Un-block a false positive via synapse release <ip>. Risk score carried over.
Runtime Rule
Add an in-memory WAF rule with TTL — synapse rule-add <json> 3600. Survives reload if persisted.
Sigma Hunt
Scope a hypothesis across historical data — POST /api/hunt/sigma. Backed by ClickHouse.
Config Tune
Adjust thresholds on the fly — synapse config-set challenge_threshold=35.
Playbook
Attach an automated response to a signal class via POST /api/playbooks.
War Room
Open a collaborative incident room — timeline, evidence, shared context.
Rollback
Revert a deploy via DeploymentStateStore blue/green swap. Instant.
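The Stage 03 steps (draft a runtime rule with TTL, dry-run it, check it against benign traffic samples) and the Runtime Rule action above, modelled as runnable code. This is added example code, not the synapse CLI or the WAF's rule engine; the rule shape (a path regex plus an optional User-Agent regex), the 1% false-positive ceiling and the traffic samples are all constructed for the demonstration.

```python
"""Illustrative TTL-bound runtime rule with a dry-run false-positive check.

Added example, not Signal Horizon's own code. `synapse rule-add <json> <ttl>`
is modelled by RuntimeRuleStore.add(); `synapse evaluate` by dry_run().
Rule fields and the sample traffic are assumptions.
"""
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RuntimeRule:
    rule_id: str
    path_pattern: str                   # regex applied to the request path
    user_agent_pattern: Optional[str]   # optional regex applied to the User-Agent
    action: str = "challenge"

    def matches(self, request: Dict[str, str]) -> bool:
        if not re.search(self.path_pattern, request["path"]):
            return False
        if self.user_agent_pattern is None:
            return True
        return re.search(self.user_agent_pattern, request["ua"]) is not None


@dataclass
class DryRunReport:
    rule_id: str
    hits: int
    true_positives: int
    false_positives: int
    fp_rate: float      # false positives / benign samples evaluated


class RuntimeRuleStore:
    """In-memory rules that expire on TTL; release() is the manual path."""

    def __init__(self) -> None:
        self._rules: Dict[str, tuple] = {}   # rule_id -> (rule, expires_at)

    def add(self, rule: RuntimeRule, ttl_seconds: int, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._rules[rule.rule_id] = (rule, now + ttl_seconds)

    def release(self, rule_id: str) -> None:
        self._rules.pop(rule_id, None)

    def active(self, now: Optional[float] = None) -> List[RuntimeRule]:
        now = time.time() if now is None else now
        # Lazy expiry: drop anything whose TTL has elapsed before answering.
        self._rules = {rid: (r, exp) for rid, (r, exp) in self._rules.items() if exp > now}
        return [r for r, _ in self._rules.values()]


def dry_run(rule: RuntimeRule, samples: List[Dict[str, str]]) -> DryRunReport:
    """Evaluate a rule against labelled samples without enforcing anything."""
    benign = [s for s in samples if s["label"] == "benign"]
    hits = [s for s in samples if rule.matches(s)]
    fp = sum(1 for s in hits if s["label"] == "benign")
    tp = len(hits) - fp
    fp_rate = fp / len(benign) if benign else 0.0
    return DryRunReport(rule.rule_id, len(hits), tp, fp, fp_rate)


def passes_review(report: DryRunReport, max_fp_rate: float = 0.01) -> bool:
    """Review gate: must catch something and stay under the FP ceiling."""
    return report.true_positives >= 1 and report.fp_rate <= max_fp_rate


# Constructed traffic: three benign browser requests, three scripted probes.
SAMPLE_TRAFFIC = [
    {"ip": "10.0.0.5", "path": "/login", "ua": "Mozilla/5.0", "label": "benign"},
    {"ip": "10.0.0.6", "path": "/api/orders", "ua": "Mozilla/5.0", "label": "benign"},
    {"ip": "10.0.0.7", "path": "/login", "ua": "Mozilla/5.0", "label": "benign"},
    {"ip": "203.0.113.9", "path": "/login", "ua": "python-requests/2.31", "label": "malicious"},
    {"ip": "203.0.113.10", "path": "/login", "ua": "python-requests/2.31", "label": "malicious"},
    {"ip": "203.0.113.11", "path": "/wp-login.php", "ua": "python-requests/2.31", "label": "malicious"},
]

# First draft: matches every /login request, so it also hits real users.
BROAD_RULE = RuntimeRule("login-spike-v1", r"^/login", None)
# Minimal rule: same paths, but only for the scripted client seen in triage.
MINIMAL_RULE = RuntimeRule("login-spike-v2", r"^/(wp-)?login", r"python-requests")

if __name__ == "__main__":
    for rule in (BROAD_RULE, MINIMAL_RULE):
        rep = dry_run(rule, SAMPLE_TRAFFIC)
        print(rule.rule_id, rep, "review:", "pass" if passes_review(rep) else "fail")
    store = RuntimeRuleStore()
    store.add(MINIMAL_RULE, ttl_seconds=3600)
    print("active rules:", [r.rule_id for r in store.active()])
```

Running the dry run over the two drafts shows the point of the "minimal rule" question: the broad draft catches the probes but challenges two of three benign logins, while the User-Agent constraint keeps the same catch with no benign hits. The store expires rules lazily on read, so a forgotten rule stops matching once its TTL lapses even if nobody releases it.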
The loop never closes
Every deployed rule is also a new source of telemetry. False positives bubble back into Overview, rule hits feed risk scoring, and campaign detections re-arm enforcement in-process. Analysts don't ship rules and walk away — they watch the next alert to confirm the previous one was handled. This infographic is itself a cycle: the "Deploy" step always feeds back into "Alert".