ui

compose-overrides/soc-integrator.yml

       - LOG_LEVEL=${LOG_LEVEL:-INFO}
     ports:
       - "${SOC_INTEGRATOR_PORT:-8088}:8080"
+    volumes:
+      - ../scripts:/app/scripts:ro
     depends_on:
       soc-integrator-db:
         condition: service_healthy

progress-update.md

 
 - `GET /docs`
 - `GET /openapi.json`
+
+---
+
+Date: March 4, 2026
+Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)
+
+## Appendix C (C1-C3) Production Log Mapping Update
+
+This update documents production log sources and required fields for Appendix C detections implemented in `soc-integrator`.
+
+### C1. Impossible Travel Detection
+
+- Use case:
+  - `C1-01` Impossible Travel
+- Primary production log sources:
+  - VPN authentication success logs
+  - Active Directory / Windows authentication success logs (`event_id=4624`)
+  - Cloud IdP login success logs (Entra/Okta/Google Workspace)
+- Required normalized fields:
+  - `asset.user`
+  - `network.src_ip`
+  - `timestamp`
+  - login success indicator (`payload.success=true` or equivalent)
+  - geo context (`network.country` and `network.src_lat/src_lon`) or GeoIP enrichment from source IP
+- Detection logic summary:
+  - Compare consecutive successful logins for same user
+  - Calculate distance and travel time
+  - Trigger when computed travel speed exceeds threshold (`c1_max_travel_speed_kmph`)
+
+### C2. Advanced Credential Abuse & Privilege Misuse
+
+- Use cases:
+  - `C2-01` Privileged off-hours login
+  - `C2-02` Dormant account activation
+  - `C2-03` Service account interactive logon
+  - `C2-04` Rapid privilege escalation followed by sensitive access
+- Primary production log sources:
+  - Windows Security logs (`4624`, `4672`, `4728`, `4732`, `5145`)
+  - Linux auth/sudo/PAM logs
+  - VPN/IdP authentication logs
+- Required normalized fields:
+  - `asset.user`, `asset.is_admin`, `asset.is_service`
+  - `payload.logon_type`, `payload.event_id`, `payload.action`, `payload.success`
+  - `network.src_ip`, `network.dst_host`, `network.dst_port`
+  - `timestamp`
+
+### C3. Lateral Movement & Internal Reconnaissance
+
+- Use cases:
+  - `C3-01` Multi-host authentication success burst
+  - `C3-02` SMB/RDP lateral movement burst pattern
+  - `C3-03` Admin account accessing many servers rapidly
+  - `C3-04` Internal scanning/enumeration burst
+- Primary production log sources:
+  - Windows authentication and share access logs
+  - East-west firewall telemetry
+  - IDS/NDR internal movement/scanning alerts
+  - Endpoint network telemetry (e.g., Sysmon network events)
+- Required normalized fields:
+  - `asset.user`, `asset.is_admin`
+  - `network.src_ip`, `network.dst_host`, `network.dst_port`
+  - login success indicator where applicable
+  - `timestamp`
+
+### Minimum Windows Event IDs for Initial Rollout
+
+- `4624` Successful logon
+- `4672` Special privileges assigned to new logon
+- `4728`, `4732` Privileged group membership changes
+- `5145` Detailed file share access
+
+### Implementation Note
+
+- Simulation scripts exist for Appendix C validation and UAT replay:
+  - `scripts/send-wazuh-proposal-appendix-c-events.sh`
+- In production, these simulated events are replaced by actual VPN/AD/cloud/endpoint/network telemetry sources listed above.
+
+### Appendix C Production Data Onboarding Checklist
+
+| Source | Log Path / Channel | Must-Have Fields | Use Cases | Verification Query (Wazuh/Indexer) |
+|---|---|---|---|---|
+| VPN Gateway (FortiGate/SSL-VPN) | Syslog export from firewall/VPN device | `timestamp`, `user`, `src_ip`, `action/result`, `event_id` (if mapped), `country` (optional) | C1, C2 | `full_log:*vpn* AND full_log:*user=*` |
+| Active Directory / Windows DC | Windows Security Event Log (agent/forwarder) | `event_id`, `timestamp`, `user/account`, `src_ip` (where present), `logon_type`, `success/failure` | C1, C2, C3 | `rule.id:* AND (data.win.system.eventID:4624 OR full_log:*event_id=4624*)` |
+| Cloud IdP (Entra/Okta/Google) | API export / SIEM connector -> syslog/json | `user`, `src_ip`, `event_time`, `outcome`, `geo.country` (if available), `app/service` | C1, C2 | `full_log:*source=*idp* OR full_log:*okta* OR full_log:*entra*` |
+| Windows Endpoints/Servers | Wazuh agent + Sysmon/Security logs | `event_id`, `user`, `src_ip`, `dst_host`, `dst_port`, `process/action` | C2, C3 | `full_log:*source=windows* AND rule.id:*` |
+| Linux Servers | auth.log / secure / sudo / sshd | `timestamp`, `user`, `src_ip`, `action`, `success` | C2, C3 | `full_log:*sshd* OR full_log:*sudo*` |
+| East-West Firewall | Internal traffic logs (allow/deny/flow) | `src_ip`, `dst_ip/dst_host`, `dst_port`, `action`, `timestamp` | C3 | `full_log:*src_ip=* AND full_log:*dst_port=*` |
+| IDS/NDR | IDS alerts / network detection logs | `src_ip`, `dst_ip/dst_host`, `dst_port`, `signature/category`, `timestamp` | C3 | `full_log:*scan* OR full_log:*lateral* OR full_log:*enumeration*` |
+
+#### Acceptance Checklist (Per Source)
+
+- Parsing/decoder is stable (no malformed key fields in sampled logs)
+- Required fields are present and normalized into event model used by `soc-integrator`
+- Timestamp format is valid ISO-8601 after normalization
+- Sample events can be found in `wazuh-alerts-*` within expected ingestion latency
+- At least one C-use-case evaluation run confirms source contributes to detection context

soc-integrator/Dockerfile

 WORKDIR /app
 
 COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends bash netcat-openbsd \
+    && rm -rf /var/lib/apt/lists/* \
+    && pip install --no-cache-dir -r requirements.txt
 
 COPY app ./app
 

soc-integrator/app/adapters/geoip.py

 
 
 class GeoIpAdapter:
-    def __init__(self, provider: str = "ip-api", cache_ttl_seconds: int = 21600) -> None:
-        self.provider = provider
+    def __init__(self, provider: str = "ipwhois", cache_ttl_seconds: int = 21600) -> None:
+        normalized = (provider or "").strip().lower()
+        if normalized in {"ipwho.is", "ipwhois"}:
+            normalized = "ipwhois"
+        self.provider = normalized or "ipwhois"
         self.cache_ttl_seconds = max(60, int(cache_ttl_seconds))
         self._cache: dict[str, tuple[float, dict[str, Any]]] = {}
 
             out["cached"] = True
             return out
 
-        if self.provider != "ip-api":
-            return {"ok": False, "country_code": None, "error": f"unsupported_provider:{self.provider}"}
+        if self.provider == "ip-api":
+            url = f"http://ip-api.com/json/{candidate}"
+            params = {"fields": "status,message,countryCode,country,lat,lon,query"}
+            async with httpx.AsyncClient(timeout=8.0) as client:
+                response = await client.get(url, params=params)
+                response.raise_for_status()
+                data = response.json() if response.content else {}
 
-        url = f"http://ip-api.com/json/{candidate}"
-        params = {"fields": "status,message,countryCode,lat,lon,query"}
-        async with httpx.AsyncClient(timeout=8.0) as client:
-            response = await client.get(url, params=params)
-            response.raise_for_status()
-            data = response.json() if response.content else {}
+            if str(data.get("status", "")).lower() != "success":
+                return {
+                    "ok": False,
+                    "country_code": None,
+                    "country_name": None,
+                    "error": str(data.get("message") or "lookup_failed"),
+                    "provider": "ip-api",
+                    "ip": candidate,
+                }
 
-        if str(data.get("status", "")).lower() != "success":
-            return {
-                "ok": False,
-                "country_code": None,
-                "error": str(data.get("message") or "lookup_failed"),
+            result: dict[str, Any] = {
+                "ok": True,
+                "country_code": data.get("countryCode"),
+                "country_name": data.get("country"),
+                "lat": data.get("lat"),
+                "lon": data.get("lon"),
                 "provider": "ip-api",
-                "ip": candidate,
+                "ip": data.get("query", candidate),
+                "cached": False,
             }
+        elif self.provider == "ipwhois":
+            url = f"https://ipwho.is/{candidate}"
+            async with httpx.AsyncClient(timeout=8.0) as client:
+                response = await client.get(url)
+                response.raise_for_status()
+                data = response.json() if response.content else {}
+
+            if not bool(data.get("success", False)):
+                return {
+                    "ok": False,
+                    "country_code": None,
+                    "country_name": None,
+                    "error": str(data.get("message") or "lookup_failed"),
+                    "provider": "ipwho.is",
+                    "ip": candidate,
+                }
+
+            result = {
+                "ok": True,
+                "country_code": data.get("country_code"),
+                "country_name": data.get("country"),
+                "lat": data.get("latitude"),
+                "lon": data.get("longitude"),
+                "provider": "ipwho.is",
+                "ip": data.get("ip", candidate),
+                "cached": False,
+            }
+        else:
+            return {"ok": False, "country_code": None, "country_name": None, "error": f"unsupported_provider:{self.provider}"}
 
