Description
Acknowledgements
- I have searched https://github.com/utmstack/UTMStack/issues for past instances of this issue
- I have verified that my UTMStack version is up-to-date
Describe the bug
I'm trying to use a custom provider for the SOC AI integration. The integration config gets accepted and the integration gets enabled, but all attempts to access SOC AI features fail.
Selecting an alert and clicking the SOC AI tab produces the error "Info! The SOC-AI integration did not analyze this alert due to inactivity or a processing error." Going to Log Explorer -> SOC AI always produces the error "Error running query 0.xxx seconds".
I disabled and re-enabled the integration and caught this in the utmstack_backend logs:
{"timestamp":"2025-12-19T19:39:48.861Z","severity":"INFO","msg":"ElasticsearchResource.getIndexProperties: ElasticsearchService.getIndexProperties: Index [soc-ai] not found"}
{"timestamp":"2025-12-19T19:39:49.865Z","severity":"ERROR","msg":"ElasticsearchResource.search: ElasticsearchService.search: OpenSearch.search: Request failed: [index_not_found_exception] no such index [soc-ai]"}
It seems like at least part of the issue is that the SOC-AI index is never created.
Regression Issue
- Select this option if this issue appears to be a regression.
Expected Behavior
The SOC-AI index to be created when enabling the SOC AI integration, SOC AI integration to analyze alerts, and SOC AI logs to be populated in the log explorer.
Current Behavior
The SOC-AI index is never created, SOC AI analysis fails, and SOC AI logs can't be created because there is no index.
Reproduction Steps
For analysis error: Enable the SOC AI integration with a custom provider. Open an alert and click on SOC AI tab.
For log error: Open Log Explorer -> SOC AI.
Possible Solution
SOC-AI index is never created but is needed.
Additional Information/Context
No response
UTMStack Version
v11.1.4-community
Operating System and version
Ubuntu 24.0.4 LTS
Hypervisor and Version | Server Vendor and Model
XCP-NG 8.3 | Dell PowerEdge R730
Browser and version
Edge 139.0.3405.111