SecPurityAI • Events & Alerts
What do these numbers mean?
Totals: total events stored in Postgres.
Normalized: events that passed parsing and were converted into our ECS-lite JSON (queried via /metrics/summary).
Quarantined: events that failed data-quality checks (kept for review, excluded from analytics).
Stores: live health of backends — PG (Postgres), MinIO (object store for raw/normalized blobs and models), Qdrant (vector search for “similar events”), and Neo4j (graph relations). “ok” = reachable now.
What is “Explore Similar Events”?
Paste an Event ID to find neighbors in vector space (stored in Qdrant). The backend builds a text+tabular embedding and returns the top matches by cosine similarity.
- Limit: number of neighbors to return (1–50).
- Similar button in tables pre-fills the ID for convenience.
Explore Similar Events
Tip: Open any event, then use Similar from the drawer to jump here pre-filled.
Query Events
How to use the Events panel
Filters: free-text search over message, id, and labels. You can also filter by tenant, sensor, and label strings.
Time range: set From / To (browser local time; sent as ISO to the API).
Limit: page size. Use the pager below the table to navigate.
Auto refresh: re-run the query every 5s (handy for live feeds).
Export: downloads the current query as CSV or NDJSON.
Row actions: open details, copy ID, or run a Similar search on the specific event.
| Time | Tenant | Sensor | Message | Labels | ID |
|---|---|---|---|---|---|
Alerts
About Alerts
Severity: CRITICAL/HIGH/MEDIUM/LOW as provided by the sensor (e.g., Suricata/NVD/KEV).
Rule: rule identifier from the source sensor (when available).
Event: the underlying event ID this alert references — open it to inspect the raw payload.
Quick:
- KEV only — filter to Known Exploited Vulnerabilities alerts.
- All — clear alert filters.
- Sync KEV now — pull the latest KEV feed and generate alerts.
| Time | Severity | Tenant | Sensor | Rule | Title | Event |
|---|---|---|---|---|---|---|
Assets
What are Assets?
Assets represent hosts or applications you manage. Use search to filter by vendor/product/hostname.
Columns include: Hostname, IP, Vendor, Product, Version, CPE, Criticality (1–5), and Owner. “Add Example Host” posts a sample asset for demo purposes.
Impacts (CVE ➜ Assets)
About CVE ➜ Asset Impacts
This panel shows matches between vulnerability records (e.g., KEV/NVD) and your assets based on CPE/vendor/product/version.
- CVE — vulnerability identifier (e.g., CVE‑2025‑12345).
- Severity — source-provided rating (if available).
- Match reason — why the asset matched (e.g., CPE alignment or explicit vendor/product hit).
- Event — originating event that led to the mapping (truncated ID; click to open in Events).
Settings & API Key
About API Key
Most API calls (assets, impacts, KEV sync) require an X-API-Key header. Use the field below to store your API key in local storage. This page never transmits your key anywhere except when calling your own API.
Future settings will live here (e.g. default auto-refresh).