-        result: dict[str, Any] = {
-            "ok": True,
-            "country_code": data.get("countryCode"),
-            "lat": data.get("lat"),
-            "lon": data.get("lon"),
-            "provider": "ip-api",
-            "ip": data.get("query", candidate),
-            "cached": False,
-        }
         self._cache[candidate] = (now + self.cache_ttl_seconds, result)
         return result

soc-integrator/app/config.py

     c3_scan_port_threshold: int = 20
     c_detection_create_iris_ticket: bool = True
     c_detection_ticket_cooldown_seconds: int = 900
-    geoip_provider: str = "ip-api"
+    geoip_provider: str = "ipwhois"
     geoip_cache_ttl_seconds: int = 21600
 
     shuffle_base_url: str = "http://shuffle-backend:5001"

soc-integrator/app/main.py

 import asyncio
 import logging
-from datetime import datetime, timezone
+import os
+import re
+import shlex
+import subprocess
+import uuid
+from collections import deque
+from datetime import datetime, timedelta, timezone
 from pathlib import Path
 
 from fastapi import Depends, FastAPI, File, HTTPException, Request, UploadFile
     IrisTicketCreateRequest,
     LogLossCheckRequest,
     LogLossStreamCheck,
+    SimLogRunRequest,
     ShuffleLoginRequest,
     ShuffleProxyRequest,
     TriggerShuffleRequest,
 logger = logging.getLogger(__name__)
 UI_DIR = Path(__file__).resolve().parent / "ui"
 UI_ASSETS_DIR = UI_DIR / "assets"
+SIM_SCRIPTS_DIR = Path("/app/scripts")
+SIM_RUN_LOGS_DIR = Path("/tmp/soc-integrator-sim-logs")
 
 wazuh_adapter = WazuhAdapter(
     base_url=settings.wazuh_base_url,
         "last_result": None,
         "last_ticket_ts_by_key": {},
     }
+    app.state.systems_monitor_state = {
+        "last_ok_at": {},
+    }
+    app.state.sim_runs = {}
+    SIM_RUN_LOGS_DIR.mkdir(parents=True, exist_ok=True)
     if settings.wazuh_auto_sync_enabled:
         app.state.wazuh_auto_sync_task = asyncio.create_task(_wazuh_auto_sync_loop())
         logger.info(
             await ll_task
         except asyncio.CancelledError:
             pass
+    sim_runs = getattr(app.state, "sim_runs", {})
+    for run in sim_runs.values():
+        process = run.get("process")
+        if process and process.poll() is None:
+            process.terminate()
 
 
 @app.get(
     return result, matched, severity, confidence
 
 
+def _extract_first_array(payload: object) -> list[object]:
+    if isinstance(payload, list):
+        return payload
+    if not isinstance(payload, dict):
+        return []
+
+    preferred_keys = [
+        "items",
+        "results",
+        "workflows",
+        "apps",
+        "affected_items",
+        "data",
+    ]
+    for key in preferred_keys:
+        value = payload.get(key)
+        if isinstance(value, list):
+            return value
+
+    for value in payload.values():
+        extracted = _extract_first_array(value)
+        if extracted:
+            return extracted
+    return []
+
+
+SIM_SCRIPT_MAP: dict[str, str] = {
+    "fortigate": "send-wazuh-fortigate-test-events.sh",
+    "endpoint": "send-wazuh-endpoint-agent-test-events.sh",
+    "cisco": "send-wazuh-cisco-test-events.sh",
+    "proposal_required": "send-wazuh-proposal-required-events.sh",
+    "proposal_appendix_b": "send-wazuh-proposal-appendix-b-events.sh",
+    "proposal_appendix_c": "send-wazuh-proposal-appendix-c-events.sh",
+    "wazuh_test": "send-wazuh-test-events.sh",
+}
+
+
+def _build_sim_command(payload: SimLogRunRequest) -> list[str]:
+    script_name = SIM_SCRIPT_MAP[payload.script]
+    script_path = SIM_SCRIPTS_DIR / script_name
+    count = max(1, int(payload.count))
+    delay = max(0.0, float(payload.delay_seconds))
+
+    if payload.script == "endpoint":
+        cmd = [
+            "/bin/bash",
+            str(script_path),
+            payload.target or "all",
+            payload.scenario or "all",
+            str(count),
+            str(delay),
+        ]
+    else:
+        cmd = [
+            "/bin/bash",
+            str(script_path),
+            payload.target or "all",
+            str(count),
+            str(delay),
+        ]
+
+    if payload.forever:
+        cmd.append("--forever")
+    return cmd
+
+
+def _serialize_sim_run(run_id: str, run: dict[str, object]) -> dict[str, object]:
+    process = run.get("process")
+    poll_code = process.poll() if process else None
+    return_code = run.get("return_code")
+    if poll_code is not None and return_code is None:
+        run["return_code"] = poll_code
+        return_code = poll_code
+
+    return {
+        "run_id": run_id,
+        "script": run.get("script"),
+        "target": run.get("target"),
+        "scenario": run.get("scenario"),
+        "count": run.get("count"),
+        "delay_seconds": run.get("delay_seconds"),
+        "forever": run.get("forever"),
+        "pid": run.get("pid"),
+        "cmd": run.get("cmd"),
+        "started_at": run.get("started_at"),
+        "stopped_at": run.get("stopped_at"),
+        "running": bool(process and process.poll() is None),
+        "return_code": return_code,
+        "log_file": run.get("log_file"),
+    }
+
+
+def _tail_log_lines(path: Path, limit: int = 200) -> list[str]:
+    line_limit = max(1, min(int(limit), 1000))
+    lines: deque[str] = deque(maxlen=line_limit)
+    try:
+        with path.open("r", encoding="utf-8", errors="replace") as handle:
+            for line in handle:
+                lines.append(line.rstrip("\n"))
+    except FileNotFoundError:
+        return []
+    return list(lines)
+
+
+def _safe_query_token(value: object) -> str | None:
+    text = str(value or "").strip()
+    if not text:
+        return None
+    if not re.fullmatch(r"[A-Za-z0-9_.:-]+", text):
+        return None
+    return text
+
+
+def _parse_iso_datetime(value: object) -> datetime | None:
+    text = str(value or "").strip()
+    if not text:
+        return None
+    if text.endswith("Z"):
+        text = text[:-1] + "+00:00"
+    try:
+        parsed = datetime.fromisoformat(text)
+    except ValueError:
+        return None
+    if parsed.tzinfo is None:
+        parsed = parsed.replace(tzinfo=timezone.utc)
+    return parsed.astimezone(timezone.utc)
+
+
+def _sim_wazuh_query_clauses(run: dict[str, object]) -> list[str]:
+    script = str(run.get("script") or "").strip().lower()
+    target = str(run.get("target") or "all").strip()
+    scenario = str(run.get("scenario") or "all").strip().lower()
+    target_token = _safe_query_token(target)
+    _ = scenario
+
+    clauses: list[str] = ["(full_log:*soc_mvp_test=true* OR data.soc_mvp_test:true)"]
+    if script == "fortigate":
+        clauses.append(
+            "(full_log:*fortigate* OR full_log:*FGT80F* OR full_log:*FGT60F* OR full_log:*FGT40F* "
+            "OR full_log:*FGT501E* OR data.vendor:fortinet OR data.product:fortigate OR data.source:fortigate)"
+        )
+        if target_token and target_token.lower() != "all":
+            clauses.append(f"(full_log:*{target_token}* OR data.model:{target_token})")
+    elif script == "endpoint":
+        if target_token and target_token.lower() != "all":
+            lowered = target_token.lower()
+            if lowered in {"windows", "win"}:
+                clauses.append(
+                    "(full_log:*source=windows* OR full_log:*source=windows_agent* "
+                    "OR data.source:windows OR data.source:windows_agent OR data.platform:windows)"
+                )
+            elif lowered in {"mac", "macos"}:
+                clauses.append(
+                    "(full_log:*source=mac* OR full_log:*source=mac_agent* "
+                    "OR data.source:mac OR data.source:mac_agent OR data.platform:mac)"
+                )
+            elif lowered == "linux":
+                clauses.append(
+                    "(full_log:*source=linux* OR full_log:*source=linux_agent* "
+                    "OR data.source:linux OR data.source:linux_agent OR data.platform:linux)"
+                )
+            else:
+                clauses.append(f"full_log:*{target_token}*")
+        else:
+            clauses.append(
+                "(full_log:*source=windows* OR full_log:*source=windows_agent* "
+                "OR full_log:*source=mac* OR full_log:*source=mac_agent* "
+                "OR full_log:*source=linux* OR full_log:*source=linux_agent* "
+                "OR data.source:windows OR data.source:windows_agent "
+                "OR data.source:mac OR data.source:mac_agent "
+                "OR data.source:linux OR data.source:linux_agent)"
+            )
+    elif script == "cisco":
+        clauses.append("(full_log:*cisco* OR data.vendor:cisco)")
+        if target_token and target_token.lower() != "all":
+            clauses.append(f"full_log:*{target_token}*")
+    elif script in {"proposal_required", "proposal_appendix_b", "proposal_appendix_c", "wazuh_test"}:
+        clauses.append("(full_log:*soc_mvp_test=true* OR data.soc_mvp_test:true)")
+        if target_token and target_token.lower() != "all":
+            clauses.append(f"full_log:*{target_token}*")
+    else:
+        clauses.append("full_log:*soc_mvp_test=true*")
+
+    return clauses
+
+
+def _extract_wazuh_hits(payload: object) -> list[dict[str, object]]:
+    if not isinstance(payload, dict):
+        return []
+    hits_root = payload.get("hits")
+    if not isinstance(hits_root, dict):
+        return []
+    hits = hits_root.get("hits")
+    if not isinstance(hits, list):
+        return []
+    result: list[dict[str, object]] = []
+    for hit in hits:
+        if isinstance(hit, dict):
+            result.append(hit)
+    return result
+
+
+def _extract_wazuh_event_item(hit: dict[str, object], include_raw: bool) -> dict[str, object]:
+    source = hit.get("_source") if isinstance(hit.get("_source"), dict) else {}
+    source = source if isinstance(source, dict) else {}
+    agent = source.get("agent") if isinstance(source.get("agent"), dict) else {}
+    agent = agent if isinstance(agent, dict) else {}
+    decoder = source.get("decoder") if isinstance(source.get("decoder"), dict) else {}
+    decoder = decoder if isinstance(decoder, dict) else {}
+    data = source.get("data") if isinstance(source.get("data"), dict) else {}
+    data = data if isinstance(data, dict) else {}
+    rule = source.get("rule") if isinstance(source.get("rule"), dict) else {}
+    rule = rule if isinstance(rule, dict) else {}
+
+    item: dict[str, object] = {
+        "@timestamp": source.get("@timestamp") or source.get("timestamp"),
+        "event_id": data.get("event_id") or source.get("id") or hit.get("_id"),
+        "agent_name": agent.get("name"),
+        "agent_id": agent.get("id"),
+        "decoder_name": decoder.get("name"),
+        "source": data.get("source"),
+        "event_type": data.get("event_type"),
+        "severity": data.get("severity"),
+        "rule_id": rule.get("id"),
+        "rule_description": rule.get("description"),
+        "full_log": source.get("full_log"),
+    }
+    if include_raw:
+        item["raw"] = source
+    return item
+
+
+def _extract_wazuh_rule_item(hit: dict[str, object], include_raw: bool) -> dict[str, object] | None:
+    source = hit.get("_source") if isinstance(hit.get("_source"), dict) else {}
+    source = source if isinstance(source, dict) else {}
+    rule = source.get("rule") if isinstance(source.get("rule"), dict) else {}
+    rule = rule if isinstance(rule, dict) else {}
+    rule_id = rule.get("id")
+    if rule_id in {None, ""}:
+        return None
+    agent = source.get("agent") if isinstance(source.get("agent"), dict) else {}
+    agent = agent if isinstance(agent, dict) else {}
+    data = source.get("data") if isinstance(source.get("data"), dict) else {}
+    data = data if isinstance(data, dict) else {}
+
+    item: dict[str, object] = {
+        "@timestamp": source.get("@timestamp") or source.get("timestamp"),
+        "rule_id": rule_id,
+        "rule_level": rule.get("level"),
+        "rule_description": rule.get("description"),
+        "rule_firedtimes": rule.get("firedtimes"),
+        "event_id": data.get("event_id") or source.get("id") or hit.get("_id"),
+        "agent_name": agent.get("name"),
+        "full_log": source.get("full_log"),
+    }
+    if include_raw:
+        item["raw"] = source
+    return item
+
+
 @app.post(
     "/ioc/enrich",
     response_model=ApiResponse,
 
