sendnrw/siem-backend
2
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

init
Some checks failed
release-tag / release-image (push) Failing after 1m39s
Details

Browse Source
This commit is contained in:
jbergner
2026-04-23 21:56:44 +02:00
parent 329faadf8f
commit 2b08d518ad
14 changed files with 2823 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
deploy/grafana/provisioning/dashboards/dashboards.yml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: 1
providers:
- name: SIEM Dashboards
orgId: 1
folder: SIEM
type: file
disableDeletion: false
editable: true
updateIntervalSeconds: 30
options:
path: /var/lib/grafana/dashboards

76
deploy/grafana/provisioning/dashboards/siem-overview.json Normal file
View File

@@ -0,0 +1,76 @@
{
"annotations": {
"list": []
},
"editable": true,
"panels": [
{
"type": "stat",
"title": "Active Agents",
"gridPos": { "h": 4, "w": 6, "x": 0, "y": 0 },
"targets": [
{
"expr": "eventcollector_active_agents",
"refId": "A"
}
]
},
{
"type": "stat",
"title": "High Detections (5m)",
"gridPos": { "h": 4, "w": 6, "x": 6, "y": 0 },
"targets": [
{
"expr": "increase(eventcollector_detection_hits_total{severity=\"high\"}[5m])",
"refId": "A"
}
]
},
{
"type": "timeseries",
"title": "HTTP Requests",
"gridPos": { "h": 8, "w": 12, "x": 0, "y": 4 },
"targets": [
{
"expr": "rate(eventcollector_http_requests_total[5m])",
"legendFormat": "{{path}} {{status}}",
"refId": "A"
}
]
},
{
"type": "timeseries",
"title": "Detection Hits",
"gridPos": { "h": 8, "w": 12, "x": 12, "y": 4 },
"targets": [
{
"expr": "increase(eventcollector_detection_hits_total[5m])",
"legendFormat": "{{rule}} {{severity}}",
"refId": "A"
}
]
},
{
"type": "timeseries",
"title": "Ingested Events",
"gridPos": { "h": 8, "w": 24, "x": 0, "y": 12 },
"targets": [
{
"expr": "rate(eventcollector_ingest_events_total[5m])",
"legendFormat": "{{channel}} {{event_id}}",
"refId": "A"
}
]
}
],
"schemaVersion": 39,
"style": "dark",
"tags": ["siem"],
"templating": { "list": [] },
"time": {
"from": "now-6h",
"to": "now"
},
"title": "SIEM Overview",
"version": 1
}

10
deploy/grafana/provisioning/datasources/datasource.yml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: 1
datasources:
- name: Prometheus
uid: prometheus
type: prometheus
access: proxy
url: http://prometheus:9090
isDefault: true
editable: true

