rockfish report
Generate a self-contained, multi-page HTML NDR report from Parquet data.
Overview
The report command produces interactive HTML dashboards with Chart.js and D3.js visualizations. The output is static and self-contained, so it opens directly from disk and needs no web server. The report is split into the pages listed below, covering alerts, threats, DNS, TLS, flows, hosts, network topology, asset inventory, and hunt findings.
Usage
rockfish report [OPTIONS]
Report Pages
| Page | Highlights |
|---|---|
| Overview | Traffic volume, hourly charts, event counts, top talkers, protocol breakdown |
| Alerts | Severity timeline, top signatures, alerted hosts, MITRE ATT&CK mapping |
| Findings | Hunt detection results by severity and type, evidence table |
| Threats | IP reputation, beaconing, large transfers, DGA, DNS tunneling, port scans |
| DNS | Top domains, response codes (NOERROR, NXDOMAIN, SERVFAIL), DGA indicators |
| TLS | Version distribution, SNI hostnames, JA3 fingerprints, self-signed certs |
| Applications | Protocol distribution, hourly stacked charts, top HTTP hosts |
| Flows | Volume and direction, destination ports, top countries (GeoIP) |
| Hosts | Top alerted hosts, top talkers by flow count and volume |
| Network | Force-directed graph with IP/24/16 aggregation, threat and anomaly overlays |
| Inventory | Passive device discovery, device roles, OT protocol summary |
| Query | Conversational AI interface (requires rockfish chat) |
Visualization Features
- World Map — Leaflet.js with country-level flow, alert, and reputation overlays
- Network Graph — D3.js force-directed topology with Flows/Alerts/Hunt toggle layers, including anomaly (iForest/HBOS) findings overlay
- Heat-Mapped Tables — Gradient backgrounds for volume, severity, and scores
- Collapsible Tables — Expand/collapse with JSON export
- Severity Colors — Consistent palette: critical (red) through info (blue)
Options
| Option | Default | Description |
|---|---|---|
| -d, --data-dir | ./output | Data directory containing the Parquet files |
| --sensor | sensor | Sensor name subdirectory under the data directory |
| --hive | — | Enable Hive-style partitioning when reading the data directory |
| -o, --output-dir | ./report | Output directory for the generated HTML |
| -t, --time-window | 24 hours | Time window filter (e.g. "7 days") |
| --theme | — | YAML theme configuration file |
| --custom-css | — | Custom CSS file path |
| --demo | — | Generate the report from synthetic data (available on all license tiers) |
| --continuous | — | Keep running and regenerate the report on a schedule |
| --interval-minutes | 5 | Minutes between regenerations in continuous mode |
Theming
Customize report appearance with a YAML theme file:
# theme.yaml
background: "#0d1117"
surface: "#161b22"
text: "#e6edf3"
text_heading: "#ffffff"
accent: "#1a73e8"
rockfish report -d /data --sensor my-sensor --theme theme.yaml
See theme.yaml.example for all available options.
Custom Logo
Replace the default Rockfish logo with your own branding. Requires Standard or Enterprise license.
# theme.yaml
logo_path: "/path/to/your-logo.png"
| Property | Value |
|---|---|
| Formats | PNG, JPEG |
| Recommended size | 200 x 36 pixels |
| Display height | 36px (width scales proportionally) |
The logo appears in the header bar of every report page.
Demo Mode
Generate a report with synthetic data to showcase all features:
rockfish report --demo -o ./demo-report
Demo mode is available on all license tiers.
Continuous Mode
# Regenerate every 5 minutes (default)
rockfish report -d /data --sensor my-sensor --hive --continuous
# Regenerate every 15 minutes
rockfish report -d /data --sensor my-sensor --hive \
--continuous --interval-minutes 15
Examples
# 24-hour report (default time window)
rockfish report -d /data/rockfish --sensor prod-01 --hive \
-o /var/www/html/ndr
# 7-day report with custom theme
rockfish report -d /data --sensor prod-01 --hive \
-t "7 days" --theme /etc/rockfish/theme.yaml
# Continuous regeneration for live dashboard
rockfish report -d /data --sensor prod-01 --hive \
--continuous --interval-minutes 10 -o /var/www/html/ndr
The report is static HTML, but it contains internal IP addresses, hostnames, SNI values, alert details, and hunt findings. Put authentication in front of any web root you publish it to rather than serving it anonymously.
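Two things a practitioner will want around the continuous and web-root examples above: a check that the generated pages really are self-contained (a page that loads Chart.js or Leaflet from a CDN is not usable offline and quietly adds a third-party dependency to a report served from your intranet), and an atomic swap into the web root so a reader never loads a half-written page mid-regeneration. The wrapper below is an added example, not part of Rockfish or its documentation. It assumes only what this page documents (`rockfish report ... -o DIR`); the file names inside the output directory are not documented, so it inspects every `*.html` file it finds. The `publish_report.sh` name and the `.staging`/`.previous` directory suffixes are this example's own conventions.

```shell
#!/bin/sh
# publish_report.sh: generate the NDR report into a staging directory,
# verify that it is self-contained, then swap it into the web root so a
# reader never loads a half-written page.
# Added example, not Rockfish code. The rockfish report arguments are
# passed through verbatim; only the -o output directory is supplied here.
set -eu

# check_self_contained DIR
# Succeeds when DIR holds at least one HTML page and no page pulls a
# script or stylesheet from a remote (http, https or protocol-relative)
# URL. A self-contained report must keep Chart.js, D3.js and Leaflet
# inline; otherwise it depends on a third-party CDN and breaks offline.
check_self_contained() {
    dir=$1
    pages=$(find "$dir" -type f -name '*.html' | wc -l)
    if [ "$pages" -eq 0 ]; then
        echo "no HTML pages under $dir" >&2
        return 1
    fi
    # Matches <script src="https://..."> or <link href="//cdn/...">;
    # local paths such as theme.css are allowed.
    pattern="<(script|link)[^>]*(src|href)=[\"'](https?:)?//"
    offenders=$(find "$dir" -type f -name '*.html' \
                -exec grep -Eil "$pattern" {} + || true)
    if [ -n "$offenders" ]; then
        printf 'remote resources referenced in:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# publish_report WEBROOT ROCKFISH_REPORT_ARGS...
# e.g. publish_report /var/www/html/ndr -d /data --sensor prod-01 --hive
# Generates into WEBROOT.staging, validates it, then renames it into
# place; the rename is atomic on the same filesystem.
publish_report() {
    webroot=$1
    shift
    staging="$webroot.staging"
    previous="$webroot.previous"
    rm -rf "$staging"
    rockfish report "$@" -o "$staging"
    check_self_contained "$staging"
    rm -rf "$previous"
    if [ -d "$webroot" ]; then
        mv "$webroot" "$previous"
    fi
    mv "$staging" "$webroot"
    rm -rf "$previous"
}

# Run as a script: publish_report.sh WEBROOT ROCKFISH_REPORT_ARGS...
# Schedule it from cron instead of using --continuous when each
# regeneration should appear in the web root all at once.
if [ "$#" -gt 0 ]; then
    publish_report "$@"
fi
```

With `--continuous`, rockfish rewrites files in the output directory in place, so readers may briefly see a mix of old and new pages; running this wrapper from cron at the interval you would otherwise pass to `--interval-minutes` avoids that. The self-containment check is deliberately strict about `<script>` and `<link>` tags only: a `<a href="https://...">` link in a table is harmless, a remote script is not.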