 
 @app.get(
+    "/geoip/{ip}",
+    response_model=ApiResponse,
+    summary="GeoIP lookup",
+    description="Lookup geolocation for a public IP address using configured GeoIP provider.",
+)
+async def geoip_lookup(ip: str) -> ApiResponse:
+    result = await geoip_adapter.lookup(ip)
+    return ApiResponse(data={"geoip": result})
+
+
+@app.get(
     "/sync/wazuh-version",
     response_model=ApiResponse,
     summary="Wazuh version",
     )
 
 
+@app.get(
+    "/monitor/systems",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="Systems monitor overview",
+    description="Unified monitoring snapshot for Wazuh, Shuffle, IRIS, and PagerDuty with pipeline KPIs and recent records.",
+)
+async def monitor_systems(
+    minutes: int = 60,
+    limit: int = 20,
+    include_raw: bool = False,
+) -> ApiResponse:
+    window_minutes = max(1, minutes)
+    row_limit = max(1, limit)
+    now = datetime.now(timezone.utc)
+    since = now - timedelta(minutes=window_minutes)
+    now_iso = now.isoformat()
+
+    dependencies = await mvp_service.dependency_health()
+    monitor_state = getattr(app.state, "systems_monitor_state", {"last_ok_at": {}})
+    last_ok_at_by_key = monitor_state.setdefault("last_ok_at", {})
+
+    # KPI counters from persisted database records in the selected lookback window.
+    alerts_ingested = repo.count_incident_events_since(since=since, source="wazuh")
+    detections_matched = repo.count_c_detection_events_since(since=since)
+    iris_tickets_created = repo.count_incidents_with_iris_since(since=since)
+    pagerduty_escalations_sent = repo.count_escalations_since(since=since, success=True)
+    pagerduty_escalations_failed = repo.count_escalations_since(since=since, success=False)
+
+    wazuh_recent: list[object] = []
+    wazuh_recent_error: str | None = None
+    try:
+        wazuh_resp = await wazuh_adapter.list_manager_logs(limit=row_limit, offset=0, q=None, sort=None)
+        wazuh_recent = _extract_first_array(wazuh_resp)[:row_limit]
+    except Exception as exc:
+        wazuh_recent_error = str(exc)
+
+    shuffle_recent: list[object] = []
+    shuffle_recent_error: str | None = None
+    try:
+        workflows_resp = await shuffle_adapter.list_workflows()
+        workflows = _extract_first_array(workflows_resp)
+        for item in workflows[:row_limit]:
+            if isinstance(item, dict):
+                shuffle_recent.append(
+                    {
+                        "id": item.get("id") or item.get("workflow_id"),
+                        "name": item.get("name") or item.get("workflow", {}).get("name"),
+                        "status": item.get("status"),
+                    }
+                )
+            else:
+                shuffle_recent.append(item)
+    except Exception as exc:
+        shuffle_recent_error = str(exc)
+
+    iris_recent: list[object] = []
+    iris_recent_error: str | None = None
+    try:
+        iris_resp = await iris_adapter.list_cases(limit=row_limit, offset=0)
+        iris_recent = _extract_first_array(iris_resp)[:row_limit]
+    except Exception as exc:
+        iris_recent_error = str(exc)
+
+    pagerduty_recent = repo.list_recent_escalations(limit=row_limit)
+
+    def build_card(
+        label: str,
+        dependency_key: str,
+        recent: list[object],
+        kpis: dict[str, object],
+        extra_error: str | None = None,
+    ) -> dict[str, object]:
+        dep = dependencies.get(dependency_key, {})
+        dep_status = str(dep.get("status") or "down")
+        status = "ok" if dep_status == "up" else "down"
+
+        if dep_status == "up":
+            last_ok_at_by_key[label] = now_iso
+
+        error_parts: list[str] = []
+        if dep.get("error"):
+            error_parts.append(str(dep.get("error")))
+        if extra_error:
+            error_parts.append(extra_error)
+
+        if dep_status == "up" and extra_error:
+            status = "degraded"
+
+        card: dict[str, object] = {
+            "status": status,
+            "latency_ms": dep.get("latency_ms"),
+            "last_ok_at": last_ok_at_by_key.get(label),
+            "last_error": " | ".join(error_parts) if error_parts else None,
+            "kpis": kpis,
+            "recent": recent,
+        }
+        if include_raw:
+            card["raw"] = dep.get("details")
+        return card
+
+    cards = {
+        "wazuh": build_card(
+            label="wazuh",
+            dependency_key="wazuh",
+            recent=wazuh_recent,
+            extra_error=wazuh_recent_error,
+            kpis={
+                "alerts_ingested": alerts_ingested,
+                "recent_rows": len(wazuh_recent),
+            },
+        ),
+        "shuffle": build_card(
+            label="shuffle",
+            dependency_key="shuffle",
+            recent=shuffle_recent,
+            extra_error=shuffle_recent_error,
+            kpis={
+                "recent_workflows": len(shuffle_recent),
+            },
+        ),
+        "iris": build_card(
+            label="iris",
+            dependency_key="iris",
+            recent=iris_recent,
+            extra_error=iris_recent_error,
+            kpis={
+                "tickets_created": iris_tickets_created,
+                "recent_rows": len(iris_recent),
+            },
+        ),
+        "pagerduty": build_card(
+            label="pagerduty",
+            dependency_key="pagerduty_stub",
+            recent=pagerduty_recent,
+            kpis={
+                "escalations_sent": pagerduty_escalations_sent,
+                "escalations_failed": pagerduty_escalations_failed,
+            },
+        ),
+    }
+
+    app.state.systems_monitor_state = monitor_state
+
+    return ApiResponse(
+        data={
+            "generated_at": now_iso,
+            "window_minutes": window_minutes,
+            "cards": cards,
+            "pipeline": {
+                "alerts_ingested": alerts_ingested,
+                "detections_matched": detections_matched,
+                "iris_tickets_created": iris_tickets_created,
+                "pagerduty_escalations_sent": pagerduty_escalations_sent,
+                "pagerduty_escalations_failed": pagerduty_escalations_failed,
+            },
+        }
+    )
+
+
+@app.get(
+    "/sim/logs/runs",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="List simulator runs",
+    description="List active and recent simulator script runs started from soc-integrator.",
+)
+async def sim_logs_runs() -> ApiResponse:
+    sim_runs: dict[str, dict[str, object]] = getattr(app.state, "sim_runs", {})
+    items: list[dict[str, object]] = []
+    for run_id, run in sim_runs.items():
+        serialized = _serialize_sim_run(run_id, run)
+        if (not serialized["running"]) and not run.get("stopped_at"):
+            run["stopped_at"] = datetime.now(timezone.utc).isoformat()
+            serialized["stopped_at"] = run["stopped_at"]
+        items.append(serialized)
+    items.sort(key=lambda x: str(x.get("started_at") or ""), reverse=True)
+    return ApiResponse(data={"items": items})
+
+
+@app.post(
+    "/sim/logs/start",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="Start simulator logs script",
+    description="Start a whitelisted simulator script in background and return run metadata.",
+)
+async def sim_logs_start(payload: SimLogRunRequest) -> ApiResponse:
+    script_name = SIM_SCRIPT_MAP[payload.script]
+    script_path = SIM_SCRIPTS_DIR / script_name
+    if not script_path.exists():
+        raise HTTPException(status_code=400, detail=f"Simulator script not found in container: {script_name}")
+
+    cmd = _build_sim_command(payload)
+    env = dict(os.environ)
+    env.setdefault("WAZUH_SYSLOG_HOST", "wazuh.manager")
+    env.setdefault("WAZUH_SYSLOG_PORT", "514")
+    run_id = str(uuid.uuid4())
+    log_file = SIM_RUN_LOGS_DIR / f"{run_id}.log"
+    log_handle = None
+
+    try:
+        log_handle = log_file.open("ab")
+        process = subprocess.Popen(
+            cmd,
+            cwd=str(SIM_SCRIPTS_DIR),
+            env=env,
+            stdout=log_handle,
+            stderr=subprocess.STDOUT,
+            start_new_session=True,
+        )
+    except Exception as exc:
+        if log_handle:
+            try:
+                log_handle.close()
+            except Exception:
+                pass
+        raise HTTPException(status_code=502, detail=f"Failed to start simulator: {exc}") from exc
+    finally:
+        if log_handle:
+            log_handle.close()
+    sim_runs: dict[str, dict[str, object]] = getattr(app.state, "sim_runs", {})
+    sim_runs[run_id] = {
+        "script": payload.script,
+        "target": payload.target,
+        "scenario": payload.scenario,
+        "count": payload.count,
+        "delay_seconds": payload.delay_seconds,
+        "forever": payload.forever,
+        "pid": process.pid,
+        "cmd": " ".join(shlex.quote(part) for part in cmd),
+        "started_at": datetime.now(timezone.utc).isoformat(),
+        "stopped_at": None,
+        "return_code": None,
+        "log_file": str(log_file),
+        "process": process,
+    }
+    app.state.sim_runs = sim_runs
+    return ApiResponse(data={"run": _serialize_sim_run(run_id, sim_runs[run_id])})
+
+
+@app.post(
+    "/sim/logs/stop/{run_id}",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="Stop simulator run",
+    description="Stop a running simulator script by run_id.",
+)
+async def sim_logs_stop(run_id: str) -> ApiResponse:
+    sim_runs: dict[str, dict[str, object]] = getattr(app.state, "sim_runs", {})
+    run = sim_runs.get(run_id)
+    if not run:
+        raise HTTPException(status_code=404, detail=f"Run not found: {run_id}")
+
+    process = run.get("process")
+    if process and process.poll() is None:
+        try:
+            process.terminate()
+            process.wait(timeout=3)
+        except subprocess.TimeoutExpired:
+            process.kill()
+        except Exception as exc:
+            raise HTTPException(status_code=502, detail=f"Failed to stop run: {exc}") from exc
+
+    run["stopped_at"] = datetime.now(timezone.utc).isoformat()
+    return ApiResponse(data={"run": _serialize_sim_run(run_id, run)})
+
+
+@app.post(
+    "/sim/logs/stop-running",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="Stop all running simulator runs",
+    description="Stop all currently running simulator scripts (including forever mode).",
+)
+async def sim_logs_stop_running() -> ApiResponse:
+    sim_runs: dict[str, dict[str, object]] = getattr(app.state, "sim_runs", {})
+    stopped: list[dict[str, object]] = []
+    already_stopped = 0
+
+    for run_id, run in sim_runs.items():
+        process = run.get("process")
+        if process and process.poll() is None:
+            try:
+                process.terminate()
+                process.wait(timeout=3)
+            except subprocess.TimeoutExpired:
+                process.kill()
+            except Exception as exc:
+                raise HTTPException(status_code=502, detail=f"Failed to stop run {run_id}: {exc}") from exc
+            run["stopped_at"] = datetime.now(timezone.utc).isoformat()
+            stopped.append(_serialize_sim_run(run_id, run))
+        else:
+            already_stopped += 1
+
+    return ApiResponse(
+        data={
+            "stopped_count": len(stopped),
+            "already_stopped_count": already_stopped,
+            "runs": stopped,
+        }
+    )
+
+
+@app.get(
+    "/sim/logs/output/{run_id}",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="Get simulator run output",
+    description="Return tailed output lines from simulator run log file.",
+)
+async def sim_logs_output(run_id: str, limit: int = 200) -> ApiResponse:
+    sim_runs: dict[str, dict[str, object]] = getattr(app.state, "sim_runs", {})
+    run = sim_runs.get(run_id)
+    if not run:
+        raise HTTPException(status_code=404, detail=f"Run not found: {run_id}")
+
+    log_file_path = run.get("log_file")
+    if not log_file_path:
+        raise HTTPException(status_code=404, detail=f"No log file for run: {run_id}")
+
+    log_file = Path(str(log_file_path))
+    lines = _tail_log_lines(log_file, limit=limit)
+    process = run.get("process")
+    running = bool(process and process.poll() is None)
+    return ApiResponse(
+        data={
+            "run_id": run_id,
+            "running": running,
+            "line_count": len(lines),
+            "lines": lines,
+            "text": "\n".join(lines),
+            "log_file": str(log_file),
+        }
+    )
+
+
+@app.get(
+    "/sim/logs/wazuh-latest/{run_id}",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="Get latest Wazuh logs/rules for simulator run",
+    description="Return latest Wazuh event logs and matched rules correlated to a simulator run.",
+)
+async def sim_logs_wazuh_latest(
+    run_id: str,
+    limit: int = 50,
+    minutes: int = 15,
+    include_raw: bool = False,
+) -> ApiResponse:
+    sim_runs: dict[str, dict[str, object]] = getattr(app.state, "sim_runs", {})
+    run = sim_runs.get(run_id)
+    if not run:
+        raise HTTPException(status_code=404, detail=f"Run not found: {run_id}")
+
+    requested_minutes = max(1, int(minutes))
+    # Keep query unfiltered and use a wide lookback to emulate Discover "latest records".
+    effective_minutes = max(1440, requested_minutes)
+    query_limit = max(1, min(int(limit), 200))
+    query_text = "*"
+
+    try:
+        raw = await wazuh_adapter.search_alerts(
+            query=query_text,
+            limit=query_limit,
+            minutes=effective_minutes,
+        )
+    except Exception as exc:
+        raise HTTPException(status_code=502, detail=f"Wazuh search failed: {exc}") from exc
+
+    hits = _extract_wazuh_hits(raw)
+    events = [_extract_wazuh_event_item(hit, include_raw=include_raw) for hit in hits]
+    rules: list[dict[str, object]] = []
+    for hit in hits:
+        rule_item = _extract_wazuh_rule_item(hit, include_raw=include_raw)
+        if rule_item:
+            rules.append(rule_item)
+
+    return ApiResponse(
+        data={
+            "run": _serialize_sim_run(run_id, run),
+            "query": {
+                "effective_minutes": effective_minutes,
+                "text": query_text,
+                "limit": query_limit,
+            },
+            "events": events,
+            "rules": rules,
+            "totals": {
+                "events": len(events),
+                "rules": len(rules),
+            },
+        }
+    )
+
+
 @app.post(
     "/monitor/log-loss/check",
     response_model=ApiResponse,

