
Dashboard Overview

Seerflow ships with a React dashboard served from the same FastAPI process that runs the ingest pipeline. There is no second uvicorn, no separate frontend deploy — seerflow start boots receivers, detection, correlation, and the dashboard all on one port.

Overview screen: KPI strip, event-volume-by-severity chart, recent alerts, and top risk entities

| Surface | URL | Purpose |
| --- | --- | --- |
| Dashboard UI | http://127.0.0.1:8080/ | Sidebar-navigated console — Overview, Alerts, Events, Entities, ATT&CK, Sigma |
| REST API | http://127.0.0.1:8080/api/v1/ | Programmatic access — see REST API |
| WebSocket | ws://127.0.0.1:8080/api/v1/ws | Live event + alert stream — see WebSocket |
| Health probe | http://127.0.0.1:8080/api/v1/health | Liveness + dependency status |

The port is controlled by dashboard_port in seerflow.yaml (default 8080).

The dashboard is a single-page app with a persistent left sidebar and a top bar. The sidebar groups screens into three sections:

| Section | Screens |
| --- | --- |
| Monitor | Overview · Alerts · Events |
| Investigate | Entities · ATT&CK · Hunt |
| Configure | Sigma rules · Receivers · Models · Settings |

The pipeline status (online indicator, uptime, events/sec) sits at the bottom of the sidebar. The top bar carries the breadcrumb, a command search (⌘K), the active time window, the light/dark theme toggle, and the notifications bell.

A red Disconnected banner appears below the top bar whenever the WebSocket drops.

Hunt, Receivers, Models, and Settings are placeholder screens in the current release.

The landing screen is a two-column roll-up of pipeline health:

  • KPI strip — events/sec, active entities, open alerts, and mean ingest latency
  • Event volume by severity — stacked info / warn / critical volume over the recent window
  • Recent alerts — the latest alerts with severity, rule, entity, and risk score
  • Top risk entities — risk-ranked entities for the last 24h

The Alerts screen is a SOC-style triage console. The live alert feed combines the WebSocket alert stream with a GET /api/v1/alerts backfill; around it sit status tabs, severity / type / source / tactic filter chips, a volume strip, and an 8-column triage table. Selecting an alert opens its detail view with contributing events and MITRE context.

The Events screen pairs a live raw event stream (left) with a per-event inspector (right). A client-side query language filters the stream by field, template, entity, or free text.

The Entities screen is an interactive entity graph (Cytoscape). Selecting an entity — from search, an alert, or another node — centres it as the focal node with its related neighbours (users, hosts, IPs, services, processes) drawn around it.

  • Filter by entity type, minimum risk, and time window (15m / 1h / 24h / 7d)
  • Switch layout between force, radial, and hierarchy
  • The right-hand inspector shows the focal entity’s risk, event/neighbour/alert counts, linked alerts, and a recent-event timeline

Entity selection is reflected in the URL hash, so links can be shared.

Entity graph: focal entity with related neighbours, type/risk/time filters, and the entity inspector panel

The ATT&CK screen is the MITRE ATT&CK heatmap — every Sigma rule contributes to one or more (tactic, technique) cells across the canonical 14-tactic grid. Detected techniques are highlighted; hovering a cell lists the rules. Useful for spotting blind spots before a hunt.

ATT&CK coverage heatmap with detected techniques highlighted

Click any covered cell to drill in — the panel shows the rules contributing to the technique and recent alerts in the window:

ATT&CK technique drilldown panel — contributing rules and recent alerts

The Sigma rules screen lists every rule loaded by the engine — bundled SigmaHQ rules plus any custom directories from detection.sigma_rules_dirs. Filter by status, precision, or free text; toggle a rule on/off (changes are persisted).

Sigma rules table with tactic, 24h hit count, and precision

Click any row to open the detail panel — full YAML in a Monaco editor, a 24-hour fire sparkline, severity, logsource, and ATT&CK tags side-by-side:

Sigma rule detail: SSH brute force rule with YAML editor, 24h sparkline, and ATT&CK tags

The dashboard uses URL hash fragments for shareable views — no server-side routing:

| Hash | View |
| --- | --- |
| #/overview (or empty) | Overview |
| #/alerts, #/alerts/<id> | Alert feed / alert detail |
| #/events | Event stream |
| #/entities, #/entities/<uuid> | Entity graph / focal entity |
| #/attack | ATT&CK heatmap |
| #/sigma, #/sigma/<id> | Sigma rules / rule detail |

Legacy deep links (#coverage, #sigma-rules, #entity=<uuid>) are still accepted and normalised to the new format.
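The hash scheme above and the legacy forms it still accepts, as an added example (not Seerflow's own router code): a small parser that turns a location hash into a view plus optional id and rewrites legacy links to the current #/view/<id> shape. The behaviour for an unrecognised view (fall back to Overview) and the rule that only alerts, entities and sigma carry an id are assumptions drawn from the table, not documented behaviour.

```javascript
// Added example, not Seerflow's own code: parse and normalise dashboard hashes.
const VIEWS = new Set(["overview", "alerts", "events", "entities", "attack", "sigma"]);
// Views that take a trailing id segment (#/alerts/<id>, #/entities/<uuid>, #/sigma/<id>).
const VIEWS_WITH_ID = new Set(["alerts", "entities", "sigma"]);
// Legacy deep links still accepted by the dashboard and the view they map to.
const LEGACY_VIEWS = { coverage: "attack", "sigma-rules": "sigma" };

function parseHash(hash) {
  // Accept "#/alerts/42", "#alerts/42", "#/", "#" and "" alike.
  const raw = (hash || "").replace(/^#\/?/, "");
  if (raw === "") return { view: "overview", id: null };

  // Legacy "#entity=<uuid>" form: entity graph centred on that entity.
  if (raw.startsWith("entity=")) {
    const id = raw.slice("entity=".length);
    return { view: "entities", id: id || null };
  }

  const [head, ...rest] = raw.split("/");
  const view = LEGACY_VIEWS[head] || head;
  // Assumption: an unknown view falls back to the landing screen.
  if (!VIEWS.has(view)) return { view: "overview", id: null };

  // Ids are kept verbatim; views without an id segment ignore any trailing path.
  const id = VIEWS_WITH_ID.has(view) && rest.length ? rest.join("/") : null;
  return { view, id };
}

// Canonical form of any accepted hash, e.g. "#coverage" -> "#/attack".
function normaliseHash(hash) {
  const { view, id } = parseHash(hash);
  return id ? `#/${view}/${id}` : `#/${view}`;
}

// In the browser, rewrite a legacy hash in place without adding a history entry.
if (typeof window !== "undefined") {
  window.addEventListener("hashchange", () => {
    const canonical = normaliseHash(window.location.hash);
    if (canonical !== window.location.hash) history.replaceState(null, "", canonical);
  });
}
```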

Light and dark themes are both first-class. Toggle from the top bar. The choice is stored in localStorage so it survives reload.

  • The dashboard wheel ships pre-built; no Node toolchain is needed at runtime.
  • Static assets are served by FastAPI from inside the wheel — there is no separate web server to manage.
  • For a hardened deployment, put nginx or a cloud LB in front and bind dashboard_port to a private address; expose only that LB.
  • For container runs, override health_bind_address: 0.0.0.0 so the health probe is reachable by orchestrators.