Threat Intelligence Feeds
Real-time threat advisory dashboard displaying ingested advisories from multiple security intelligence sources with severity filtering and feed status monitoring.
Complete | Frontend Only | Auto-Refresh 60s
Overview
The Threat Feeds page provides a streamlined operations dashboard for monitoring incoming threat intelligence advisories across all configured feed sources. While the Threat Advisories page focuses on detailed advisory cards with protection mapping, and the Threat Intel Platform provides full IOC management, this page serves as a quick-reference feed monitor for SOC operators.
It displays summary statistics, individual feed source status cards, severity-filtered advisory lists, and auto-refreshes every 60 seconds to maintain real-time visibility.
This page consumes the /api/v1/advisories/stats endpoint from the Threat Advisories backend. It does not have its own dedicated API router.
What Was Proposed
- Operations-focused dashboard for monitoring threat feed health
- Summary statistics: total advisories, breakdown by severity (critical/high/medium/low)
- Feed source status grid showing each source's activity state and advisory count
- Filterable advisory list with severity badges
- Auto-refresh every 60 seconds
- Manual refresh button for on-demand updates
What's Built
Frontend Component Features
- Summary cards showing total advisories and per-severity counts (critical=red, high=orange, medium=yellow, low=blue)
- Feed source grid with 6 feed icons (CISA, MITRE, OTX, Abuse, ET, VT) showing active/disabled status and advisory count per source
- Severity filter bar with pill buttons (All, Critical, High, Medium, Low)
- Advisory list table with columns: Advisory title, CVE badges, Severity badge, Source name, Published date
- Loading spinner during data fetch
- Error banner for API failures
- Auto-refresh via setInterval(fetchData, 60000)
- Consumes /api/v1/advisories/stats endpoint for all data
Data Types
```typescript
interface Advisory {
  id: string;
  title: string;
  severity: string; // critical | high | medium | low
  source: string;
  advisory_type: string;
  published: string;
  description?: string;
  cves?: string[];
  mitre_tactics?: string[];
}

interface FeedStatus {
  name: string;
  enabled: boolean;
  last_refresh?: string;
  advisory_count: number;
}

interface DashboardData {
  total_advisories: number;
  by_severity: Record<string, number>;
  by_type: Record<string, number>;
  feeds: FeedStatus[];
  recent_advisories: Advisory[];
}
```
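An added example, not part of the project's code: TypeScript interfaces are erased at runtime, so `severity: string` and the optional `last_refresh` are not enforced on the /api/v1/advisories/stats response. The code below normalizes severities before filtering and flags enabled feeds whose `last_refresh` is missing or old; the function names, the 15-minute threshold and the sample data are assumptions.

```typescript
type Severity = "critical" | "high" | "medium" | "low";
const SEVERITIES: Severity[] = ["critical", "high", "medium", "low"];
interface Advisory { id: string; title: string; severity: string; source: string; } // subset of the page's fields
interface FeedStatus { name: string; enabled: boolean; last_refresh?: string; advisory_count: number; }

// Map an arbitrary severity value onto the four documented levels, else null.
function normalizeSeverity(value: unknown): Severity | null {
  if (typeof value !== "string") return null;
  const v = value.trim().toLowerCase() as Severity;
  return SEVERITIES.indexOf(v) >= 0 ? v : null;
}

// Severity filter; advisories with an unexpected level go to `unknown` instead of vanishing.
function filterAdvisories(list: Advisory[], wanted: Severity | "all") {
  const shown: Advisory[] = [];
  const unknown: Advisory[] = [];
  for (const a of list) {
    const sev = normalizeSeverity(a.severity);
    if (sev === null) unknown.push(a);
    else if (wanted === "all" || sev === wanted) shown.push(a);
  }
  return { shown, unknown };
}

// Enabled feeds with a missing, unparseable, or too-old last_refresh (maxAgeMs is an assumed threshold).
function staleFeeds(feeds: FeedStatus[], nowMs: number, maxAgeMs: number): string[] {
  return feeds
    .filter((f) => {
      if (!f.enabled) return false;
      const t = f.last_refresh ? Date.parse(f.last_refresh) : NaN;
      return isNaN(t) || nowMs - t > maxAgeMs;
    })
    .map((f) => f.name);
}

// Constructed sample data, shaped like parts of the stats payload.
const NOW = Date.parse("2024-01-01T12:00:00Z");
const sampleFeeds: FeedStatus[] = [
  { name: "cisa_kev", enabled: true, last_refresh: "2024-01-01T11:55:00Z", advisory_count: 12 },
  { name: "alienvault_otx", enabled: true, last_refresh: "2024-01-01T09:00:00Z", advisory_count: 40 },
  { name: "abusech", enabled: true, advisory_count: 0 },
  { name: "virustotal", enabled: false, advisory_count: 0 },
];
const sampleAdvisories: Advisory[] = [
  { id: "a1", title: "Sample advisory one", severity: "Critical", source: "cisa_kev" },
  { id: "a2", title: "Sample advisory two", severity: "high", source: "alienvault_otx" },
  { id: "a3", title: "Sample advisory three", severity: "informational", source: "abusech" },
];
console.log(staleFeeds(sampleFeeds, NOW, 15 * 60 * 1000), filterAdvisories(sampleAdvisories, "critical"));
```

A feed card that reads "active" only reflects the `enabled` flag; the stale list is what tells an operator that an enabled source has stopped delivering.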
Architecture
Data Flow
Frontend Page → GET /api/v1/advisories/stats → Advisories Router → ThreatAdvisoryEngine.get_stats()
This page reuses the backend from the Threat Advisories module. No separate service or router required.
Routing
Frontend Route
/threat-feeds — Standalone Next.js page component.
API Endpoint (consumed)
Prerequisites
- Threat Advisories backend must be running (provides the /api/v1/advisories/stats endpoint)
- Frontend API client configured at @/lib/api-client
- Lucide React icons library for UI icons (Rss, Shield, AlertTriangle, RefreshCw, ExternalLink, Clock, Loader2)
Data Model
No dedicated data model -- this page consumes data from the Threat Advisories backend. See the Threat Advisories documentation for the underlying data model.
Feed Source Icons
| Feed Key | Display Label |
|---|---|
| cisa_kev | CISA |
| mitre_cve | MITRE |
| alienvault_otx | OTX |
| abusech | Abuse |
| emerging_threats | ET |
| virustotal | VT |
UI Description
The frontend at /threat-feeds provides:
- Header -- RSS icon, "Threat Intelligence Feeds" title, source count subtitle, cyan "Refresh Feeds" button
- Summary Cards -- 5-column grid: Total Advisories, Critical (red), High (orange), Medium (yellow), Low (blue) -- each with large numeric counter
- Feed Sources Grid -- 6-column grid of feed status cards, each showing: circular icon with feed abbreviation, feed name, advisory count, active/disabled status badge
- Filter Bar -- Pill-style severity filter buttons with active state highlighting in cyan
- Advisory Table -- Grid-layout table with Advisory title (+ CVE sub-badges), Severity badge (color-coded with border), Source name, Published date with clock icon
- States -- Loading spinner (cyan), error banner (red), empty state for no matching advisories
Design note: This page uses a dark theme (gray-900 background, gray-800 borders) with a cyan (#06b6d4) accent color, in contrast to the white theme used by other pages. This matches the legacy SOC dashboard aesthetic.
Source Files
| Component | Path |
|---|---|
| Frontend Page | platform/frontend/src/app/threat-feeds/page.tsx |
| API (shared) | platform/api/app/routers/advisories.py |
| Service (shared) | platform/api/app/services/threat_advisory_service.py |