soc-integrator/app/models.py

     limit: int = Field(default=200, description="Maximum events fetched from Wazuh indexer.", examples=[200])
 
 
+class SimLogRunRequest(BaseModel):
+    model_config = ConfigDict(
+        json_schema_extra={
+            "example": {
+                "script": "fortigate",
+                "target": "all",
+                "scenario": "all",
+                "count": 1,
+                "delay_seconds": 0.3,
+                "forever": False,
+            }
+        }
+    )
+
+    script: Literal[
+        "fortigate",
+        "endpoint",
+        "cisco",
+        "proposal_required",
+        "proposal_appendix_b",
+        "proposal_appendix_c",
+        "wazuh_test",
+    ] = Field(description="Whitelisted simulator script key.", examples=["fortigate"])
+    target: str = Field(default="all", description="Primary selector/model/platform for the script.", examples=["all"])
+    scenario: str = Field(default="all", description="Secondary selector used by endpoint simulator.", examples=["process"])
+    count: int = Field(default=1, description="Number of iterations for non-forever mode.", examples=[1])
+    delay_seconds: float = Field(default=0.3, description="Delay between iterations.", examples=[0.3])
+    forever: bool = Field(default=False, description="Run continuously until stopped.", examples=[False])
+
+
 class ApiResponse(BaseModel):
     ok: bool = True
     message: str = "ok"

soc-integrator/app/repositories/mvp_repo.py

 
 
 class MvpRepository:
+    def count_incident_events_since(self, since: datetime, source: str | None = None) -> int:
+        with get_conn() as conn, conn.cursor() as cur:
+            if source:
+                cur.execute(
+                    """
+                    SELECT COUNT(*) AS cnt
+                    FROM incident_events
+                    WHERE created_at >= %s
+                      AND source = %s
+                    """,
+                    (since, source),
+                )
+            else:
+                cur.execute(
+                    """
+                    SELECT COUNT(*) AS cnt
+                    FROM incident_events
+                    WHERE created_at >= %s
+                    """,
+                    (since,),
+                )
+            row = cur.fetchone() or {}
+            return int(row.get("cnt", 0) or 0)
+
+    def count_incidents_with_iris_since(self, since: datetime) -> int:
+        with get_conn() as conn, conn.cursor() as cur:
+            cur.execute(
+                """
+                SELECT COUNT(*) AS cnt
+                FROM incident_index
+                WHERE first_seen >= %s
+                  AND iris_case_id IS NOT NULL
+                  AND iris_case_id <> ''
+                """,
+                (since,),
+            )
+            row = cur.fetchone() or {}
+            return int(row.get("cnt", 0) or 0)
+
+    def count_escalations_since(self, since: datetime, success: bool | None = None) -> int:
+        with get_conn() as conn, conn.cursor() as cur:
+            if success is None:
+                cur.execute(
+                    """
+                    SELECT COUNT(*) AS cnt
+                    FROM escalation_audit
+                    WHERE attempted_at >= %s
+                    """,
+                    (since,),
+                )
+            else:
+                cur.execute(
+                    """
+                    SELECT COUNT(*) AS cnt
+                    FROM escalation_audit
+                    WHERE attempted_at >= %s
+                      AND success = %s
+                    """,
+                    (since, success),
+                )
+            row = cur.fetchone() or {}
+            return int(row.get("cnt", 0) or 0)
+
+    def count_c_detection_events_since(self, since: datetime) -> int:
+        with get_conn() as conn, conn.cursor() as cur:
+            cur.execute(
+                """
+                SELECT COUNT(*) AS cnt
+                FROM c_detection_events
+                WHERE matched_at >= %s
+                """,
+                (since,),
+            )
+            row = cur.fetchone() or {}
+            return int(row.get("cnt", 0) or 0)
+
+    def list_recent_escalations(self, limit: int = 20) -> list[dict[str, Any]]:
+        with get_conn() as conn, conn.cursor() as cur:
+            cur.execute(
+                """
+                SELECT id, incident_key, attempted_at, status_code, success, response_excerpt
+                FROM escalation_audit
+                ORDER BY attempted_at DESC
+                LIMIT %s
+                """,
+                (max(1, limit),),
+            )
+            return [dict(row) for row in cur.fetchall()]
+
     def has_event(self, source: str, event_id: str) -> bool:
         with get_conn() as conn, conn.cursor() as cur:
             cur.execute(

