{{ pageTitle }}
{{ pageCrumb }}
{{ okCount }}ok {{ warnCount }}warn {{ critCount }}crit
{{ clock }}
{{ clockDate }} UTC
Context {{ c.k }} {{ c.v }} {{ timeRange }} window
Open by severityCases →
{{ s.label }}
{{ s.count }}
Threat activity · {{ timeRange }} ▲ SPIKEThreat intel →
-24h{{ threatTotal }} alertsnow
{{ topThreeTitle }}
{{ t.rank }}
{{ t.name }}
{{ t.meta }}
{{ t.count }}
Cross-Tenant Status · worst-first security posture · web-ops secondary
Site
Status
Incidents
Last det.
Agents
Protection
Uptime·SSL·WAF·Atk
← All tenants
{{ tv.name }}
Grafana org {{ tv.org }} · {{ tv.siteCount }} sites monitored
{{ tv.healthLabel }}
Open org in Grafana ↗
{{ tv.isoNote }}
Client Profile
Organization
{{ r.k }} {{ r.v }}
Authorization
{{ r.k }} {{ r.v }}
Primary contact
Primary Report recipient
{{ tv.primaryName }}
{{ tv.primaryEmail }} {{ tv.primaryPhone }}
Escalation path
{{ tv.escalationPath }}
Sites
← {{ sd.tenantName }}
{{ sd.domain }}
{{ sd.tenantName }} · org {{ sd.org }}
{{ sd.statusLabel }}
{{ p.label }}
Per-site dashboard ↗
{{ s.label }}
{{ s.value }}
{{ s.sub }}
Raw Security Events click a row to investigate
Time
Source
Event
Verdict
Investigate
{{ e.time }}
{{ e.src }}
{{ e.title }}
{{ e.meta }}
{{ e.verdict }}
Explore ↗
Scope
Open in Explore ↗
IOC Matches · our assets ↔ known-badrule.groups:misp_ioc_match
Indicator
Type
Asset
MISP event
Last seen
Action
{{ m.ioc }}
{{ m.type }}
{{ m.tenantName }} · {{ m.asset }}
{{ m.event }}
{{ m.lastSeen }}
Explore
No IOC matches in window — no asset touched a known-bad indicator. ✓
IOC lookup
{{ iocResult.verdict }}{{ iocResult.q }}
{{ iocResult.detail }}
Queries the MISP attributes API — known-bad? which event · seen on which of our assets · suggested action.
Attacker activity · supporting context
Legend blocked challenged allowed / observed
Global Attacker IPs
Source IP
Country
ASN
Hits
Verdict
Action
{{ a.ip }}
{{ a.country }}
{{ a.asn }}
{{ a.hits }}
{{ a.verdict }}
Origin by Country
{{ c.country }}{{ c.count }}
Top MITRE Techniques
{{ t.name }}
{{ t.tactic }}
{{ t.count }}
Detection queue · Wazuh alerts
Open in Explore ↗ (deep-dive in SIEM)
Rule
Level
Tenant · agent
When
Action
{{ a.rule }}
rule {{ a.ruleId }} · {{ a.groups }}
L{{ a.level }}
{{ a.tenantName }} · {{ a.agent }}
{{ a.when }}
Explore
{{ k.label }}
{{ k.value }}
{{ k.sub }}
CVE exposure · wazuh-states-vulnerabilitiesCVE dashboard ↗
Package
CVE
CVSS
Tenant · agent
Fix
{{ v.pkg }}
{{ v.cve }}
{{ v.cvss }}
{{ v.tenantName }} · {{ v.agent }}
{{ v.fix }}
Posture by tenant · Wazuh SCA + framework rule tags
{{ c.tenantName }}org {{ c.org }}
{{ f.name }}{{ f.score }}%
Compliance report ↗
{{ k.label }}
{{ k.value }}
{{ k.sub }}
Per-tenant SLA · MTTA / MTTR vs contractual target
Tenant
MTTA
Target
MTTR
Status
{{ r.tenantName }}
{{ r.mtta }}
{{ r.target }}
{{ r.mttr }}
{{ r.statusLabel }}
Client-facing PDF reports · white-labeled under 365SMG · availability gated by service plan. Open a report to preview, then print to PDF.
Period June 2026
Client
{{ reportSel.plan }} {{ reportSel.availLabel }}
{{ rep.title }} {{ rep.badge }}
{{ rep.cadence }}
Template in build Requires {{ rep.reqPlan }}
Live data seam: reports currently render representative figures. The orchestrator will populate them from Wazuh (detections/agents), Loki + Grafana (WAF/uptime), IRIS (cases), and the vuln feed — see docs/CLIENT_REPORTS.md.
