
Dashboard Overview

Seerflow ships with a React dashboard served from the same FastAPI process that runs the ingest pipeline. There is no second uvicorn, no separate frontend deploy — seerflow start boots receivers, detection, correlation, and the dashboard all on one port.

Default widget grid: alert feed, anomaly timeline, entity explorer, event stream

| Surface | URL | Purpose |
| --- | --- | --- |
| Dashboard UI | http://127.0.0.1:8080/ | Customizable widget grid + entity explorer |
| REST API | http://127.0.0.1:8080/api/v1/ | Programmatic access — see REST API |
| WebSocket | ws://127.0.0.1:8080/api/v1/ws | Live event + alert stream — see WebSocket |
| Health probe | http://127.0.0.1:8080/api/v1/health | Liveness + dependency status |

The port is controlled by dashboard_port in seerflow.yaml (default 8080).

The dashboard is a draggable, resizable widget grid powered by react-grid-layout. Each widget connects to the live WebSocket stream and the REST API independently.

Top bar:

  • Wordmark / Home — return to the default widget grid
  • Entity search — fuzzy search across IPs, users, hosts, processes, files, domains; pick a result to open the entity detail view
  • Add widget — drop a new widget onto the grid
  • Reset layout — restore default widget arrangement
  • Sigma rules — open the rule library
  • ATT&CK coverage — open the MITRE technique heatmap
  • Theme toggle — light/dark; preference is persisted in localStorage

A red Disconnected banner appears across the top whenever the WebSocket drops.

| Widget | Shows | Backed by |
| --- | --- | --- |
| Alert Feed | Live alert stream with severity, rule, entities, MITRE tags | WS alert messages + GET /api/v1/alerts backfill |
| Event Stream | Live raw events with template + entities | WS event messages |
| Anomaly Timeline | Anomaly score over time, blended + per-detector | GET /api/v1/anomaly/timeline |
| ATT&CK Heatmap | MITRE technique counts on the canonical 14-tactic grid | GET /api/v1/attack/coverage |
| Entity Explorer | Risk-ranked entities; click through to detail | GET /api/v1/entities/search |
| Sigma Rules | Loaded rule catalog with tactic filters, edit, enable/disable | GET /api/v1/sigma/rules, PATCH /api/v1/sigma/rules/:id |
| Stats Card | Throughput, queue depth, dedup count, model state | GET /api/v1/stats |

Widgets are virtualized (@tanstack/react-virtual) so long feeds stay smooth at 10K+ rows.

Selecting an entity from search, the alert feed, or the explorer opens the entity detail view:

  • Risk-score timeline (decayed per-entity risk over the past 24h)
  • Event timeline grouped by Drain3 template
  • UEBA baseline summary (warm-up status, top templates, source-IP spread)
  • Related entities pulled from the entity graph (igraph / FalkorDB / Postgres+AGE)

Entity selection is reflected in the URL hash, so links can be shared.

Entity detail view: risk sparkline, range/severity/source filters, event timeline, and related-entities panel

The ATT&CK coverage view (top-bar button, or the #coverage hash) opens the MITRE ATT&CK heatmap. Every loaded Sigma rule contributes to one or more (tactic, technique) cells. Hovering a cell lists the rules that map to it; clicking opens a drilldown panel with the matching rules and recent alerts. Uncovered cells show where no rule would fire, which is useful for spotting blind spots before a hunt.

ATT&CK Coverage Matrix with covered techniques highlighted

Click any covered cell to drill in:

ATT&CK technique drilldown panel — rules contributing to the technique and recent alerts in the window

The Sigma Rules page lists every rule loaded by the engine — bundled SigmaHQ rules plus any custom directories from detection.sigma_rules_dirs. Filter by tactic, technique, logsource, or free text. Toggle a rule on/off (changes are persisted) or open the YAML to review the detection condition.

Sigma rules table with severity, logsource, ATT&CK technique, fire counts, and per-rule enable toggles

Click any row to open the detail panel — full YAML in a Monaco editor, 24-hour fire sparkline, severity, logsource, and ATT&CK tags side-by-side:

Sigma rule detail panel: SSH brute force rule with YAML editor, 24h sparkline, ATT&CK technique chip, and lifetime/24h fire counts

The dashboard uses URL hash fragments for shareable views — no server-side routing:

| Hash | View |
| --- | --- |
| (empty) | Default widget grid |
| #coverage | ATT&CK heatmap |
| #sigma-rules | Sigma rules page |
| #entity=<uuid> | Entity detail |

Light and dark themes are both first-class. Toggle from the top bar. The choice is stored in localStorage so it survives reload.

  • The dashboard wheel ships pre-built; no Node toolchain is needed at runtime.
  • Static assets are served by FastAPI from inside the wheel — there is no separate web server to manage.
  • For a hardened deployment, bind the dashboard to a private or loopback address, put nginx or a cloud load balancer in front of it, and expose only the LB. Remember that the same port serves PATCH /api/v1/sigma/rules/:id, which enables and disables detection rules with persistent effect, so treat it as an administrative surface rather than a read-only view.
  • For container runs, override health_bind_address: 0.0.0.0 so the health probe is reachable by orchestrators.
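A reverse proxy for that arrangement, given here as an added example rather than configuration shipped with Seerflow: nginx terminates TLS, forwards to the dashboard on its default 127.0.0.1:8080, upgrades the /api/v1/ws connection so the live stream (and the Disconnected banner) keep working through the proxy, leaves /api/v1/health reachable from the orchestrator network without credentials, and puts HTTP Basic auth in front of everything else, including the Sigma rule PATCH endpoint. The host name, certificate paths, htpasswd file and orchestrator CIDR are placeholders to replace; whatever access control the dashboard itself enforces is unaffected by this layer.

```nginx
# Added example (not part of Seerflow): nginx in front of the dashboard.
# Assumes seerflow listens on 127.0.0.1:8080, the page's default, and that
# this file is included from the http {} block (the map below needs that).

# Translate the client's Upgrade header into the Connection header the
# backend expects; without this the WebSocket handshake fails.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream seerflow_dashboard {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name seerflow.example.internal;              # placeholder host name

    ssl_certificate     /etc/nginx/tls/seerflow.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/seerflow.key;

    # Proxy-level credential check for the whole surface, UI and API alike.
    auth_basic           "Seerflow dashboard";
    auth_basic_user_file /etc/nginx/seerflow.htpasswd;  # placeholder path

    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # Live event + alert stream: HTTP/1.1 plus Upgrade/Connection headers, and
    # a long read timeout so an idle stream is not cut and re-dialled.
    location = /api/v1/ws {
        proxy_pass         http://seerflow_dashboard;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
        proxy_read_timeout 3600s;
    }

    # Liveness probe: orchestrator network only, no credentials required,
    # nothing else on the port is exposed this way.
    location = /api/v1/health {
        auth_basic off;
        allow 10.0.0.0/8;                               # placeholder orchestrator CIDR
        deny  all;
        proxy_pass http://seerflow_dashboard;
    }

    # Widget grid, REST API, and the rule enable/disable PATCH: all behind auth.
    location / {
        proxy_pass http://seerflow_dashboard;
    }
}
```

Keep the dashboard itself on 127.0.0.1 (or another address the LB alone can reach) when you do this; if seerflow stays bound to a routable interface on 8080, the proxy's auth and allow/deny lists can simply be bypassed by connecting to the backend directly.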