soc-integrator/app/ui/assets/app.js

   return {
     tabs: [
       { key: "overview", label: "Overview" },
+      { key: "systems", label: "Systems" },
       { key: "monitoring", label: "Monitoring" },
       { key: "ioc", label: "IOC" },
+      { key: "geoip", label: "GeoIP" },
       { key: "iris", label: "IRIS" },
       { key: "shuffle", label: "Shuffle" },
       { key: "wazuh", label: "Wazuh" },
     ],
     activeTab: "overview",
     apiBase: window.location.origin,
-    internalApiKey: "",
+    internalApiKey: "dev-internal-key",
     errorMessage: "",
 
     overview: { health: null, autoSync: null },
+    systemsMonitor: {
+      data: null,
+      loading: false,
+      autoRefresh: true,
+      paused: false,
+      intervalSeconds: 20,
+      minutes: 60,
+      limit: 20,
+      lastRefreshAt: null,
+      timerId: null,
+    },
+    simLogs: {
+      runs: null,
+      startResult: null,
+      selectedRunId: "",
+      output: null,
+      outputLimit: 200,
+      autoRefresh: true,
+      intervalSeconds: 3,
+      timerId: null,
+      form: {
+        script: "fortigate",
+        target: "all",
+        scenario: "all",
+        count: 1,
+        delay_seconds: 0.3,
+        forever: false,
+      },
+    },
+    simWazuh: {
+      latest: null,
+      limit: 100,
+      autoRefresh: true,
+      showQuery: false,
+    },
+    systemsCardMeta: [
+      { key: "wazuh", label: "Wazuh" },
+      { key: "shuffle", label: "Shuffle" },
+      { key: "iris", label: "IRIS" },
+      { key: "pagerduty", label: "PagerDuty" },
+    ],
 
     logLoss: { result: null },
     cDetections: { state: null, evaluate: null, history: null },
 
     ioc: { enrich: null, evaluate: null, history: null, upload: null, analysis: null, fileEval: null },
+    geoip: { ip: "8.8.8.8", result: null },
     iris: { create: null, list: null },
     shuffle: { status: null, catalog: null, execute: null },
     wazuh: { status: null, list: null, sync: null },
       this.loadHealth();
       this.loadAutoSync();
       this.loadCState();
+      this.loadSystemsMonitor();
+      this.loadSimRuns();
+      this.startSimLogsAutoRefresh();
+      this.startSystemsMonitorAutoRefresh();
       this.loadOpenApiSpec();
     },
 
+    simScriptUsesScenario() {
+      return this.simLogs.form.script === "endpoint";
+    },
+
+    systemsStatusClass(status) {
+      if (status === "ok") {
+        return "status-ok";
+      }
+      if (status === "degraded") {
+        return "status-warn";
+      }
+      return "status-down";
+    },
+
+    systemsCards() {
+      const root = this.unwrapApiData(this.systemsMonitor.data) || {};
+      return root.cards || {};
+    },
+
+    systemsCard(key) {
+      const cards = this.systemsCards();
+      return cards[key] || {};
+    },
+
+    systemsRecentRows(key) {
+      const recent = this.systemsCard(key).recent;
+      if (!Array.isArray(recent)) {
+        return [];
+      }
+      return recent.map((row, index) => this.normalizeTableRow(row, index));
+    },
+
+    systemsRecentColumns(key) {
+      return this.tableColumns(this.systemsRecentRows(key));
+    },
+
+    systemsPipelineRows() {
+      const root = this.unwrapApiData(this.systemsMonitor.data) || {};
+      const pipeline = root.pipeline || {};
+      return Object.entries(pipeline).map(([key, value]) => ({ key, value: this.cellText(value) }));
+    },
+
+    systemsSetAutoRefresh(enabled) {
+      this.systemsMonitor.autoRefresh = Boolean(enabled);
+      this.startSystemsMonitorAutoRefresh();
+    },
+
+    systemsTogglePaused() {
+      this.systemsMonitor.paused = !this.systemsMonitor.paused;
+    },
+
+    systemsSetInterval(seconds) {
+      const parsed = Number(seconds || 20);
+      this.systemsMonitor.intervalSeconds = parsed > 0 ? parsed : 20;
+      this.startSystemsMonitorAutoRefresh();
+    },
+
+    stopSystemsMonitorAutoRefresh() {
+      if (this.systemsMonitor.timerId) {
+        clearInterval(this.systemsMonitor.timerId);
+        this.systemsMonitor.timerId = null;
+      }
+    },
+
+    startSystemsMonitorAutoRefresh() {
+      this.stopSystemsMonitorAutoRefresh();
+      if (!this.systemsMonitor.autoRefresh) {
+        return;
+      }
+      this.systemsMonitor.timerId = setInterval(() => {
+        if (!this.systemsMonitor.paused) {
+          this.loadSystemsMonitor();
+        }
+      }, Math.max(5, Number(this.systemsMonitor.intervalSeconds || 20)) * 1000);
+    },
+
+    async loadSystemsMonitor() {
+      try {
+        if (!this.internalApiKey) {
+          return;
+        }
+        this.systemsMonitor.loading = true;
+        const params = new URLSearchParams({
+          minutes: String(Math.max(1, Number(this.systemsMonitor.minutes || 60))),
+          limit: String(Math.max(1, Number(this.systemsMonitor.limit || 20))),
+        });
+        this.systemsMonitor.data = await this.apiCall(`/monitor/systems?${params.toString()}`, {
+          internal: true,
+        });
+        this.systemsMonitor.lastRefreshAt = new Date().toISOString();
+      } catch (err) {
+        this.setErr("Systems monitor failed", err);
+      } finally {
+        this.systemsMonitor.loading = false;
+      }
+    },
+
+    async loadSimRuns() {
+      try {
+        if (!this.internalApiKey) {
+          return;
+        }
+        this.simLogs.runs = await this.apiCall("/sim/logs/runs", { internal: true });
+        const rows = this.extractRows(this.simLogs.runs);
+        if (!this.simLogs.selectedRunId && rows.length) {
+          this.simLogs.selectedRunId = rows[0].run_id || "";
+          if (this.simLogs.selectedRunId) {
+            await this.loadSimWazuhLatest(this.simLogs.selectedRunId);
+          }
+        }
+      } catch (err) {
+        this.setErr("Load sim runs failed", err);
+      }
+    },
+
+    async startSimRun() {
+      try {
+        const payload = {
+          script: this.simLogs.form.script,
+          target: this.simLogs.form.target || "all",
+          scenario: this.simLogs.form.scenario || "all",
+          count: Number(this.simLogs.form.count || 1),
+          delay_seconds: Number(this.simLogs.form.delay_seconds || 0.3),
+          forever: Boolean(this.simLogs.form.forever),
+        };
+        this.simLogs.startResult = await this.apiCall("/sim/logs/start", {
+          method: "POST",
+          internal: true,
+          json: payload,
+        });
+        await this.loadSimRuns();
+        const started = this.unwrapApiData(this.simLogs.startResult)?.run;
+        if (started && started.run_id) {
+          this.simLogs.selectedRunId = started.run_id;
+          await this.loadSimOutput(started.run_id);
+          await this.loadSimWazuhLatest(started.run_id);
+        }
+      } catch (err) {
+        this.setErr("Start sim run failed", err);
+      }
+    },
+
+    async stopSimRun(runId) {
+      try {
+        await this.apiCall(`/sim/logs/stop/${encodeURIComponent(runId)}`, {
+          method: "POST",
+          internal: true,
+        });
+        await this.loadSimRuns();
+        if (this.simLogs.selectedRunId === runId) {
+          await this.loadSimOutput(runId);
+          await this.loadSimWazuhLatest(runId);
+        }
+      } catch (err) {
+        this.setErr("Stop sim run failed", err);
+      }
+    },
+
+    async stopRunningSimRuns() {
+      try {
+        await this.apiCall("/sim/logs/stop-running", {
+          method: "POST",
+          internal: true,
+        });
+        await this.loadSimRuns();
+        if (this.simLogs.selectedRunId) {
+          await this.loadSimOutput(this.simLogs.selectedRunId);
+          await this.loadSimWazuhLatest(this.simLogs.selectedRunId);
+        }
+      } catch (err) {
+        this.setErr("Stop running sim runs failed", err);
+      }
+    },
+
+    simRunRows() {
+      return this.extractRows(this.simLogs.runs);
+    },
+
+    selectSimRun(runId) {
+      this.simLogs.selectedRunId = runId || "";
+      this.loadSimOutput(this.simLogs.selectedRunId);
+      this.loadSimWazuhLatest(this.simLogs.selectedRunId);
+    },
+
+    simSelectedRun() {
+      const rows = this.simRunRows();
+      return rows.find((row) => row.run_id === this.simLogs.selectedRunId) || null;
+    },
+
+    stopSimLogsAutoRefresh() {
+      if (this.simLogs.timerId) {
+        clearInterval(this.simLogs.timerId);
+        this.simLogs.timerId = null;
+      }
+    },
+
+    startSimLogsAutoRefresh() {
+      this.stopSimLogsAutoRefresh();
+      if (!this.simLogs.autoRefresh) {
+        return;
+      }
+      this.simLogs.timerId = setInterval(async () => {
+        if (this.activeTab !== "systems") {
+          return;
+        }
+        try {
+          await this.loadSimRuns();
+          if (this.simLogs.selectedRunId) {
+            await this.loadSimOutput(this.simLogs.selectedRunId);
+            await this.loadSimWazuhLatest(this.simLogs.selectedRunId);
+          }
+        } catch (_err) {
+          // per-request error is already handled by each loader
+        }
+      }, 5000);
+    },
+
+    async loadSimOutput(runId = "") {
+      const selectedRunId = runId || this.simLogs.selectedRunId;
+      if (!selectedRunId) {
+        this.simLogs.output = null;
+        return;
+      }
+      try {
+        const limit = Math.max(10, Number(this.simLogs.outputLimit || 200));
+        this.simLogs.output = await this.apiCall(
+          `/sim/logs/output/${encodeURIComponent(selectedRunId)}?limit=${limit}`,
+          { internal: true },
+        );
+      } catch (err) {
+        this.setErr("Load sim output failed", err);
+      }
+    },
+
+    async loadSimWazuhLatest(runId = "") {
+      const selectedRunId = runId || this.simLogs.selectedRunId;
+      if (!selectedRunId) {
+        this.simWazuh.latest = null;
+        return;
+      }
+      try {
+        const limit = 100;
+        this.simWazuh.latest = await this.apiCall(
+          `/sim/logs/wazuh-latest/${encodeURIComponent(selectedRunId)}?limit=${limit}&minutes=1440&include_raw=true`,
+          { internal: true },
+        );
+      } catch (err) {
+        this.setErr("Load sim Wazuh latest failed", err);
+      }
+    },
+
+    simWazuhEventsRows() {
+      const root = this.unwrapApiData(this.simWazuh.latest) || {};
+      const events = Array.isArray(root.events) ? root.events : [];
+      return events.map((row, index) => this.normalizeTableRow(row, index));
+    },
+
+    simWazuhRulesRows() {
+      const root = this.unwrapApiData(this.simWazuh.latest) || {};
+      const rules = Array.isArray(root.rules) ? root.rules : [];
+      return rules.map((row, index) => this.normalizeTableRow(row, index));
+    },
+
+    simWazuhEventTableRows() {
+      return this.simWazuhEventsRows().map((row) => ({
+        time: row["@timestamp"] || row.timestamp || "",
+        rule_id: row.rule_id || row.rule?.id || "",
+        rule_description: row.rule_description || row.rule?.description || "",
+        full_log: row.full_log || "",
+      }));
+    },
+
+    parseFullLog(fullLog) {
+      const text = String(fullLog || "").trim();
+      if (!text) {
+        return {};
+      }
+      const parsed = {};
+      const regex = /([A-Za-z0-9_.-]+)=("([^"]*)"|[^\s]+)/g;
+      let match = null;
+      while ((match = regex.exec(text)) !== null) {
+        const key = match[1];
+        let value = match[3] !== undefined ? match[3] : match[2];
+        if (value === "true") {
+          value = true;
+        } else if (value === "false") {
+          value = false;
+        } else if (/^-?\d+$/.test(value)) {
+          value = Number(value);
+        } else if (/^-?\d+\.\d+$/.test(value)) {
+          value = Number(value);
+        }
+        parsed[key] = value;
+      }
+      if (Object.keys(parsed).length === 0) {
+        return { message: text };
+      }
+      return parsed;
+    },
+
+    fullLogAsJsonText(fullLog) {
+      return JSON.stringify(this.parseFullLog(fullLog), null, 2);
+    },
+
     pretty(value) {
       if (value === null || value === undefined) {
         return "No data yet";
       }
     },
 