DFIR-IRIS · alerts pushed from the SOC portal → escalate to cases
Ref
Severity
Title / scope
IRIS object
Investigate
{{ c.ref }}
{{ c.sevLabel }}
{{ c.title }}
{{ c.scope }} · {{ c.created }}
{{ c.objLabel }}
{{ c.objSub }}
Open ↗
{{ respGateTitle }}
{{ respGateSub }}
/console reference ↗
{{ k.label }}
{{ k.value }}
{{ k.sub }}
Filter
AUTO → PROPOSE = would auto-contain when armed (near-certain + reversible) · PROPOSE = always needs a human (higher FP) · ♻ Reversible = analyst approve is the 2nd eye · ⚠ Irreversible = needs a named 2nd approver
{{ p.actionIcon }} {{ p.actionLabel }} {{ p.confLabel }} {{ p.revLabel }} {{ p.id }} · {{ p.ago }} ago
{{ p.rule }}
{{ p.tenantName }} · agent {{ p.agent }} ({{ p.host }}){{ p.targetLine }}
{{ p.reason }}
View alert / case ↗
{{ p.resultText }}
{{ p.gateNote }}
No pending proposals — you're clear. ✓
Currently contained — reverse when triage clears. Each reverse runs through respond() and is audited.
{{ c.kindLabel }}{{ c.host }}
{{ c.tenantName }} · {{ c.detail }}
No active containments. Isolated hosts and quarantined files appear here for one-click reversal.
Time
Action
Tenant · agent
Requested by
Approved by
Result
{{ a.at }}
{{ a.actionLabel }}
{{ a.tenantName }} · {{ a.agent }}
{{ a.requester }}
{{ a.approver }}
{{ a.result }}
No actions yet this session. Approvals, dismissals, and reversals are logged here (append-only audit).
Scope
live · updated {{ siemUpdatedAgo }} · auto-refresh 30s
{{ siemHost }}
Open Grafana Explore ↗
{{ h.label }}
{{ h.value }}
{{ h.sub }}
Per-client telemetry · worst first
{{ c.name }}
{{ c.slug }}
Agents
{{ c.agents }}
{{ c.discNote }}
Alerts
{{ c.alerts }} {{ c.trendLabel }}
this window
Critical
{{ c.critical }}
L≥12
Top rule{{ c.topRule }}
Ingest freshness{{ c.fresh }}
Grafana dashboards · {{ launcherCount }} deep-link · no token · Cloudflare Access authenticates you
Live thumbnails need a server-rendered PNG (Grafana image-renderer + Viewer service-account token, proxied by the backend). Preview shows mock charts; deep-links always work.
{{ d.name }}
{{ d.healthLabel }}
{{ d.detail }}
{{ d.iso }}
{{ k.label }}
{{ k.value }}
{{ k.sub }}
Plan catalog · entitlements
{{ p.label }}{{ p.price }}/mo
{{ p.limitsLine }}
{{ ft.sym }}{{ ft.label }}
Tenant subscriptions · usage vs. plan · synced from Zoho
Open Zoho Billing ↗
Tenant
Plan
Usage vs. limits
Invoice
MRR
Actions
{{ b.name }}
{{ b.zohoId }}
{{ b.plan }}
{{ b.addonLine }}
{{ m.label }}{{ m.text }}
{{ b.invLabel }}
auto-suspend pending
{{ b.mrr }}
Zoho ↗
Total MRR
{{ totalMrr }}
Zoho is the billing system of record & customer-facing surface (hosted invoices + client portal). This screen is internal control/visibility only — no card data is handled here. Enforcement: UI upsell → orchestrator gate → provisioning limits → auto-suspend on non-payment. See docs/BILLING_ENTITLEMENTS.md.
!{{ respConfirm.title }}
{{ respConfirm.body }}
On-demand mitigation
POST /ui/respond → respond() gatekeeper (RBAC · tenant scope · four-eyes · audit)
Action
{{ a.icon }}
{{ a.label }}
{{ respActionDesc }} · destructive — four-eyes required
Runs as {{ analystUser }} ({{ analystRole }}) over the reliable manager→agent SSH path. Reversible action; appended to the audit log + IRIS.
Manage subscription · {{ manage.name }}
Pushes to Zoho {{ manage.zohoId }} — PUT /subscriptions (plan) + add-on line items
Plan
{{ p.label }}
{{ p.price }}/mo
Extra services (add-ons)
{{ a.check }}{{ a.label }}
{{ a.price }}
New MRR {{ manage.newMrr }}
Send to DFIR-IRIS
Creates an IRIS alert (POST /api/v2/alerts) via the n8n webhook — escalate to a case in the queue
{{ toast }}
SOC Operations Manual Read-only
Runbooks & references · {{ manualCount }} docs · ▦ opens here · ↗ opens in repo
{{ docViewName }}
{{ docViewPath }}
Read-only
{{ reportTitle }} {{ reportTenantName }}
Send report to client
Deliver {{ sendReportTitle }} for {{ sendTenantName }} to the primary contact:
{{ sendName }}
{{ sendTo }}
A branded PDF is rendered server-side and emailed. The send is logged to the audit trail. (mock — TODO: integrate report delivery)
Edit client profile
Primary contact (intake.contacts · report recipient)
Tenant (intake.tenant)
Delete / offboard tenant
This queues offboarding for {{ deleteName }}: revoke its Grafana org, remove the Wazuh agent group + OpenSearch DLS, and archive the client registry. This is destructive and cannot be undone from here.