Attack Graph rendered in CNCF Pixie
Visualising reconstructed attack trees
Cutting through the noise to help analysts find attacks faster (25.06.2026)
Funding year 2025 / Project Call #20 / Project ID: 7918 / Project: Sovereign SOC

Time to detection matters in security, and human analysts need tools that let them find the truth fast. This is why we added a new extension that lets analysts query the evidence not only programmatically but also visually.

Alert fatigue is a real problem for human analysts. As shown below, the real "signal" is usually buried in a lot of noise. This article shows how we now have both programmatic and visual means to find potential attacks.

Noise

Many clusters - one central UI

A key reason why we chose CNCF Pixie is its ability to manage a large number of clusters in a single interface. Each cluster specifies which 'group' it belongs to when its local sensors (Pixie Edge Modules, "pem") first connect to the central cockpit instance. The configuration of the auth provider can be provisioned, e.g. via Terraform; an example is available in the source code.

Once both the analyst user and the cluster(s) are authenticated to the same group, the analyst can query all data, whether it is still on the clusters (in memory) or already stored in the forensic database (in Clickhouse). A user may choose to visualize the data ad hoc from a scratch pad, or by using the new built-in widget, which specifically allows edges to be coloured and labelled to suit the needs of a security analyst:

preconfigured security widget
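To make the two points above concrete (the signal buried in noise, and edges carrying a label and a colour for the analyst), here is an added example that is not code from the project or from Pixie: it reconstructs a process tree from constructed spawn and connection events, flags one lineage with an assumed "shell under an inbound-connected parent" rule, prunes every lineage that carries no flagged process, and emits labelled, coloured edges. The event layout, the rule and the colour choices are assumptions.

```python
"""Reconstruct an attack tree from process/network telemetry and prune noise.
Added example; the event tuples are a constructed stand-in, not Pixie's schema."""
from collections import defaultdict

# Constructed process spawn events: (node, pid, ppid, command)
SPAWNS = [
    ("node-a", 100, 1, "nginx"),
    ("node-a", 101, 100, "nginx: worker"),
    ("node-a", 102, 101, "sh -c id"),
    ("node-a", 103, 102, "curl http://198.51.100.9/"),
    ("node-a", 200, 1, "cron"),
    ("node-a", 201, 200, "logrotate"),
    ("node-b", 300, 1, "kubelet"),
]
# Constructed network events: (node, pid, direction, peer)
CONNS = [
    ("node-a", 101, "inbound", "203.0.113.7"),
    ("node-a", 103, "outbound", "198.51.100.9"),
    ("node-b", 300, "outbound", "10.0.0.1"),
]
SHELLS = ("sh", "bash", "dash")  # assumed list of shells the rule looks for


def reconstruct(spawns, conns):
    """Return (flagged keys, edges); an edge is (src, dst, label, colour).
    Process keys are (node, pid); peers are keyed as (node, peer)."""
    parent, cmd, children = {}, {}, defaultdict(list)
    for node, pid, ppid, command in spawns:
        parent[(node, pid)], cmd[(node, pid)] = (node, ppid), command
        children[(node, ppid)].append((node, pid))
    inbound = {(n, p) for n, p, d, _ in conns if d == "inbound"}

    def ancestors(key):  # walk up, yielding only known (observed) processes
        while key in parent and parent[key] in cmd:
            key = parent[key]
            yield key

    # Assumed rule: a shell whose ancestor accepted an outside connection.
    flagged = {k for k, c in cmd.items()
               if c.split()[0] in SHELLS and any(a in inbound for a in ancestors(k))}
    keep = set(flagged)  # keep ancestors and descendants of flagged processes only
    for k in flagged:
        keep.update(ancestors(k))
        stack = [k]
        while stack:
            cur = stack.pop()
            keep.update(children[cur]); stack.extend(children[cur])
    edges = [(parent[k], k, "spawn", "red" if k in flagged else "grey")
             for k in keep if parent[k] in keep]
    for node, pid, direction, peer in conns:
        if (node, pid) in keep:  # connections of pruned branches are dropped too
            src, dst = (((node, peer), (node, pid)) if direction == "inbound"
                        else ((node, pid), (node, peer)))
            edges.append((src, dst, direction, "orange"))
    return flagged, edges
```

Run `reconstruct(SPAWNS, CONNS)`: the cron and kubelet branches disappear, and only the nginx-to-shell-to-curl lineage with its two connections remains for the widget to draw.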

We specifically want to point out that the data is never persisted locally in the UI: it is queried from the external database and rendered. The feature set that extends Pixie with the ability to both write to and read from an external Clickhouse database is a core component of this grant. All credit goes to the Pixie team for their amazing collaboration.

The new feature behind the scenes: the link to the database

The entire architecture of the sovereign SOC critically depends on the ability to both read from and write (safely) to the external database, as the records need to be protected from alteration if there really is an attacker in the system:

High-level schematic overview

Tags:

eBPF digital sovereignty cybersecurity

Constanze Roedig

Constanze is an astrophysicist turned entrepreneur: she spent over 15 years designing and implementing resilient complex systems for finance and government. CS lecturer and key researcher. Created the K8s Stormcenter for Open Threat Intelligence. Her research is on improving security using modern and emerging technologies such as eBPF, WebAssembly and AI. Her vision is to create practical and achievable security implementations usable in defendable systems for a resilient society.