+    unwrapApiData(payload) {
+      if (payload && typeof payload === "object" && !Array.isArray(payload) && Object.prototype.hasOwnProperty.call(payload, "data")) {
+        return payload.data;
+      }
+      return payload;
+    },
+
+    findFirstArray(node, depth = 0) {
+      if (depth > 5 || node === null || node === undefined) {
+        return null;
+      }
+      if (Array.isArray(node)) {
+        return node;
+      }
+      if (typeof node !== "object") {
+        return null;
+      }
+
+      const preferredKeys = ["items", "matches", "results", "alerts", "agents", "workflows", "apps", "rows", "data"];
+      for (const key of preferredKeys) {
+        if (Array.isArray(node[key])) {
+          return node[key];
+        }
+      }
+
+      for (const value of Object.values(node)) {
+        const found = this.findFirstArray(value, depth + 1);
+        if (found) {
+          return found;
+        }
+      }
+      return null;
+    },
+
+    normalizeTableRow(row, index) {
+      if (row && typeof row === "object" && !Array.isArray(row)) {
+        return row;
+      }
+      return { row: index + 1, value: row };
+    },
+
+    extractRows(payload) {
+      const root = this.unwrapApiData(payload);
+      const rows = this.findFirstArray(root) || [];
+      return rows.map((row, index) => this.normalizeTableRow(row, index));
+    },
+
+    tableColumns(rows) {
+      const colSet = new Set();
+      const sample = rows.slice(0, 30);
+      for (const row of sample) {
+        if (!row || typeof row !== "object" || Array.isArray(row)) {
+          continue;
+        }
+        for (const key of Object.keys(row)) {
+          if (colSet.size >= 10) {
+            break;
+          }
+          colSet.add(key);
+        }
+        if (colSet.size >= 10) {
+          break;
+        }
+      }
+      return Array.from(colSet);
+    },
+
+    cellText(value) {
+      if (value === null || value === undefined) {
+        return "";
+      }
+      if (typeof value === "string") {
+        return value;
+      }
+      if (typeof value === "number" || typeof value === "boolean") {
+        return String(value);
+      }
+      return JSON.stringify(value);
+    },
+
+    keyValueRows(payload) {
+      const root = this.unwrapApiData(payload);
+      if (!root || typeof root !== "object" || Array.isArray(root)) {
+        return [];
+      }
+      return Object.entries(root).map(([key, value]) => ({
+        key,
+        value: this.cellText(value),
+      }));
+    },
+
     providersList() {
       return (this.iocForm.providersText || "")
         .split(",")
         this.setErr("IOC history failed", err);
       }
     },
+    async lookupGeoIp() {
+      try {
+        const ip = String(this.geoip.ip || "").trim();
+        if (!ip) {
+          throw new Error("IP is required");
+        }
+        this.geoip.result = await this.apiCall(`/geoip/${encodeURIComponent(ip)}`);
+      } catch (err) {
+        this.setErr("GeoIP lookup failed", err);
+      }
+    },
     onFileSelected(event) {
       const files = event && event.target ? event.target.files : null;
       this.iocFileForm.file = files && files.length ? files[0] : null;

soc-integrator/app/ui/assets/styles.css

   background: rgb(255 247 237);
 }
 
+.status-down {
+  border-color: rgb(254 202 202);
+  color: rgb(153 27 27);
+  background: rgb(254 242 242);
+}
+
 .input-label {
   display: block;
   margin-bottom: 0.25rem;
   line-height: 1.1rem;
   color: rgb(30 41 59);
 }
+
+.table-wrap {
+  overflow: auto;
+  border: 1px solid rgb(226 232 240);
+  border-radius: 0.55rem;
+  background: white;
+  max-width: 100%;
+}
+
+.data-table {
+  width: max-content;
+  min-width: 100%;
+  border-collapse: collapse;
+  font-size: 0.72rem;
+  line-height: 1rem;
+}
+
+.data-table th,
+.data-table td {
+  border-bottom: 1px solid rgb(226 232 240);
+  text-align: left;
+  vertical-align: top;
+  padding: 0.4rem 0.5rem;
+  white-space: pre-wrap;
+  word-break: break-word;
+}
+
+.data-table th {
+  background: rgb(248 250 252);
+  font-weight: 600;
+  color: rgb(30 41 59);
+  position: sticky;
+  top: 0;
+}

soc-integrator/app/ui/index.html

     <title>SOC Integrator Admin</title>
     <script src="https://cdn.tailwindcss.com"></script>
     <script defer src="https://cdn.jsdelivr.net/npm/alpinejs@3.x.x/dist/cdn.min.js"></script>
-    <link rel="stylesheet" href="/ui/assets/styles.css?v=20260303-3" />
-    <script src="/ui/assets/app.js?v=20260303-3"></script>
+    <link rel="stylesheet" href="/ui/assets/styles.css?v=20260303-17" />
+    <script src="/ui/assets/app.js?v=20260303-17"></script>
   </head>
   <body class="bg-slate-100 text-slate-800" x-data="socUi()" x-init="init()">
-    <div class="mx-auto max-w-7xl px-3 py-4 md:px-5 md:py-6">
+    <div class="mx-auto w-full max-w-none px-3 py-4 md:px-5 md:py-6">
       <header class="admin-card mb-4">
         <div class="flex flex-col gap-3 md:flex-row md:items-center md:justify-between">
           <div>
         <strong>Error:</strong> <span x-text="errorMessage"></span>
       </section>
 
-      <div class="grid gap-4 md:grid-cols-[220px,1fr]">
+      <div class="grid gap-4 lg:grid-cols-[200px,minmax(0,1fr)]">
         <aside class="admin-card h-fit p-2">
           <nav class="flex flex-row gap-2 overflow-x-auto md:flex-col md:overflow-visible">
             <template x-for="item in tabs" :key="item.key">
           </nav>
         </aside>
 
