docs overhaul with full UI instructions

docs/Advanced/automated.md

@@ -1,7 +1,7 @@
 # Automated Detection
 
 ## Important Notice ⚠️
-This section has been withdrawn from version 2.0.3 for further tuning. Please refer to the updated documentation for the latest information and guidelines regarding automated detection.
+This section has been withdrawn from version 1.2.0 for further tuning. Please refer to the updated documentation for the latest information and guidelines regarding automated detection.
 
 
 Instead of running manually you can configure Tempo to run on a schedule using the following commands. 

docs/Advanced/finetune.md

@@ -12,7 +12,8 @@ Our baseline model provides robust performance across many use cases. However, f
    - Start by testing the baseline model on a representative subset of your data using the [Evaluation function](#performance-evaluation)
    - Collect performance metrics:
      - Accuracy rate
-     - Cohen’s Kappa
+     - F1 Score
+     - Recall
 
 2. Decision Criteria for Fine-Tuning
    - Consider fine-tuning if:
@@ -50,22 +51,20 @@ You can evaluate model performance using the `CALL MODEL_OPTIMIZATION.EVALUATE_P
 CALL MODEL_OPTIMIZATION.EVALUATE_PERFORMANCE();
 ```
 
-### **Interpretation of Kappa Score:**
-| **Kappa Score (κ)** | **Level of Agreement** |
-|----------------------|------------------------|
-| < 0.0               | Poor (Worse than chance) |
-| 0.0 – 0.20          | Slight agreement        |
-| 0.21 – 0.40         | Fair agreement          |
-| 0.41 – 0.60         | Moderate agreement      |
-| 0.61 – 0.80         | Substantial agreement   |
-| 0.81 – 1.00         | Almost perfect agreement |
+You would obtain a table of performance metrics including F1 Score, Recall, and Accuracy:
+
+| Metric   | Value |
+|----------|-------|
+| Accuracy | 0.95  |
+| F1 Score | 0.92  |
+| Recall   | 0.90  |
 
 # Fine-tuning the Model
 
 If you want to increase the accuracy by tuning the model to your own network you can use the following commands.
 
