Incident Hub — 47 MITRE ATT&CK-Tagged Playbooks · Agentic AI Response
Every alert that RoutePulse fires is a story, not a row. The Incident Hub gathers correlated events from BGP anomalies, ML detectors, Wazuh SIEM, Suricata IDS, FortiGate, and 39 threat feeds into a single MITRE ATT&CK-tagged dossier — and 47 production playbooks auto-trigger the right response, from Telegram broadcast to BGP blackhole, with full audit trail.
When a playbook fires, ANIE — the Autonomous Network Intelligence Engine — runs a six-layer Claude-powered investigation: context gathering, threat-feed cross-reference, AS reputation lookup, MITRE-technique-match, blackhole gate review, narrative generation. The output is a plain-English incident summary with citations, an enriched 👥 Actors block (Attacker (external) → Your host: X → Y :port PROTO), and a 🎯 Scope tag distinguishing own-network from external IPs. No more “who is the source and who is the target?” Telegram messages.
47 production playbooks live
Each playbook is tied to a specific event_type or composite trigger condition. v4.32.101 additions: cyber-honeypot-hit, port-scan-aggregate, protocol-anomaly-network, IXP-peer-volume-shift, RIB-divergence, ASPA-violation, RPKI-invalid-active, host-reputation-flip, bgp-flap-aggregate, withdraw-storm. Each carries a Suricata SID taxonomy with per-class weighting for severity escalation. Playbook engine lives under /settings/playbooks for operator customization.
Auto-resolution with bulk digest
When an incident class quiets for the configured idle threshold, RoutePulse emits a “Bulk Auto-Resolved” Telegram digest listing every IP cleared, split into Yours: and External: so own-network noise vs. DFZ traffic is obvious at a glance. The operator no longer has to scroll through 200 raw IPs to find the 3 own-network entries.
Composite actor attribution
Every incident embeds role-tagged actor lines based on triggerEvent details: directional attack (src+dst → "Attacker (external) → Your host"), single-host anomaly ("Your host showing the anomaly: X"), one-sided fact (split into own/external label), or volume/composition ("Top contributors (source|destination side)"). Every IP in every actor block is tagged with (yours) for GOLINE prefixes / RFC1918 / loopback / link-local, (external) otherwise.
Key Capabilities
- 47 MITRE ATT&CK Enterprise v15-tagged playbooks live in production with auto-trigger on event_type + composite conditions
- Six-layer Claude-powered investigation engine (ANIE): context, threat-feed, AS-reputation, MITRE-match, blackhole gate, narrative
- Correlated event ingestion from BGP anomalies, 18 ML detectors, Wazuh SIEM, Suricata IDS, FortiGate, 39 threat feeds, AbuseIPDB, Shodan
- WORM audit chain (immutable Postgres + SHA-256 hash chaining) for every incident creation / escalation / resolution / playbook fire
- Auto-resolution Telegram digest split by own-network vs external IPs (own-IP classifier: GOLINE prefixes, RFC1918, loopback, link-local)
- Composite actor attribution with (yours)/(external) tags on every IP in every actor block
- Aggregate-anomaly Actors fallback: explicit “Aggregate-level anomaly” line when no fromIp/toIp/subjectIp can be attributed
- Top-contributors enrichment via follow-up ClickHouse query on the anomalous protocol over the 60s detection window
- Per-incident bulk digest (sendIncidentBulkResolved) with humanized event_type names (cyber_threat_ip_active → “Threat IP Active”)
- Severity rules reserving CRITICAL for AS202032 and own prefixes 185.54.80.0/22; WARNING for generic DFZ anomalies
- Configurable notification routing per playbook: Telegram, email, webhook (with rich attack-context payload for downstream SOAR integration)
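An added example, not RoutePulse code, showing how the own-IP classifier, the role-tagged actor lines and the CRITICAL/WARNING severity gate described above fit together; the event dicts are constructed samples, and the assumption that the CRITICAL gate tests only the announced prefix and ASN (not RFC1918 space, which is still tagged "yours") is mine.

```python
"""Own-IP tagging, actor-line attribution and severity gate modelled on the
Incident Hub description. Added example, not RoutePulse code."""
import ipaddress

OWN_PREFIXES = [ipaddress.ip_network("185.54.80.0/22")]   # own prefix named on the page
OWN_ASN = 202032                                           # AS202032
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_own_prefix(ip: str) -> bool:
    """True only for addresses inside the operator's announced prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_PREFIXES)


def is_own_ip(ip: str) -> bool:
    """(yours) for own prefixes, RFC1918, loopback and link-local; (external) otherwise."""
    addr = ipaddress.ip_address(ip)
    return (in_own_prefix(ip) or addr.is_loopback or addr.is_link_local
            or any(addr in net for net in RFC1918))


def tag(ip: str) -> str:
    return f"{ip} ({'yours' if is_own_ip(ip) else 'external'})"


def actors_block(event: dict) -> str:
    """Pick the actor line from whichever triggerEvent fields are present."""
    src, dst, subj = event.get("fromIp"), event.get("toIp"), event.get("subjectIp")
    if src and dst:   # directional attack: src -> dst with port/protocol
        def role(ip):
            return "Your host" if is_own_ip(ip) else "Attacker (external)"
        port, proto = event.get("port", "?"), event.get("proto", "")
        return f"{role(src)} → {role(dst)}: {tag(src)} → {tag(dst)} :{port} {proto}".rstrip()
    if subj:          # single-host anomaly or one-sided fact, labelled own/external
        label = "Your host showing the anomaly" if is_own_ip(subj) else "External host"
        return f"{label}: {tag(subj)}"
    return "Aggregate-level anomaly: no fromIp/toIp/subjectIp attributable"


def severity(event: dict) -> str:
    """CRITICAL only when AS202032 or an own prefix is involved (assumption: RFC1918
    alone does not qualify); WARNING for generic DFZ anomalies."""
    ips = [event[k] for k in ("fromIp", "toIp", "subjectIp") if event.get(k)]
    if event.get("asn") == OWN_ASN or any(in_own_prefix(ip) for ip in ips):
        return "CRITICAL"
    return "WARNING"


if __name__ == "__main__":   # constructed sample events
    for ev in [{"fromIp": "203.0.113.9", "toIp": "185.54.81.7", "port": 22, "proto": "TCP"},
               {"subjectIp": "198.51.100.4", "asn": 64496}, {}]:
        print(severity(ev), "|", actors_block(ev))
```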
Engineered and operated by the GOLINE SOC & Network Engineering team.