-        <main class="space-y-4">
+        <main class="min-w-0 space-y-4">
           <section x-show="activeTab === 'overview'" x-cloak class="admin-card">
             <div class="action-row">
               <button class="btn btn-primary" @click="loadHealth()">Refresh Health</button>
               <div class="panel-block">
                 <h3 class="panel-subtitle">Health</h3>
                 <pre class="json-box" x-text="pretty(overview.health)"></pre>
+                <div class="table-wrap mt-2" x-show="keyValueRows(overview.health).length">
+                  <table class="data-table">
+                    <thead><tr><th>Field</th><th>Value</th></tr></thead>
+                    <tbody>
+                      <template x-for="row in keyValueRows(overview.health)" :key="row.key">
+                        <tr><td x-text="row.key"></td><td x-text="row.value"></td></tr>
+                      </template>
+                    </tbody>
+                  </table>
+                </div>
               </div>
               <div class="panel-block">
                 <h3 class="panel-subtitle">Auto Sync</h3>
                 <pre class="json-box" x-text="pretty(overview.autoSync)"></pre>
+                <div class="table-wrap mt-2" x-show="keyValueRows(overview.autoSync).length">
+                  <table class="data-table">
+                    <thead><tr><th>Field</th><th>Value</th></tr></thead>
+                    <tbody>
+                      <template x-for="row in keyValueRows(overview.autoSync)" :key="row.key">
+                        <tr><td x-text="row.key"></td><td x-text="row.value"></td></tr>
+                      </template>
+                    </tbody>
+                  </table>
+                </div>
               </div>
             </div>
           </section>
 
+          <section x-show="activeTab === 'systems'" x-cloak class="admin-card space-y-4">
+            <div class="panel-block">
+              <div class="mb-2 flex flex-wrap items-center gap-2">
+                <h3 class="panel-subtitle mb-0">Systems Monitor</h3>
+                <button class="btn btn-primary" @click="loadSystemsMonitor()">Refresh Now</button>
+                <button class="btn btn-ghost" @click="systemsTogglePaused()" x-text="systemsMonitor.paused ? 'Resume' : 'Pause'"></button>
+                <span class="text-xs text-slate-500" x-text="systemsMonitor.loading ? 'Loading...' : 'Idle'"></span>
+                <span class="text-xs text-slate-500" x-text="systemsMonitor.lastRefreshAt ? `Last refresh: ${systemsMonitor.lastRefreshAt}` : 'Not refreshed yet'"></span>
+              </div>
+            <div class="grid gap-3 md:grid-cols-4">
+                <label class="text-sm">
+                  <span class="input-label">Minutes</span>
+                  <input class="input" type="number" min="1" x-model.number="systemsMonitor.minutes" />
+                </label>
+                <label class="text-sm">
+                  <span class="input-label">Limit</span>
+                  <input class="input" type="number" min="1" x-model.number="systemsMonitor.limit" />
+                </label>
+                <label class="text-sm">
+                  <span class="input-label">Auto refresh</span>
+                  <select class="input" :value="systemsMonitor.autoRefresh ? 'true' : 'false'" @change="systemsSetAutoRefresh($event.target.value === 'true')">
+                    <option value="true">true</option>
+                    <option value="false">false</option>
+                  </select>
+                </label>
+                <label class="text-sm">
+                  <span class="input-label">Interval (seconds)</span>
+                  <select class="input" :value="String(systemsMonitor.intervalSeconds)" @change="systemsSetInterval($event.target.value)">
+                    <option value="10">10</option>
+                    <option value="20">20</option>
+                    <option value="30">30</option>
+                  </select>
+                </label>
+              </div>
+            </div>
+
+            <div class="panel-block">
+              <h3 class="panel-subtitle">Run Sim Logs</h3>
+              <div class="grid gap-3 md:grid-cols-3 lg:grid-cols-6">
+                <label class="text-sm">
+                  <span class="input-label">Script</span>
+                  <select class="input" x-model="simLogs.form.script">
+                    <option value="fortigate">fortigate</option>
+                    <option value="endpoint">endpoint</option>
+                    <option value="cisco">cisco</option>
+                    <option value="proposal_required">proposal_required</option>
+                    <option value="proposal_appendix_b">proposal_appendix_b</option>
+                    <option value="proposal_appendix_c">proposal_appendix_c</option>
+                    <option value="wazuh_test">wazuh_test</option>
+                  </select>
+                </label>
+                <label class="text-sm">
+                  <span class="input-label">Target</span>
+                  <input class="input" x-model="simLogs.form.target" placeholder="all" />
+                </label>
+                <label class="text-sm" x-show="simScriptUsesScenario()">
+                  <span class="input-label">Scenario</span>
+                  <input class="input" x-model="simLogs.form.scenario" placeholder="all" />
+                </label>
+                <label class="text-sm">
+                  <span class="input-label">Count</span>
+                  <input class="input" type="number" min="1" x-model.number="simLogs.form.count" />
+                </label>
+                <label class="text-sm">
+                  <span class="input-label">Delay (s)</span>
+                  <input class="input" type="number" min="0" step="0.1" x-model.number="simLogs.form.delay_seconds" />
+                </label>
+                <label class="text-sm">
+                  <span class="input-label">Forever</span>
+                  <select class="input" x-model="simLogs.form.forever">
+                    <option :value="false">false</option>
+                    <option :value="true">true</option>
+                  </select>
+                </label>
+              </div>
+              <div class="action-row mt-2">
+                <button class="btn btn-primary" @click="startSimRun()">Start</button>
+                <button class="btn btn-neutral" @click="loadSimRuns()">Refresh Runs</button>
+                <button class="btn btn-danger" @click="stopRunningSimRuns()">Stop Running</button>
+                <button class="btn btn-ghost" @click="loadSimOutput()">Refresh Logs</button>
+              </div>
+              <pre class="json-box mt-2" x-text="pretty(simLogs.startResult)"></pre>
+              <div class="table-wrap mt-2" x-show="simRunRows().length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in tableColumns(simRunRows())" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                      <th>Logs</th>
+                      <th>Action</th>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in simRunRows()" :key="idx">
+                      <tr>
+                        <template x-for="col in tableColumns(simRunRows())" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                        <td>
+                          <button class="btn btn-ghost" @click="selectSimRun(row.run_id)">View</button>
+                        </td>
+                        <td>
+                          <button class="btn btn-danger" x-show="row.running" @click="stopSimRun(row.run_id)">Stop</button>
+                        </td>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
+              <div class="mt-3 rounded-lg border border-slate-200 bg-white p-3" x-show="simLogs.selectedRunId">
+                <div class="mb-2 flex flex-wrap items-center gap-2">
+                  <h4 class="panel-mini-title mb-0">Run Output</h4>
+                  <span class="text-xs text-slate-600" x-text="`run_id: ${simLogs.selectedRunId}`"></span>
+                  <span class="status-pill" :class="simSelectedRun() && simSelectedRun().running ? 'status-ok' : 'status-warn'" x-text="simSelectedRun() && simSelectedRun().running ? 'running' : 'stopped'"></span>
+                </div>
+                <div class="grid gap-3 md:grid-cols-3">
+                  <label class="text-sm">
+                    <span class="input-label">Tail lines</span>
+                    <input class="input" type="number" min="10" max="1000" x-model.number="simLogs.outputLimit" />
+                  </label>
+                  <label class="text-sm">
+                    <span class="input-label">Auto refresh logs</span>
+                    <select class="input" x-model="simLogs.autoRefresh" @change="startSimLogsAutoRefresh()">
+                      <option :value="true">true</option>
+                      <option :value="false">false</option>
+                    </select>
+                  </label>
+                  <label class="text-sm">
+                    <span class="input-label">Interval (seconds)</span>
+                    <input class="input" type="number" min="2" max="60" x-model.number="simLogs.intervalSeconds" @change="startSimLogsAutoRefresh()" />
+                  </label>
+                </div>
+                <pre class="json-box mt-2" x-text="unwrapApiData(simLogs.output)?.text || 'No logs yet'"></pre>
+              </div>
+
+              <div class="mt-3 rounded-lg border border-slate-200 bg-white p-3" x-show="simLogs.selectedRunId">
+                <div class="mb-2 flex flex-wrap items-center gap-2">
+                  <h4 class="panel-mini-title mb-0">Wazuh Live Correlation</h4>
+                  <span class="text-xs text-slate-600" x-text="`run_id: ${simLogs.selectedRunId}`"></span>
+                  <span class="status-pill status-ok">auto refresh every 5s</span>
+                </div>
+                <div class="grid gap-3 md:grid-cols-2">
+                  <div class="text-sm">
+                    <span class="input-label">Records</span>
+                    <div class="input">Latest 100 (no filter)</div>
+                  </div>
+                  <div class="action-row mt-6">
+                    <button class="btn btn-neutral" @click="loadSimWazuhLatest()">Refresh Wazuh</button>
+                  </div>
+                </div>
+                <div class="mt-2">
+                  <label class="text-sm inline-flex items-center gap-2">
+                    <input type="checkbox" x-model="simWazuh.showQuery" />
+                    <span>Show query used</span>
+                  </label>
+                </div>
+                <pre class="json-box mt-2" x-show="simWazuh.showQuery" x-text="pretty(unwrapApiData(simWazuh.latest)?.query || null)"></pre>
+                <div class="mt-2">
+                  <div>
+                    <h5 class="panel-mini-title">Latest Event Logs</h5>
+                    <div class="table-wrap mt-2" x-show="simWazuhEventTableRows().length">
+                      <table class="data-table">
+                        <thead>
+                          <tr>
+                            <th>Time</th>
+                            <th>rule.id</th>
+                            <th>rule.description</th>
+                            <th>full_log</th>
+                          </tr>
+                        </thead>
+                        <tbody>
+                          <template x-for="(row, idx) in simWazuhEventTableRows()" :key="idx">
+                            <tr>
+                              <td x-text="cellText(row.time)"></td>
+                              <td x-text="cellText(row.rule_id)"></td>
+                              <td x-text="cellText(row.rule_description)"></td>
+                              <td><pre class="text-xs whitespace-pre-wrap" x-text="fullLogAsJsonText(row.full_log)"></pre></td>
+                            </tr>
+                          </template>
+                        </tbody>
+                      </table>
+                    </div>
+                    <div class="text-xs text-slate-500" x-show="!simWazuhEventTableRows().length">No events found for selected run yet.</div>
+                  </div>
+                </div>
+              </div>
+            </div>
+
+            <div class="grid gap-3 lg:grid-cols-4">
+              <template x-for="meta in systemsCardMeta" :key="meta.key">
+                <div class="panel-block">
+                  <div class="mb-2 flex items-center justify-between">
+                    <h4 class="panel-mini-title" x-text="meta.label"></h4>
+                    <span class="status-pill" :class="systemsStatusClass(systemsCard(meta.key).status || 'down')" x-text="systemsCard(meta.key).status || 'down'"></span>
+                  </div>
+                  <div class="text-xs text-slate-600">Latency: <span x-text="cellText(systemsCard(meta.key).latency_ms)"></span> ms</div>
+                  <div class="text-xs text-slate-600">Last OK: <span x-text="cellText(systemsCard(meta.key).last_ok_at)"></span></div>
+                  <div class="mt-1 text-xs text-rose-700" x-show="systemsCard(meta.key).last_error" x-text="`Error: ${systemsCard(meta.key).last_error}`"></div>
+                </div>
+              </template>
+            </div>
+
+            <div class="panel-block">
+              <h3 class="panel-subtitle">Incident Pipeline KPIs</h3>
+              <div class="table-wrap mt-2" x-show="systemsPipelineRows().length">
+                <table class="data-table">
+                  <thead><tr><th>KPI</th><th>Value</th></tr></thead>
+                  <tbody>
+                    <template x-for="row in systemsPipelineRows()" :key="row.key">
+                      <tr><td x-text="row.key"></td><td x-text="row.value"></td></tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
+            </div>
+
+            <div class="grid gap-3 lg:grid-cols-2">
+              <template x-for="meta in systemsCardMeta" :key="`table-${meta.key}`">
+                <div class="panel-block">
+                  <h3 class="panel-subtitle" x-text="`${meta.label} Recent Data`"></h3>
+                  <div class="table-wrap mt-2" x-show="systemsRecentRows(meta.key).length">
+                    <table class="data-table">
+                      <thead>
+                        <tr>
+                          <template x-for="col in systemsRecentColumns(meta.key)" :key="col">
+                            <th x-text="col"></th>
+                          </template>
+                        </tr>
+                      </thead>
+                      <tbody>
+                        <template x-for="(row, idx) in systemsRecentRows(meta.key)" :key="idx">
+                          <tr>
+                            <template x-for="col in systemsRecentColumns(meta.key)" :key="col">
+                              <td x-text="cellText(row[col])"></td>
+                            </template>
+                          </tr>
+                        </template>
+                      </tbody>
+                    </table>
+                  </div>
+                  <div class="text-xs text-slate-500" x-show="!systemsRecentRows(meta.key).length">No recent rows</div>
+                </div>
+              </template>
+            </div>
+          </section>
+
           <section x-show="activeTab === 'monitoring'" x-cloak class="admin-card space-y-4">
             <div class="panel-block">
               <div class="mb-2 flex flex-wrap items-center gap-2">
                 <button class="btn btn-primary" @click="runLogLossCheck()">Run Check</button>
               </div>
               <pre class="json-box mt-2" x-text="pretty(logLoss.result)"></pre>
+              <div class="table-wrap mt-2" x-show="extractRows(logLoss.result).length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in tableColumns(extractRows(logLoss.result))" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in extractRows(logLoss.result)" :key="idx">
+                      <tr>
+                        <template x-for="col in tableColumns(extractRows(logLoss.result))" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
             </div>
 
