chenleiv/signal-forge

GitHub: chenleiv/signal-forge

Stars: 0 | Forks: 0

# SignalForge

A real-time Security Operations Center (SOC) dashboard built with Angular 19 and FastAPI. Simulates live threat intelligence with animated attack maps, analytics charts, incident management, and AI-powered threat analysis.

## Features

- **Live SOC Stream** — real-time threat event feed over WebSocket with severity color coding
- **Analytics Dashboard** — severity distribution, attack types, events-per-minute trend, and top attacking IPs (Apache ECharts)
- **Threat Map** — animated D3.js world map showing attack origin → target lines in real time
- **Threat Intelligence** — IP index with split-view detail panel, MITRE ATT&CK tags, event timeline, and AbuseIPDB enrichment
- **AI Analysis** — per-IP threat summaries generated by Groq (Llama 3.1) displayed inline in the detail panel
- **Incidents** — auto-generated incident log with split-view details, status tracking, and analyst assignment
- **Alerts** — live alert feed with severity filters (Critical / High / Medium / Low) and dismiss functionality
- **Command Console** — terminal panel (toggle with `` ` ``) with commands: `help`, `status`, `block ip`, `unblock ip`, `scan`
- **Authentication** — JWT login with 8-hour session, persistent via localStorage, demo access included
- **Settings** — configurable WebSocket URL, reconnect delay, buffer size, alert thresholds, and analyst profile

## Tech Stack

| Layer | Technology |
|-------|-----------|
| Frontend | Angular 19, standalone components, Signals API |
| Charts | Apache ECharts via ngx-echarts |
| Map | D3.js v7 + topojson-client |
| Backend | FastAPI, WebSockets, uvicorn |
| AI | Groq API — Llama 3.1 8B Instant |
| Threat Intel | AbuseIPDB API (IP reputation enrichment) |
| Auth | JWT via python-jose |
| Styling | SCSS, enterprise dark theme |

## Project Structure

```
signalforge/
├── backend/
│   ├── main.py               # FastAPI — WebSocket, REST, auth, AI, command endpoints
│   └── requirements.txt
└── frontend/
    └── src/app/
        ├── core/
        │   ├── services/     # ThreatStore, Threats, Settings, Auth
        │   └── guards/       # Auth guard (canActivate)
        ├── shared/
        │   └── models/       # TypeScript interfaces
        ├── layout/           # AppLayout shell — sidebar, topbar, command console
        └── features/
            ├── dashboard/        # Live stream, ECharts panels, critical alerts
            ├── threat-map/       # D3 animated world map
            ├── threats/          # IP intelligence — split view (table + detail panel)
            ├── alerts/           # Live alert feed with filters
            ├── incidents/        # Incident management — split view (table + detail panel)
            ├── command-console/  # Terminal overlay
            ├── login/            # JWT login page
            └── settings/         # App configuration
```

## Getting Started

### Prerequisites

- Node.js 18+
- Python 3.9+
- Angular CLI (`npm install -g @angular/cli`)

### Backend

```bash
cd backend
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

# Optional: set API keys for enrichment and AI features
export GROQ_API_KEY=your_key
export ABUSEIPDB_API_KEY=your_key

python3 -m uvicorn main:app --reload
```

Backend runs on `http://localhost:8000`. API docs at `http://localhost:8000/docs`.

### Frontend

```bash
cd frontend
npm install
ng serve
```

App runs on `http://localhost:4200`.

**Demo credentials:** `analyst` / `threatwatcher` — or click **Try Demo** on the login page.

## API Endpoints

| Method | Path | Description |
|--------|------|-------------|
| POST | `/auth/login` | JWT authentication |
| WS | `/ws/threats` | Live threat event stream |
| GET | `/api/stats` | Aggregated chart data |
| GET | `/api/incidents` | Incident list |
| GET | `/api/ip/{ip}/history` | Per-IP event history + AbuseIPDB enrichment |
| GET | `/api/ip/{ip}/ai-summary` | AI-generated threat summary (Groq) |
| POST | `/api/command` | Command console execution |
| GET | `/health` | Health check |

## Architecture

```
Browser
└── Angular 19 (port 4200)
    ├── WebSocket → ws://localhost:8000/ws/threats (live events)
    └── HTTP → /api/*, /auth/* (stats, incidents, AI, auth)

FastAPI (port 8000)
├── WebSocket handler → generates ~1 threat/sec, writes to in-memory store
├── POST /auth/login → issues 8-hour JWT
├── GET /api/stats → aggregates ip_store into chart data
├── GET /api/incidents → last 50 auto-generated incidents
├── GET /api/ip/{ip}/history → per-IP events + AbuseIPDB enrichment
├── GET /api/ip/{ip}/ai-summary → Groq Llama 3.1 threat summary (cached)
└── POST /api/command → executes console commands (block/unblock/scan/status)
```

The frontend uses a central `ThreatStoreService` (Angular signals) as the single source of truth for all HTTP calls and cached state. WebSocket events are pushed into the store, and all components react to signal changes without direct component-to-component communication.
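As an added example (not code from the SignalForge project), this is how the `/api/stats` aggregation described above can be computed from a buffer of threat events into the four chart series the dashboard shows, plus a check of per-IP counts against an alert threshold. The event field names (`ts`, `src_ip`, `severity`, `attack_type`), the sample events and the threshold helper are assumptions; the block uses only the standard library so it runs without FastAPI.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events using RFC 5737 documentation addresses;
# the field names are an assumption, not the project's schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T12:00:05Z", "src_ip": "203.0.113.10", "severity": "critical", "attack_type": "brute_force"},
    {"ts": "2024-05-01T12:00:40Z", "src_ip": "203.0.113.10", "severity": "high", "attack_type": "brute_force"},
    {"ts": "2024-05-01T12:01:02Z", "src_ip": "198.51.100.7", "severity": "medium", "attack_type": "port_scan"},
    {"ts": "2024-05-01T12:01:30Z", "src_ip": "203.0.113.10", "severity": "low", "attack_type": "port_scan"},
    {"ts": "2024-05-01T12:02:15Z", "src_ip": "192.0.2.44", "severity": "high", "attack_type": "sql_injection"},
]

# Fixed order so the severity chart always has all four buckets, even when empty.
SEVERITIES = ("critical", "high", "medium", "low")


def _minute_bucket(ts: str) -> str:
    """Normalise an ISO-8601 timestamp (with trailing Z) to a UTC minute key."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M")


def aggregate_stats(events, top_n=5):
    """Build the chart payload: severity split, attack types, per-minute trend, top source IPs."""
    severity = Counter(e["severity"] for e in events)
    attack_types = Counter(e["attack_type"] for e in events)
    per_minute = Counter(_minute_bucket(e["ts"]) for e in events)
    by_ip = Counter(e["src_ip"] for e in events)
    return {
        "severity_distribution": {s: severity.get(s, 0) for s in SEVERITIES},
        "attack_types": dict(attack_types.most_common()),
        "events_per_minute": [{"minute": m, "count": c} for m, c in sorted(per_minute.items())],
        "top_ips": [{"ip": ip, "count": c} for ip, c in by_ip.most_common(top_n)],
    }


def ips_over_threshold(events, threshold):
    """Source IPs whose event count meets the configured alert threshold (hypothetical helper)."""
    by_ip = Counter(e["src_ip"] for e in events)
    return sorted(ip for ip, c in by_ip.items() if c >= threshold)


if __name__ == "__main__":
    print(aggregate_stats(SAMPLE_EVENTS, top_n=2))
    print(ips_over_threshold(SAMPLE_EVENTS, threshold=2))
```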