Appliance Portal

The Appliance Portal is the primary management UI for CoreDetection. It runs as coredetection-portal.service and proxies engine API calls so you never expose the raw detection API to browsers.

After install, open the Appliance Portal from your server. Default admin: admin@local (change the password under Settings → Users).

Section        | Pages                                        | Purpose
Operations     | Dashboard, Attack History, Traffic Monitor   | Live status, forensic history, flow analytics
Mitigation     | BGP & Mitigation, FlowSpec, Blocklist        | Peers, exporter map, FlowSpec rules, threat feeds
Settings       | Detection, Notifications, System, Expert     | Thresholds, alerts, updates, raw config.ini editor
Administration | Users, License                               | Portal accounts and license activation

Dashboard

The home screen shows engine health, active attack count, 24h/7d totals, peak bandwidth, live attack feed, component status (license, detection, database, BGP, disk, memory), and recent webhook history.

[Figure: Dashboard — live metrics and component health]
[Figure: 24-hour traffic history and top talkers (protocol, AS, country, ports)]

Attack History

Filterable timeline of all attacks stored in the portal database (from engine webhooks). Search by IP or attack ID, filter by period, severity, and mitigation status, and export the results as CSV.

[Figure: Attack History — searchable timeline with severity and mitigation columns]

Attack detail view

Click any attack to open forensic detail: global source map, top source IPs, countries, ASNs, Smart Detection breakdown, flow samples, and mitigation metadata (including which exporter triggered the event and which BGP neighbor was selected).

[Figure: Attack detail — geographic source map and top talkers]

Traffic Monitor & Flow Analysis

Traffic Monitor embeds the flow analytics console (Akvorado-style) for deep drill-down: stacked area charts by SrcAS, time ranges, filter queries like InIfBoundary = external, and dimension breakdowns.

[Figure: Traffic Monitor — flow analytics with SrcAS dimension]

Flow Analysis (dashboard widget) shows live NetFlow ingest metrics: flow rate, current/peak bandwidth, exporter health, and last-seen flow details.

[Figure: Flow Analysis — live ingest metrics and exporter status]

BGP & Mitigation

The BGP & Mitigation page (/bgp) is the control center for peering and selective mitigation:

Tab                          | What you configure
Neighbors                    | Add/edit BGP peers, session state, reset sessions
Exporter map                 | Map NetFlow exporter name/IP → BGP neighbor for selective mitigation
Policy                       | Announce gates (LOW/MEDIUM/HIGH/CRITICAL), communities
Sessions                     | Live session uptime, routes sent/received
Manual / Attack / All routes | View and manage announced routes

See BGP Setup → Exporter map and FlowSpec → Exporter map for how selective export works.

FlowSpec

The FlowSpec page (/flowspec) lets you enable targeted filtering, set default action (drop / rate-limit / accept / redirect / mark), add manual rules, and apply changes to BGP peers without restarting the engine.

  • Automatic attack rules — exported only to neighbors resolved by the exporter map
  • Manual and blocklist rules — exported to all enabled BGP peers

Blocklist

Manage threat feed ingestion and FlowSpec enforcement. Requires FlowSpec enabled on peers. See IP Blocklist guide.

Settings hubs

Hub           | Contains
Detection     | Thresholds, timing, display limits, Smart Detection, trusted ASN/destinations, pseudo-L7
Notifications | Telegram/email alerts, webhooks
System        | Database, Engine API, monitoring, Appliance Update, maintenance, debug
Expert        | Raw config.ini editor with secret masking, engine restart, live logs

Appliance Update

Settings → System → Updates compares installed versions (Detection Engine, Flow Engine, Portal) against latest.json and installs the published bundle with one click. See Installation → Updates.

Config Editor (Expert)

Settings → Expert shows a readable JSON view of the live engine config (secrets redacted). You can also edit config.ini directly, with validation and one-click engine restart.

License

Settings → License displays the Server ID, license upload, and Enable detection button. See Installation → After install.

How the portal talks to the engine

Browser requests go to /api/proxy/… on the portal. The portal injects the engine API key server-side and forwards to localhost:9009/CoreDetection/api/v0/…. This keeps your API key off client machines.
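
The forwarding rule above, as an added Python example (not CoreDetection's own code): it maps a browser request under /api/proxy/ to the engine URL, refuses paths that would leave the engine API prefix, and replaces any browser-supplied credentials with the key held by the portal. The X-API-Key header name and the attacks/123 endpoint are assumptions; the page does not document them.

```python
from urllib.parse import quote, unquote, urlsplit

PROXY_PREFIX = "/api/proxy/"                                  # from the page
ENGINE_BASE = "http://localhost:9009/CoreDetection/api/v0/"   # from the page
KEY_HEADER = "X-API-Key"  # assumption: the engine's real header name is not on the page
# Client headers that must never reach the engine as sent by the browser.
STRIP = {KEY_HEADER.lower(), "authorization", "cookie", "host", "connection"}


class ProxyError(ValueError):
    """Request refused before anything is sent to the engine."""


def build_upstream(url, headers, api_key):
    """Return (engine_url, engine_headers) for a browser request to /api/proxy/..."""
    parts = urlsplit(url)
    if not parts.path.startswith(PROXY_PREFIX):
        raise ProxyError("not a proxy path")
    # Decode once so encoded dot segments (%2e%2e) are judged like literal ones.
    rest = unquote(parts.path[len(PROXY_PREFIX):])
    segments = rest.split("/")
    if any(s in ("", ".", "..") for s in segments) or "\\" in rest or "\x00" in rest:
        raise ProxyError("path would leave the engine API prefix")
    # Re-encode so anything still percent-encoded stays literal at the engine.
    upstream = ENGINE_BASE + quote(rest, safe="/")
    if parts.query:
        upstream += "?" + parts.query
    # Drop browser-supplied credentials, then add the key only the portal holds.
    out = {k: v for k, v in headers.items() if k.lower() not in STRIP}
    out[KEY_HEADER] = api_key
    return upstream, out


if __name__ == "__main__":
    # Constructed sample request; "attacks/123" is a hypothetical endpoint.
    browser = {"Accept": "application/json", "x-api-key": "forged", "Cookie": "sid=1"}
    print(build_upstream("/api/proxy/attacks/123?limit=5", browser, "portal-secret"))
    for bad in ("/api/proxy/../admin", "/api/proxy/%2e%2e/admin", "/api/other/x"):
        try:
            build_upstream(bad, {}, "portal-secret")
        except ProxyError as exc:
            print(bad, "->", exc)
```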