             <div class="panel-block">
                 <div><h4 class="panel-mini-title">Evaluate</h4><pre class="json-box" x-text="pretty(cDetections.evaluate)"></pre></div>
                 <div><h4 class="panel-mini-title">History</h4><pre class="json-box" x-text="pretty(cDetections.history)"></pre></div>
               </div>
+              <div class="table-wrap mt-2" x-show="extractRows(cDetections.evaluate).length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in tableColumns(extractRows(cDetections.evaluate))" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in extractRows(cDetections.evaluate)" :key="idx">
+                      <tr>
+                        <template x-for="col in tableColumns(extractRows(cDetections.evaluate))" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
+              <div class="table-wrap mt-2" x-show="extractRows(cDetections.history).length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in tableColumns(extractRows(cDetections.history))" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in extractRows(cDetections.history)" :key="idx">
+                      <tr>
+                        <template x-for="col in tableColumns(extractRows(cDetections.history))" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
             </div>
           </section>
 
                 <div><h4 class="panel-mini-title">Evaluate</h4><pre class="json-box" x-text="pretty(ioc.evaluate)"></pre></div>
                 <div><h4 class="panel-mini-title">History</h4><pre class="json-box" x-text="pretty(ioc.history)"></pre></div>
               </div>
+              <div class="table-wrap mt-2" x-show="extractRows(ioc.history).length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in tableColumns(extractRows(ioc.history))" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in extractRows(ioc.history)" :key="idx">
+                      <tr>
+                        <template x-for="col in tableColumns(extractRows(ioc.history))" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
             </div>
 
             <div class="panel-block">
                 <div><h4 class="panel-mini-title">Analysis</h4><pre class="json-box" x-text="pretty(ioc.analysis)"></pre></div>
                 <div><h4 class="panel-mini-title">Evaluate File</h4><pre class="json-box" x-text="pretty(ioc.fileEval)"></pre></div>
               </div>
+              <div class="table-wrap mt-2" x-show="extractRows(ioc.analysis).length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in tableColumns(extractRows(ioc.analysis))" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in extractRows(ioc.analysis)" :key="idx">
+                      <tr>
+                        <template x-for="col in tableColumns(extractRows(ioc.analysis))" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
+            </div>
+          </section>
+
+          <section x-show="activeTab === 'geoip'" x-cloak class="admin-card space-y-4">
+            <div class="panel-block">
+              <h3 class="panel-subtitle">GeoIP Lookup</h3>
+              <div class="grid gap-3 md:grid-cols-3">
+                <label class="text-sm md:col-span-2">
+                  <span class="input-label">IP Address</span>
+                  <input x-model="geoip.ip" class="input" placeholder="8.8.8.8" />
+                </label>
+                <div class="action-row mt-6">
+                  <button class="btn btn-primary" @click="lookupGeoIp()">Lookup</button>
+                </div>
+              </div>
+              <pre class="json-box mt-2" x-text="pretty(geoip.result)"></pre>
+              <div class="table-wrap mt-2" x-show="keyValueRows(unwrapApiData(geoip.result)?.geoip || {}).length">
+                <table class="data-table">
+                  <thead><tr><th>Field</th><th>Value</th></tr></thead>
+                  <tbody>
+                    <template x-for="row in keyValueRows(unwrapApiData(geoip.result)?.geoip || {})" :key="row.key">
+                      <tr><td x-text="row.key"></td><td x-text="row.value"></td></tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
             </div>
           </section>
 
                 <button class="btn btn-neutral" @click="loadIrisTickets()">Load</button>
               </div>
               <pre class="json-box" x-text="pretty(iris.list)"></pre>
+              <div class="table-wrap mt-2" x-show="extractRows(iris.list).length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in tableColumns(extractRows(iris.list))" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in extractRows(iris.list)" :key="idx">
+                      <tr>
+                        <template x-for="col in tableColumns(extractRows(iris.list))" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
             </div>
           </section>
 
                 <div><h4 class="panel-mini-title">Health/Auth</h4><pre class="json-box" x-text="pretty(shuffle.status)"></pre></div>
                 <div><h4 class="panel-mini-title">Apps/Workflows</h4><pre class="json-box" x-text="pretty(shuffle.catalog)"></pre></div>
               </div>
+              <div class="table-wrap mt-2" x-show="extractRows(shuffle.catalog).length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in tableColumns(extractRows(shuffle.catalog))" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in extractRows(shuffle.catalog)" :key="idx">
+                      <tr>
+                        <template x-for="col in tableColumns(extractRows(shuffle.catalog))" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
             </div>
             <div class="panel-block">
               <h3 class="panel-subtitle">Execute Workflow</h3>
               </div>
               <label class="text-sm mt-2 block"><span class="input-label">Query (alerts/logs)</span><input x-model="wazuhList.q" class="input" placeholder="optional q" /></label>
               <pre class="json-box mt-2" x-text="pretty(wazuh.list)"></pre>
+              <div class="table-wrap mt-2" x-show="extractRows(wazuh.list).length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in tableColumns(extractRows(wazuh.list))" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in extractRows(wazuh.list)" :key="idx">
+                      <tr>
+                        <template x-for="col in tableColumns(extractRows(wazuh.list))" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
             </div>
             <div class="panel-block">
               <h3 class="panel-subtitle">Sync Wazuh to MVP</h3>
               </div>
               <label class="text-sm block"><span class="input-label">Policy JSON</span><textarea x-model="mvp.policyText" rows="6" class="input code-input"></textarea></label>
               <pre class="json-box mt-2" x-text="pretty(mvp.status)"></pre>
+              <div class="table-wrap mt-2" x-show="keyValueRows(mvp.status).length">
+                <table class="data-table">
+                  <thead><tr><th>Field</th><th>Value</th></tr></thead>
+                  <tbody>
+                    <template x-for="row in keyValueRows(mvp.status)" :key="row.key">
+                      <tr><td x-text="row.key"></td><td x-text="row.value"></td></tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
             </div>
 
             <div class="panel-block">
               <label class="text-sm block mt-2"><span class="input-label">Body (JSON)</span><textarea x-model="explorer.bodyText" rows="8" class="input code-input"></textarea></label>
               <button class="btn btn-primary mt-2" @click="runExplorerRequest()">Run Request</button>
               <pre class="json-box mt-2" x-text="pretty(explorer.result)"></pre>
+              <div class="table-wrap mt-2" x-show="extractRows(explorer.result).length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in tableColumns(extractRows(explorer.result))" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in extractRows(explorer.result)" :key="idx">
+                      <tr>
+                        <template x-for="col in tableColumns(extractRows(explorer.result))" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
             </div>
           </section>
         </main>