Unified Threat Intelligence Dashboard

SOC teams typically juggle multiple consoles — one for ML detections, another for threat feed matches, a third for SIEM alerts, and yet another for mitigation status. RoutePulse’s Unified Threat Intelligence Dashboard consolidates all of these into a single 5-tab interface, merging ML detections, cyber events, threat feed matches, and active mitigations into one coherent operational view. With 39 built-in threat feeds, 52,000+ indicators in a Bloom filter delivering sub-microsecond lookups, and bidirectional MISP and Wazuh SIEM integration, your SOC gains a comprehensive threat picture without context-switching between tools. Context-aware severity ensures that outbound C2 traffic is immediately flagged as CRITICAL while inbound scanner traffic is appropriately classified as WARNING.

The dashboard’s 5 tabs provide layered operational depth. The Overview tab presents 10 KPI cards, a 24-hour threat timeline, a live threat scoreboard ranked by severity, and a TI hub. The Detection tab visualizes the 3-stage detection pipeline — Stage 1 fast rules executing in under 1ms, Stage 2 statistical analysis using EMA, Z-score, CUSUM, and Shannon entropy in 10-50ms, and Stage 3 AI classification — with event type breakdowns and EMA baselines. The Feeds tab displays an integration strip for MISP (4,894 events, 9.5M attributes from soc.goline.ch) and Wazuh (295 agents), alongside feed status monitoring, indicator search, and top matched hosts. The Events tab provides distribution charts and a live event feed with expandable rows and category-specific detail panels. The Scoring tab delivers a 5-pillar unified threat scoring visualization with per-host gauges and pipeline summaries. Under the hood, 37 named detection rules cover volumetric DDoS, SYN flood, amplification, port scanning, DNS tunneling, slowloris, and more, while temporal decay with 7-day half-life, multi-feed consensus boost, and campaign fingerprinting (5+ IPs from the same ASN/feed in 1 hour) ensure threat scores reflect current reality.

Key Capabilities

• 5-tab unified SOC dashboard merging ML detections, cyber events, threat feed matches, and mitigations into a single pane of glass
• Overview tab: 10 KPI cards, 24-hour threat timeline, live threat scoreboard ranked by severity, and TI hub
• Detection tab: 3-stage pipeline visualization — fast rules under 1ms, statistical analysis (EMA/Z-score/CUSUM/Shannon entropy) in 10-50ms, AI classification
• Feeds tab: MISP integration (4,894 events, 9.5M attributes) and Wazuh SIEM bidirectional integration (295 agents), feed status monitoring, indicator search
• Events tab: distribution charts with live event feed, expandable rows, and category-specific detail panels
• Scoring tab: 5-pillar unified threat scoring visualization with per-host gauges and pipeline summaries
• 39 built-in threat feeds including Spamhaus DROP/DROPv6/ASN-DROP, Feodo, ThreatFox, URLhaus, FireHOL L1/L2, IPsum, ET Compromised, CISA KEV, and 25+ more
• 52,000+ threat indicators in Bloom filter with sub-microsecond lookup against every flow
• 37 named detection rules spanning volumetric DDoS, SYN flood, amplification, port scanning, DNS tunneling, slowloris, and more
• Temporal decay with 7-day half-life, multi-feed consensus boost, and campaign fingerprinting (5+ IPs from same ASN/feed in 1 hour)
• Context-aware severity: outbound C2 traffic classified as CRITICAL, inbound scanner traffic as WARNING
• Bidirectional Wazuh SIEM integration: syslog export to Wazuh plus OpenSearch alert import

Engineered and operated by the GOLINE SOC & Network Engineering team.