## Overview
The Monitoring & Incidents module is the operational security layer of the ThreatZ platform. It enables automotive cybersecurity teams to detect, correlate, investigate, and respond to security events in connected vehicles. The module integrates real-time event ingestion, automated threat correlation, incident lifecycle management, anomaly alerting, and external VSOC connectivity into a single operational environment.
## Key Concepts
### Observed Security Events
Observed Security Events are the raw signals ingested from vehicle systems, sensors, or external feeds. Each event carries a severity (Critical, High, Medium, Low, Info), a raw payload, source metadata, and contextual values. Events follow a defined status workflow:
Pending → Processing → Correlated / Uncorrelated → Acknowledged / Dismissed → Escalated → Resolved
### Incidents
Incidents are structured investigations created either manually or by escalating a correlated security event. Each incident includes:
- Severity level (Critical, High, Medium, Low)
- State tracking (New → Investigating → In Progress → Resolved)
- Assigned analyst
- Threaded comments and evidence attachments
- Links to related assets, damages, threats, and risks
- Optional threat intelligence feed association
### Threat Correlation
Threat Correlation is the process of matching observed events to threat scenario indicators defined in the TARA module. The correlation engine uses weighted scoring:
| Indicator Severity | Weight |
|---|---|
| Critical | 100 |
| High | 75 |
| Medium | 50 |
| Low | 25 |
Matching supports exact values, wildcards (`ECU_*`), regex patterns (`/MAC.*failed/`), and array containment — with bonus scoring for context-based matches.
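The scoring scheme above, as an added illustration that is not the ThreatZ correlation engine's own code: the severity weights come from the table, while the size of the context bonus (`CONTEXT_BONUS`), the score at which an event moves to the Correlated branch of the status workflow (`CORRELATION_THRESHOLD`), the `Indicator`/`Event` shapes and the sample data are all assumptions made for the example. Array containment is implemented so that either the indicator or the event value may be the array.

```python
import re
from dataclasses import dataclass, field
from typing import Any

# Weights taken from the indicator-severity table on this page.
SEVERITY_WEIGHT = {"Critical": 100, "High": 75, "Medium": 50, "Low": 25}
# Bonus for a match on a context value and the escalation threshold are
# assumptions: the page gives no figures for either.
CONTEXT_BONUS = 10
CORRELATION_THRESHOLD = 100


@dataclass
class Indicator:
    """One threat-scenario indicator (hypothetical shape, not ThreatZ's schema)."""
    field_name: str
    pattern: Any              # exact value, "ECU_*" wildcard, "/regex/" or a list
    severity: str             # Critical | High | Medium | Low
    in_context: bool = False  # match against event.context instead of the payload


@dataclass
class Event:
    """Observed security event: raw payload plus contextual values."""
    payload: dict[str, Any]
    context: dict[str, Any] = field(default_factory=dict)


def matches(pattern: Any, value: Any) -> bool:
    """Return True if `value` satisfies `pattern` under one of the four match modes."""
    # Array containment: either side may be the array.
    if isinstance(value, list):
        return pattern in value
    if isinstance(pattern, list):
        return value in pattern
    if isinstance(pattern, str):
        # Regex pattern written as /.../ (delimiters stripped before compiling).
        if len(pattern) > 2 and pattern[0] == "/" and pattern[-1] == "/":
            return re.search(pattern[1:-1], str(value)) is not None
        # Wildcard: '*' matches any run of characters, everything else is literal.
        if "*" in pattern:
            regex = ".*".join(re.escape(part) for part in pattern.split("*"))
            return re.fullmatch(regex, str(value)) is not None
    return pattern == value


def score_event(event: Event, indicators: list[Indicator]) -> tuple[int, list[str]]:
    """Sum the weight of every matching indicator; return (score, matched fields)."""
    total, hits = 0, []
    for ind in indicators:
        source = event.context if ind.in_context else event.payload
        if ind.field_name in source and matches(ind.pattern, source[ind.field_name]):
            points = SEVERITY_WEIGHT[ind.severity]
            if ind.in_context:
                points += CONTEXT_BONUS
            total += points
            hits.append(ind.field_name)
    return total, hits


def correlate(event: Event, indicators: list[Indicator]) -> tuple[str, int, list[str]]:
    """Map the score onto the Correlated / Uncorrelated branch of the event workflow."""
    score, hits = score_event(event, indicators)
    status = "Correlated" if score >= CORRELATION_THRESHOLD else "Uncorrelated"
    return status, score, hits


# Constructed sample data (not real vehicle telemetry).
SAMPLE_INDICATORS = [
    Indicator("source_ecu", "ECU_*", "High"),
    Indicator("message", "/MAC.*failed/", "Critical"),
    Indicator("dtc_codes", "U0100", "Medium"),
    Indicator("vehicle_state", "driving", "Low", in_context=True),
]
SAMPLE_EVENT = Event(
    payload={
        "source_ecu": "ECU_GATEWAY_01",
        "message": "MAC verification failed for CAN frame 0x1A2",
        "dtc_codes": ["P0A1F", "U0100"],
    },
    context={"vehicle_state": "driving"},
)

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENT, SAMPLE_INDICATORS))
    # ('Correlated', 260, ['source_ecu', 'message', 'dtc_codes', 'vehicle_state'])
```

With the sample event all four indicators match (75 + 100 + 50 + 35 with the context bonus), so the event is routed to the Correlated branch; an event that only hits the wildcard indicator scores 75 and stays Uncorrelated under the assumed threshold.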
### VSOC Configuration
VSOC Configuration defines how security events are exported to external Vehicle Security Operations Centers:
- Endpoint URL and authentication method (API Key, Bearer Token, Basic Auth, OAuth2, Certificate)
- Export format (JSON, AUTOSAR, STIX, Custom)
- Field mappings for source-to-target transformation
- Retry configuration with exponential backoff
- Export statistics and status tracking
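An added example of the export path described above (field mapping, authentication header, exponential-backoff retries and export statistics), written for this page rather than taken from the ThreatZ platform: the `VsocConfig`/`RetryConfig` shapes, the retry defaults, the header names used for the API Key and Bearer Token methods, the `FlakyVsoc` stand-in transport and the placeholder endpoint URL are all assumptions. Only the JSON export format is implemented.

```python
import json
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class RetryConfig:
    max_attempts: int = 4      # assumed defaults; the page names no values
    base_delay: float = 0.5    # seconds before the first retry
    max_delay: float = 8.0     # cap so the backoff cannot grow without bound


@dataclass
class VsocConfig:
    endpoint_url: str
    auth_method: str                # "API Key" or "Bearer Token" handled below
    export_format: str              # only "JSON" is implemented in this example
    field_mappings: dict[str, str]  # source field -> target field
    retry: RetryConfig = field(default_factory=RetryConfig)


@dataclass
class ExportStats:
    attempts: int = 0
    succeeded: int = 0
    failed: int = 0
    last_status: str = "never exported"


def map_fields(event: dict, mappings: dict[str, str]) -> dict:
    """Source-to-target transformation: only mapped fields leave the platform."""
    return {target: event[source] for source, target in mappings.items() if source in event}


def backoff_delay(attempt: int, cfg: RetryConfig) -> float:
    """Exponential backoff: base * 2^attempt, capped at max_delay."""
    return min(cfg.base_delay * (2 ** attempt), cfg.max_delay)


def auth_headers(cfg: VsocConfig, secret: str) -> dict[str, str]:
    """Header names are assumptions; a real VSOC will specify its own."""
    if cfg.auth_method == "API Key":
        return {"X-API-Key": secret}
    if cfg.auth_method == "Bearer Token":
        return {"Authorization": f"Bearer {secret}"}
    raise ValueError(f"auth method not implemented in this example: {cfg.auth_method}")


def export_event(
    event: dict,
    cfg: VsocConfig,
    secret: str,
    send: Callable[[str, dict, bytes], int],   # transport; returns an HTTP status code
    stats: ExportStats,
    sleep: Callable[[float], None] = time.sleep,
) -> bool:
    """Push one event to the VSOC, retrying transient failures with backoff."""
    if cfg.export_format != "JSON":
        raise ValueError("this example serialises JSON only")
    body = json.dumps(map_fields(event, cfg.field_mappings)).encode()
    headers = {"Content-Type": "application/json", **auth_headers(cfg, secret)}
    status = 0
    for attempt in range(cfg.retry.max_attempts):
        stats.attempts += 1
        status = send(cfg.endpoint_url, headers, body)
        if 200 <= status < 300:
            stats.succeeded += 1
            stats.last_status = "exported"
            return True
        # A 4xx other than 429 is a permanent rejection: retrying would only repeat it.
        if 400 <= status < 500 and status != 429:
            break
        if attempt < cfg.retry.max_attempts - 1:
            sleep(backoff_delay(attempt, cfg.retry))
    stats.failed += 1
    stats.last_status = f"failed (last HTTP {status})"
    return False


class FlakyVsoc:
    """Stand-in transport for the example: answers 503 `failures` times, then 202."""
    def __init__(self, failures: int):
        self.failures = failures
        self.received: list[bytes] = []

    def send(self, url: str, headers: dict, body: bytes) -> int:
        if self.failures > 0:
            self.failures -= 1
            return 503
        self.received.append(body)
        return 202


# Constructed configuration and event; the URL is a placeholder.
SAMPLE_CFG = VsocConfig(
    endpoint_url="https://vsoc.example.invalid/events",
    auth_method="API Key",
    export_format="JSON",
    field_mappings={"source_ecu": "asset_id", "severity": "sev", "message": "summary"},
)
SAMPLE_EVENT = {
    "source_ecu": "ECU_GATEWAY_01",
    "severity": "High",
    "message": "MAC verification failed",
    "raw_payload": "internal bytes, not exported",
}

if __name__ == "__main__":
    vsoc, stats = FlakyVsoc(failures=2), ExportStats()
    ok = export_event(SAMPLE_EVENT, SAMPLE_CFG, "api-key-placeholder", vsoc.send, stats, sleep=lambda s: None)
    print(ok, stats, vsoc.received)
```

Two design points worth noting: the unmapped `raw_payload` never leaves the platform because only mapped fields are serialised, and a 401/403 from the VSOC stops the retry loop immediately rather than burning the remaining attempts on a rejection that backoff cannot fix.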
## Dashboards & Visualizations
The security dashboard provides real-time situational awareness through multiple widgets:
- Security Status: Overall risk level with trend indicator (improving / stable / worsening)
- Finding Trends: Severity distribution over 7-day and monthly periods
- Attack Surface Map: Component nodes (ECU, gateway, TCU) with risk-level indicators, finding counts, and threat paths
- Active Campaigns: Real-time campaign monitoring
- Compliance Scorecard: Current compliance posture
- Recent Alerts: Prioritized anomaly feed
All dashboard data is delivered via WebSocket subscriptions, with per-project room-based isolation.
## Anomaly Alerting
The anomaly alert engine continuously evaluates security state and generates prioritized alerts:
| Alert Type | Trigger | Priority |
|---|---|---|
| Critical Finding | Critical-severity finding detected | P1 |
| Finding Spike | Multiple high-severity findings in short period | P2 |
| Safety Event | FATAL safety event during test execution | P1 |
| Compliance Breach | Compliance threshold exceeded | P2 |
Alerts are delivered through in-app notifications (WebSocket), email, and dashboard widgets. Each alert includes a severity, a description, the affected entity, and a direct link to the relevant resource.
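The four alert rules from the table, evaluated over constructed findings as an added example; this is not the ThreatZ alert engine's code. The alert types, priorities and the fields each alert carries follow the page; the spike window and count (`SPIKE_WINDOW`, `SPIKE_THRESHOLD`), the compliance threshold (`MAX_NONCOMPLIANT_CONTROLS`), the link paths and the `Finding`/`SafetyEvent` shapes are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Finding:
    finding_id: str
    severity: str        # Critical | High | Medium | Low | Info
    entity: str          # affected component, e.g. an ECU name
    observed_at: datetime


@dataclass
class SafetyEvent:
    level: str           # e.g. "FATAL"
    campaign: str
    observed_at: datetime


@dataclass
class Alert:
    alert_type: str
    priority: str        # P1 | P2
    severity: str
    description: str
    entity: str
    link: str            # direct link to the relevant resource (paths assumed)


# Assumed thresholds: the page names the triggers but not these numbers.
SPIKE_WINDOW = timedelta(minutes=15)
SPIKE_THRESHOLD = 3
MAX_NONCOMPLIANT_CONTROLS = 5
PRIORITY_ORDER = {"P1": 0, "P2": 1}


def evaluate_alerts(findings: list[Finding], safety_events: list[SafetyEvent],
                    noncompliant_controls: int, now: datetime) -> list[Alert]:
    """Apply the four alert rules and return alerts ordered P1 before P2."""
    alerts: list[Alert] = []
    # Critical Finding (P1): one alert per critical-severity finding.
    for f in findings:
        if f.severity == "Critical":
            alerts.append(Alert("Critical Finding", "P1", "Critical",
                                f"Critical-severity finding {f.finding_id} detected",
                                f.entity, f"/findings/{f.finding_id}"))
    # Finding Spike (P2): several high-severity findings inside the window.
    recent_high = [f for f in findings
                   if f.severity in ("Critical", "High")
                   and timedelta(0) <= now - f.observed_at <= SPIKE_WINDOW]
    if len(recent_high) >= SPIKE_THRESHOLD:
        entities = ", ".join(sorted({f.entity for f in recent_high}))
        alerts.append(Alert("Finding Spike", "P2", "High",
                            f"{len(recent_high)} high-severity findings in the last "
                            f"{SPIKE_WINDOW.seconds // 60} minutes",
                            entities, "/findings?severity=high"))
    # Safety Event (P1): FATAL safety event during test execution.
    for s in safety_events:
        if s.level == "FATAL":
            alerts.append(Alert("Safety Event", "P1", "Critical",
                                f"FATAL safety event during campaign {s.campaign}",
                                s.campaign, f"/campaigns/{s.campaign}"))
    # Compliance Breach (P2): compliance threshold exceeded.
    if noncompliant_controls > MAX_NONCOMPLIANT_CONTROLS:
        alerts.append(Alert("Compliance Breach", "P2", "High",
                            f"{noncompliant_controls} non-compliant controls exceeds "
                            f"the threshold of {MAX_NONCOMPLIANT_CONTROLS}",
                            "compliance scorecard", "/compliance"))
    alerts.sort(key=lambda a: PRIORITY_ORDER[a.priority])   # stable sort: P1 first
    return alerts


# Constructed sample state (not real data).
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE_FINDINGS = [
    Finding("F-101", "Critical", "ECU_GATEWAY_01", NOW - timedelta(minutes=2)),
    Finding("F-102", "High", "TCU_01", NOW - timedelta(minutes=5)),
    Finding("F-103", "High", "ECU_GATEWAY_01", NOW - timedelta(minutes=9)),
    Finding("F-104", "High", "BCM_01", NOW - timedelta(hours=3)),   # outside the window
    Finding("F-105", "Low", "TCU_01", NOW - timedelta(minutes=1)),
]
SAMPLE_SAFETY = [SafetyEvent("FATAL", "CAMPAIGN-7", NOW - timedelta(minutes=30))]

if __name__ == "__main__":
    for alert in evaluate_alerts(SAMPLE_FINDINGS, SAMPLE_SAFETY, 7, NOW):
        print(alert.priority, alert.alert_type, alert.entity, alert.link)
```

The stale High finding three hours old is excluded from the spike count, so the spike fires on exactly the three findings inside the window; dropping the critical and recent findings and bringing the non-compliant control count under the threshold yields no alerts at all.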
## Incident Response Workflow
```text
Discovery
    ↓
Detection — Security event observed and ingested
    ↓
Correlation — Event matched to threat scenario indicators
    ↓
Escalation — Correlated event converted to incident (or manual creation)
    ↓
Investigation — Analyst assigned, evidence attached, comments added
    ↓
Resolution — State updated, incident closed
    ↓
Post-Incident Review — Activity log analysis, findings documentation
```
Additional workflows include:
- Threat Intelligence → Incident: Convert external threat intel feeds directly into tracked incidents
- Bulk Event Ingestion: Batch import events with automated correlation processing
- VSOC Export: Push events to external systems with retry logic and status tracking
## Notification System
The module supports multi-channel notifications with preference-based filtering:
- In-app: Real-time delivery via WebSocket
- Email: Configurable per notification category
- Triggers: Incident assignment, analyst mention, event correlation, threat intel conversion
- RBAC-aware: Notifications respect role-based access control
## Infrastructure Monitoring
Platform-level monitoring is provided through:
- Prometheus Metrics: Campaign state transitions, safety event counts, WebSocket health, campaign duration histograms
- Alert Rules: Campaign stuck detection (>24h), high error rates, fatal safety events, agent responsiveness checks
- Grafana Dashboard: Pre-configured panels for operational monitoring
## Integration with Other Pillars
| Direction | Pillar | Data Flow |
|---|---|---|
| Inbound | TARA | Threat scenario indicators for correlation |
| Inbound | Governance | Security event definitions (AUTOSAR-compliant) from catalogs |
| Inbound | Testing | Safety events from campaign execution |
| Inbound | Threat Intelligence | External threat feeds |
| Outbound | TARA | Incident-linked risks and assets |
| Outbound | Compliance | Incident logs and response evidence |
| Outbound | External VSOC | Event exports (JSON, AUTOSAR, STIX, Custom) |