SOC Workstation
Multi-window SOC workstation with layout presets, cross-tool pivoting, and real-time taskbar.
The SOC Workstation is the primary interface during Shift Mode. It replicates a multi-monitor SOC environment within a single browser window, giving you simultaneous access to SIEM, XDR, Firewall, Threat Intelligence, Case Management, and Comms panels.
Layout Presets
Four layout presets let you configure your workspace for different stages of an investigation:
| Preset | Primary Focus | Secondary Panels | Best For |
|---|---|---|---|
| Analyst Setup | SIEM + XDR side-by-side | Firewall minimized, Case Management docked | General triage and monitoring |
| Investigation Mode | XDR full-width | SIEM and Ember ThreatInt as side panels | Deep-dive endpoint analysis |
| Triage Mode | SIEM full-width | Case Management docked right | High-volume alert processing |
| Network Focus | Firewall + SIEM side-by-side | Ember ThreatInt docked | Network-centric investigations |
Switch between presets with Ctrl+Shift+L or through the layout selector in the taskbar.
Window Management
Each tool window supports standard window operations:
- Tiling -- Windows snap to predefined grid positions. Drag a window to the edge of the workspace to tile it.
- Detaching -- Press Ctrl+Shift+D to pop a window into a separate floating panel. Useful for multi-monitor setups.
- Minimizing -- Minimize windows to the taskbar. Click the taskbar button to restore them.
- Resizing -- Drag window borders to resize. Double-click a border to expand to fill available space.
Cross-Window Pivoting
When you encounter an IOC (IP address, domain, hash, process name) in any tool window, right-click it to open the pivot menu:
- Open in SIEM -- Search logs for this indicator
- Open in XDR -- Search endpoint telemetry for this indicator
- Open in Firewall -- Search connection logs for this indicator
- Open in Ember ThreatInt -- Look up threat intelligence for this indicator
- Pin to Case -- Add this indicator as evidence to your current case
Cross-window pivoting is the fastest way to correlate activity across tools. When an alert in the SIEM references a suspicious IP, pivoting to the Firewall immediately shows whether that IP has other connections.
Taskbar
The taskbar runs along the bottom of the workstation and provides:
| Element | Function |
|---|---|
| Window Buttons | One button per tool window. Click to focus or restore. |
| Alert Badges | Red badge count on each window button showing unread alerts. |
| Shift Timer | Remaining time in the current shift, color-coded as time runs low. |
| Phase Indicator | Current shift phase (Briefing, Active, Final 10 Minutes, Debrief). |
| Layout Selector | Quick-switch between the four layout presets. |
| Pause Button | Pause the shift timer and alert flow. |
Mobile and Tablet
On screens narrower than 1024px, the workstation falls back to a tab-based interface. Each tool occupies a full-screen tab, and you switch between them using the bottom navigation bar. Cross-window pivoting still works -- selecting "Open in SIEM" switches to the SIEM tab with the search pre-filled.
Shift Mode is designed for desktop use. The tab-based fallback works for reviewing alerts, but the full multi-window experience requires a screen width of at least 1280px.