 ```sql
-CALL model_optimization.tune_model();
+CALL MODEL_OPTIMIZATION.TUNE_MODEL();
 ```
 
 Purpose: Updates model based on tuning log data from the reference page as shown in the screenshot
@@ -74,7 +73,7 @@ Purpose: Updates model based on tuning log data from the reference page as shown
 
 ### Model Rollback
 ```sql
-CALL INFRA_CONTROLS.MODEL_ROLLBACK(version:int);
+CALL INFRA_CONTROLS.MODEL_ROLLBACK(int);
 ```
 Removes the specified version of the model and its metadata from the app.
 

docs/mitreclass.md

@@ -34,6 +34,14 @@ CALL THREAT_INTELLIGENCE.MITRE_TACTIC_CLASSIFICATION();
 ### Purpose  
 This procedure analyzes known anomalous logs and maps them to relevant MITRE ATT&CK tactics and techniques for deeper security insights.  
 
+### Viewing Classification Results
+
+After running the classification procedure, you can view the results by querying the output table:
+
+```sql
+SELECT * FROM TEMPO.THREAT_INTELLIGENCE.MITRE_TACTICS_MAPPINGS
+```
+
 ## Notes  
 - Ensure proper reference assigning for table access.  
 - Classification results will be available in your output table for further investigation.  

docs/onPrem.md

@@ -0,0 +1,117 @@
+# Install
+
+## Overview
+Tempo is a modern solution that leverages deep learning for network threat detection. By moving beyond conventional rule-based approaches, Tempo offers a more sophisticated and adaptable way to identify and respond to security events. Tempo is uniquely able to see attacks that others cannot, using a Deep Learning model that analyzes network and flow logs to detect various attacks, mapping them to MITRE ATT&CK for integration with your SIEM, SOC, and Threat Response systems.
+
+## Prerequisites for On-Premises Deployment
+
+To deploy Tempo on-premises, you'll need:
+- Docker installed and configured
+- Helm v3+ installed
+- Kubernetes cluster configured (kubectl access) with GPUs
+- deeptempo license key with appropriate permissions
+- zip file with the installer (provided by DeepTempo)
+
+## On-Premises Deployment Instructions
+
+1. **Prepare Environment**:
+   - For testing, you can use Minikube with GPU support:
+     ```bash
+     # Install Minikube
+     curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
+     sudo install minikube-linux-amd64 /usr/local/bin/minikube
+
+     # Start minikube with GPU support
+     minikube start --driver docker --container-runtime docker --gpus all
+     minikube addons enable nvidia-device-plugin
+     ```
+
+2. **Deploy Using Script**:
+   ```bash
+   ./deploy.sh <deeptempo_license>
+   ```
+
+3. **Exposing the Service**:
+   - If running in a test environment with Minikube:
+     ```bash
+     kubectl port-forward service/tempo-nginx 32598:80 --address 0.0.0.0 &
+     ```
+
+## Using Your Own Data
+
+1. Navigate to the **Data Sources** section from the left menu
+2. Select a data source or use demo data for quick analysis
+   - Demo data allows you to explore the platform's capabilities with sample NetFlow data (CIC netflow dataset)
+   - You can upload your network logs through the Data Sources interface or connect to an S3 bucket
+3. Ensure the data is formatted correctly for proper field identification
+4. Start the analysis process by clicking "Run Inference"
+
+## Required Data Features
+
+Your dataset must include the following features for proper analysis:
+
+| Feature | Description |
+|---------|-------------|
+| timestamp | String datetime when flow started (e.g., "2017-03-07 08:55:58") |
+| flow_dur | The duration of the flow in seconds |
+| src_ip | A unique identifier of the source device initiating the flow |
+| dest_ip | A unique identifier of the destination device receiving the flow |
+| src_port | Source port |
+| dest_port | Destination port |
+| fwd_bytes | Total number of payload bytes, sent from source to destination |
+| bwd_bytes | Total number of payload bytes, sent from destination to source |
+| total_fwd_pkts | Total number of packets sent from source to destination |
+| total_bwd_pkts | Total number of packets sent from destination to source |
+| label | Required if fine-tuning. Indicates if flow is suspicious (1) or normal (0) |
+
+These features can be exported from network monitoring tools such as NetFlow, Wireshark, Zeek, SolarWinds, or AWS/GCP Flow logs.
+
+## System Configuration
+
+Access the Settings section to configure Tempo according to your needs:
+
+### System Status
+Monitor the operational status of various components:
+- Processing Module
+- Vector Database
+- Inference Server
+
+All components should show as "Online" for proper system functionality.
+
+### Application Settings
+
+#### Analysis Filters
+Configure how Tempo processes and displays data:
+- **Ignore Unclassified MITRE Tactics**: Filter out events that couldn't be mapped to MITRE tactics
+- **Ignore Benign Network Flows**: Hide normal network activities
+- **Ignore Anomalous Flows**: Filter out anomalies (useful when focusing on specific patterns)
+
+#### Display Settings
+- **Show Timestamps**: Toggle timestamp display in results
+
+### Reset Application
