diff --git a/app.db b/app.db
index 6f2614c..39b80b2 100644
Binary files a/app.db and b/app.db differ
diff --git a/app/dashboard/threat_analysis.go b/app/dashboard/threat_analysis.go
index e9a30d3..590c7b3 100644
--- a/app/dashboard/threat_analysis.go
+++ b/app/dashboard/threat_analysis.go
@@ -28,18 +28,18 @@ type ThreatRule struct {
 // ThreatEvent represents a detected threat event
 type ThreatEvent struct {
- ID int `json:"id"`
- IP string `json:"ip"`
- Service string `json:"service"`
- EventType string `json:"event_type"` // "brute_force", "port_scan", "suspicious_activity"
- Severity string `json:"severity"` // "low", "medium", "high", "critical"
- Count int `json:"count"`
- FirstSeen time.Time `json:"first_seen"`
- LastSeen time.Time `json:"last_seen"`
- Details map[string]interface{} `json:"details"`
- RuleID *int `json:"rule_id,omitempty"`
- Blocked bool `json:"blocked"`
- CreatedAt time.Time `json:"created_at"`
+ ID int `json:"id"`
+ IP string `json:"ip"`
+ Service string `json:"service"`
+ EventType string `json:"event_type"` // "brute_force", "port_scan", "suspicious_activity"
+ Severity string `json:"severity"` // "low", "medium", "high", "critical"
+ Count int `json:"count"`
+ FirstSeen time.Time `json:"first_seen"`
+ LastSeen time.Time `json:"last_seen"`
+ Details map[string]interface{} `json:"details"`
+ RuleID *int `json:"rule_id,omitempty"`
+ Blocked bool `json:"blocked"`
+ CreatedAt time.Time `json:"created_at"`
 }
 // IPReport represents comprehensive IP analysis
@@ -143,9 +143,9 @@ func (ta *ThreatAnalyzer) insertDefaultRules() error {
 Description: "Detect SSH brute force attempts",
 Service: "ssh",
 Condition: "auth_attempts",
- Threshold: 10,
+ Threshold: 5,
 TimeWindow: 60, // 1 hour
- Action: "block",
+ Action: "alert",
 Enabled: true,
 },
 {
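Review bot: app.db is a binary SQLite file modified in the same commit as the code change; if it is the live store that threat_analysis.go reads and writes (ip_analysis, threat_events, threat_rules), it should not be tracked in the repository, since every run will dirty it and it may carry observed IPs and event details into version history. Consider dropping it from the tree and ignoring it, creating the schema at startup instead, which the existence of insertDefaultRules suggests the code already does for the rules table.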
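Review bot: Changing Action from "block" to "alert" on this default rule, and likewise on the port-scan and FTP rules at @@ -163 and @@ -173, means none of the shipped rules blocks anymore, because createThreatEvent only calls blockIP when `rule.Action == "block"` (visible at @@ -510); if that is intended, say so on the rules slice, e.g. `// Default rules only alert; set Action to "block" on a rule to enable automatic blocking.` These defaults also appear to be inserted only when no rule of that name exists (insertDefaultRules is gated on ruleExists, whose body is outside the hunk), so existing databases keep the old threshold and action values; the description should note this or a migration should update them if the lowered thresholds are meant to apply everywhere. The lowered thresholds (5 auth attempts, 3 services in 15 minutes) will also fire more often for hosts behind shared NAT, which is acceptable for alert-only rules but worth a comment next to the values. The insertDefaultRules body starts and ends outside this hunk.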
@@ -163,9 +163,9 @@ func (ta *ThreatAnalyzer) insertDefaultRules() error {
 Description: "Detect port scanning across multiple services",
 Service: "*",
 Condition: "service_diversity",
- Threshold: 5, // 5 different services
+ Threshold: 3, // 3 different services
 TimeWindow: 15, // 15 minutes
- Action: "block",
+ Action: "alert",
 Enabled: true,
 },
 {
@@ -173,9 +173,9 @@ func (ta *ThreatAnalyzer) insertDefaultRules() error {
 Description: "Detect FTP brute force attempts",
 Service: "ftp",
 Condition: "auth_attempts",
- Threshold: 15,
+ Threshold: 5,
 TimeWindow: 60,
- Action: "block",
+ Action: "alert",
 Enabled: true,
 },
 }
@@ -206,7 +206,7 @@ func (ta *ThreatAnalyzer) ruleExists(name string) (bool, error) {
 func (ta *ThreatAnalyzer) CreateRule(rule ThreatRule) error {
 query := `INSERT INTO threat_rules (name, description, service, condition, threshold, time_window, action, enabled)
 VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
-
+
 _, err := ta.db.Exec(query, rule.Name, rule.Description, rule.Service, rule.Condition,
 rule.Threshold, rule.TimeWindow, rule.Action, rule.Enabled)
 return err
@@ -216,7 +216,7 @@ func (ta *ThreatAnalyzer) CreateRule(rule ThreatRule) error {
 func (ta *ThreatAnalyzer) GetRules() ([]ThreatRule, error) {
 query := `SELECT id, name, description, service, condition, threshold, time_window, action, enabled, created_at, updated_at
 FROM threat_rules ORDER BY created_at DESC`
-
+
 rows, err := ta.db.Query(query)
 if err != nil {
 return nil, err
@@ -244,11 +244,11 @@ func (ta *ThreatAnalyzer) AnalyzeIP(ip string) (*IPReport, error) {
 // Get basic IP statistics
 query := `SELECT total_connections, total_auth_attempts, services, threat_score, is_blocked, first_seen, last_seen, geo_location
 FROM ip_analysis WHERE ip = ?`
-
+
 var servicesJSON, geoJSON sql.NullString
 err := ta.db.QueryRow(query, ip).Scan(&report.TotalConnections, &report.TotalAuthAttempts, &servicesJSON,
 &report.ThreatScore, &report.IsBlocked, &report.FirstSeen, &report.LastSeen, &geoJSON)
-
+
 if err != nil && err != sql.ErrNoRows {
 return nil, err
 }
@@ -276,7 +276,7 @@ func (ta *ThreatAnalyzer) AnalyzeIP(ip string) (*IPReport, error) {
 func (ta *ThreatAnalyzer) GetThreatEventsByIP(ip string) ([]ThreatEvent, error) {
 query := `SELECT id, ip, service, event_type, severity, count, first_seen, last_seen, details, rule_id, blocked, created_at
 FROM threat_events WHERE ip = ? ORDER BY last_seen DESC`
-
+
 rows, err := ta.db.Query(query, ip)
 if err != nil {
 return nil, err
@@ -314,7 +314,7 @@ func (ta *ThreatAnalyzer) GetThreatEventsByIP(ip string) ([]ThreatEvent, error)
 func (ta *ThreatAnalyzer) GetIPReports(filters map[string]interface{}) ([]IPReport, error) {
 query := `SELECT ip, total_connections, total_auth_attempts, services, threat_score, is_blocked, first_seen, last_seen, geo_location
 FROM ip_analysis WHERE 1=1`
-
+
 var args []interface{}
 var conditions []string
@@ -491,11 +491,11 @@ func (ta *ThreatAnalyzer) evaluateRule(rule ThreatRule, record LogRecord) (bool,
 // createThreatEvent creates a new threat event
 func (ta *ThreatAnalyzer) createThreatEvent(rule ThreatRule, record LogRecord) error {
 detailsJSON, _ := json.Marshal(record.Details)
-
+
 // Determine event type and severity based on rule
 eventType := "suspicious_activity"
 severity := "medium"
-
+
 if strings.Contains(strings.ToLower(rule.Name), "brute") {
 eventType = "brute_force"
 severity = "high"
@@ -510,11 +510,11 @@ func (ta *ThreatAnalyzer) createThreatEvent(rule ThreatRule, record LogRecord) e
 count = count + 1,
 last_seen = ?,
 details = ?`
-
+
 _, err := ta.db.Exec(query, record.IP, record.Service, eventType, severity,
 record.Timestamp, record.Timestamp, string(detailsJSON), rule.ID,
 record.Timestamp, string(detailsJSON))
-
+
 // If this is a blocking rule, add to blocklist
 if rule.Action == "block" {
 ta.blockIP(record.IP, rule.ID)
@@ -528,11 +528,11 @@ func (ta *ThreatAnalyzer) blockIP(ip string, ruleID int) error {
 // Update IP analysis to mark as blocked
 query := `UPDATE ip_analysis SET is_blocked = 1 WHERE ip = ?`
 _, err := ta.db.Exec(query, ip)
-
+
 // Update threat events to mark as blocked
 query2 := `UPDATE threat_events SET blocked = 1 WHERE ip = ? AND rule_id = ?`
 _, err2 := ta.db.Exec(query2, ip, ruleID)
-
+
 if err != nil {
 return err
 }
@@ -542,7 +542,7 @@ func (ta *ThreatAnalyzer) blockIP(ip string, ruleID int) error {
 // GetBlockedIPs returns all currently blocked IPs
 func (ta *ThreatAnalyzer) GetBlockedIPs() ([]string, error) {
 query := `SELECT ip FROM ip_analysis WHERE is_blocked = 1 ORDER BY last_seen DESC`
-
+
 rows, err := ta.db.Query(query)
 if err != nil {
 return nil, err
@@ -565,10 +565,10 @@ func (ta *ThreatAnalyzer) GetBlockedIPs() ([]string, error) {
 func (ta *ThreatAnalyzer) UnblockIP(ip string) error {
 query := `UPDATE ip_analysis SET is_blocked = 0 WHERE ip = ?`
 _, err := ta.db.Exec(query, ip)
-
+
 query2 := `UPDATE threat_events SET blocked = 0 WHERE ip = ?`
 _, err2 := ta.db.Exec(query2, ip)
-
+
 if err != nil {
 return err
 }