+If needed, you can reset the application to its default state, clearing all loaded data and settings.
+
+**Note**: This action cannot be undone.
+
+## Troubleshooting On-Premises Deployment
+
+If you encounter issues:
+
+- **Components Showing Offline**: Check network connectivity and resource allocation
+- **No Data Appearing**: Verify data source configuration and format
+- **Analysis Not Working**: Ensure all prerequisites are installed and properly configured
+- **Performance Issues**: Check system resources, particularly GPU availability for on-premises deployments
+
+For some useful commands:
+1. Verify Docker credentials: `docker login ghcr.io -u <username>`
+2. Check Kubernetes connection: `kubectl get nodes`
+3. Review Helm release status: `helm status tempo -n default`
+4. Check pod status: `kubectl get pods -n default`
+5. View pod logs: `kubectl logs <pod-name> -n default`
+
+## Additional Resources
+
+For more information and assistance:
+- **MITRE ATT&CK Framework**: [attack.mitre.org](https://attack.mitre.org/)
+- **Support**: [support@deeptempo.ai](mailto:support@deeptempo.ai)

docs/onPremUse.md

@@ -0,0 +1,86 @@
+# Guide
+
+## Overview
+Forensichat is a cybersecurity analysis platform integrated within Tempo that helps security analysts investigate network traffic and identify potential threats. It leverages deep learning technology to analyze patterns and anomalies in network data, providing deeper insights than traditional rule-based systems.
+
+![Forensichat Home Interface](./assets/forensichatHome-onprem.png)
+
+## Prerequisites
+You will also need to run the inference as shown here in order for there to be any data to analyze.
+
+## 1. Accessing the UI
+
+To access and use Tempo, follow these steps:
+
+1. Navigate to the Tempo app URL. This would have been configured by you during install.
+2. The Tempo interface will load, showing the available features and options.
+
+
+## 2. Running inference:
+
+- Select your data source from the data sources tab and follow the steps in the UI to add your data source. 
+- Once the data source is added run the inference step to proccess it. 
+
+
+![alt text](assets/ForensichatExecConsole-onprem.png)
+
+
+**Monitor Status**  
+   - Watch the status indicator above the button:  
+     - ⏳ *Running* (auto-polls every 5 s)  
+     - ✅ *Completed*  
+     - ❌ *Failed*
+
+**View Results**  
+   - Once completed, you can view the resuts in the *Threat Overview*  and *Deep Investigation* tabs.
+
+## 3. Using the Forensic Analysis Assistant
+
+The Forensic Analysis Assistant allows you to perform natural language queries against your network data:
+This feature enables security analysts to ask questions about network behavior and potential security incidents in natural language, making advanced forensic analysis more accessible.
+
+![Forensic Analysis Assistant](./assets/ForensicQuery-onprem.png)
+
+To create a new analysis query:
+
+1. Click the **New Query** button in the Forensic Analysis Assistant interface.
+2. Enter your question in natural language (e.g., "What suspicious activities occurred between 192.168.1.10 and external IPs last week?").
+3. Click **Analyze Query** to process your request.
+
+`Sample Query: Show me top 10 similar events sequence id 982b5a35-d289-46f7-8adb-6aea0936b1c2`
+
+## 4. Available Features
+
+Forensichat includes several built-in capabilities:
+
+1. **MITRE ATT&CK Framework Analysis**: Categorize threats according to industry standards, mapping detected anomalies to known adversarial tactics and techniques.
+
+2. **Network Traffic Visualization**: Monitor traffic patterns over time to identify unusual activity that may indicate a security incident.
+
+3. **Threat Overview**: Get a high-level view of potential security incidents, showing metrics like:
+   - Unique IP Connections
+   - Total Network Events
+   - Potential Anomalies
+   - MITRE ATT&CK Framework Distribution
+
+   ![Threat Overview](./assets/threatoverview-onprem.png)
+
+4. **Deep Investigation**: Perform detailed forensic analysis on specific connections that have been flagged as suspicious.
+
+   ![Deep Dive Analysis](./assets/DeepDive-onprem.png)
+
+
+## 5. Settings and Filters
+The Tempo application provides customizable filtering and display options to tailor forensic investigations to specific analytical needs.
+
+![App Settings](./assets/ForensicSettings-onprem.png)
+
+The following toggles allow users to control which types of events or flows are shown in the visualization and downstream analyses:
+
+| Toggle | Description |
+|--------|-------------|
+| **Ignore Unclassified MITRE Tactics** | Hides events that could not be mapped to any MITRE ATT&CK tactic, enabling users to concentrate on recognized adversarial behavior patterns. |
+| **Ignore Benign Network Flows** | Excludes network flows flagged as benign or normal, reducing noise in the data and helping to isolate potentially suspicious traffic. |
+| **Ignore Anomalous Flows** | Removes network flows labeled as anomalous. This can be useful when users want to focus only on confirmed patterns or known behavior baselines. |
+
+