88
deploy/mariadb/init/001-schema.sql Normal file
View File

@@ -0,0 +1,88 @@
CREATE DATABASE IF NOT EXISTS eventcollector
CHARACTER SET utf8mb4
COLLATE utf8mb4_unicode_ci;
USE eventcollector;
CREATE TABLE IF NOT EXISTS agents (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
hostname VARCHAR(255) NOT NULL,
api_key_hash CHAR(64) NOT NULL,
first_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
last_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
last_ip VARCHAR(64) NOT NULL DEFAULT '',
is_enabled TINYINT(1) NOT NULL DEFAULT 1,
PRIMARY KEY (id),
UNIQUE KEY ux_agents_hostname (hostname),
KEY ix_agents_last_seen (last_seen)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
CREATE TABLE IF NOT EXISTS event_logs (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
agent_id BIGINT UNSIGNED NOT NULL,
hostname VARCHAR(255) NOT NULL,
channel_name VARCHAR(128) NOT NULL,
event_id INT UNSIGNED NOT NULL,
source VARCHAR(255) NOT NULL,
computer VARCHAR(255) NOT NULL DEFAULT '',
provider_name VARCHAR(255) NOT NULL DEFAULT '',
level_value INT UNSIGNED NOT NULL DEFAULT 0,
task_value INT UNSIGNED NOT NULL DEFAULT 0,
opcode_value INT UNSIGNED NOT NULL DEFAULT 0,
keywords VARCHAR(255) NOT NULL DEFAULT '',
target_user VARCHAR(255) NOT NULL DEFAULT '',
target_domain VARCHAR(255) NOT NULL DEFAULT '',
subject_user VARCHAR(255) NOT NULL DEFAULT '',
subject_domain VARCHAR(255) NOT NULL DEFAULT '',
workstation VARCHAR(255) NOT NULL DEFAULT '',
src_ip VARCHAR(64) NOT NULL DEFAULT '',
src_port VARCHAR(32) NOT NULL DEFAULT '',
logon_type VARCHAR(32) NOT NULL DEFAULT '',
process_name VARCHAR(512) NOT NULL DEFAULT '',
authentication_package VARCHAR(128) NOT NULL DEFAULT '',
logon_process VARCHAR(128) NOT NULL DEFAULT '',
status_text VARCHAR(64) NOT NULL DEFAULT '',
sub_status_text VARCHAR(64) NOT NULL DEFAULT '',
failure_reason VARCHAR(512) NOT NULL DEFAULT '',
ts DATETIME(6) NOT NULL,
received_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
msg LONGTEXT NOT NULL,
msg_sha256 CHAR(64) NOT NULL,
PRIMARY KEY (id),
KEY ix_event_logs_ts (ts),
KEY ix_event_logs_received_at (received_at),
KEY ix_event_logs_agent_ts (agent_id, ts),
KEY ix_event_logs_eventid_ts (event_id, ts),
KEY ix_event_logs_hostname_ts (hostname, ts),
KEY ix_event_logs_channel_event_ts (channel_name, event_id, ts),
KEY ix_event_logs_target_user_ts (target_user, ts),
KEY ix_event_logs_src_ip_ts (src_ip, ts),
KEY ix_event_logs_target_user_src_ip_ts (target_user, src_ip, ts),
KEY ix_event_logs_eventid_srcip_ts (event_id, src_ip, ts),
KEY ix_event_logs_eventid_targetuser_ts (event_id, target_user, ts),
KEY ix_event_logs_eventid_logontype_ts (event_id, logon_type, ts),
CONSTRAINT fk_event_logs_agent
FOREIGN KEY (agent_id) REFERENCES agents(id)
ON DELETE RESTRICT
ON UPDATE RESTRICT
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
CREATE TABLE IF NOT EXISTS detections (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
rule_name VARCHAR(128) NOT NULL,
severity VARCHAR(32) NOT NULL,
hostname VARCHAR(255) NOT NULL,
channel_name VARCHAR(128) NOT NULL DEFAULT '',
event_id INT UNSIGNED NOT NULL DEFAULT 0,
score DOUBLE NOT NULL DEFAULT 0,
window_start DATETIME(6) NOT NULL,
window_end DATETIME(6) NOT NULL,
summary VARCHAR(512) NOT NULL,
details_json JSON NOT NULL,
created_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
PRIMARY KEY (id),
UNIQUE KEY ux_detection_dedupe (rule_name, hostname, channel_name, event_id, window_start, window_end),
KEY ix_detections_created (created_at),
KEY ix_detections_rule_host_time (rule_name, hostname, created_at),
KEY ix_detections_severity_time (severity, created_at)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

18
deploy/prometheus/prometheus.yml Normal file
View File

@@ -0,0 +1,18 @@
global:
scrape_interval: 15s
evaluation_interval: 15s
rule_files:
- /etc/prometheus/rules/*.yml
scrape_configs:
- job_name: siem-backend
metrics_path: /metrics
static_configs:
- targets:
- siem-backend:8080
- job_name: prometheus
static_configs:
- targets:
- localhost:9090

38
deploy/prometheus/rules/siem-alerts.yml Normal file
View File

@@ -0,0 +1,38 @@
groups:
- name: siem-backend
rules:
- alert: SiemBackendDown
expr: up{job="siem-backend"} == 0
for: 2m
labels:
severity: critical
annotations:
summary: "SIEM backend nicht erreichbar"
description: "Prometheus kann das SIEM-Backend seit mindestens 2 Minuten nicht scrapen."
- alert: SiemHighDetections
expr: increase(eventcollector_detection_hits_total{severity="high"}[5m]) > 0
for: 1m
labels:
severity: high
annotations:
summary: "Neue High-Severity Detection"
description: "Es wurde mindestens eine neue High-Severity-Detection in den letzten 5 Minuten erzeugt."
- alert: SiemRuleErrors
expr: increase(eventcollector_rule_errors_total[5m]) > 0
for: 1m
labels:
severity: warning
annotations:
summary: "Fehler in Detection-Regeln"
description: "Mindestens eine Detection-Regel hat in den letzten 5 Minuten einen Fehler erzeugt."
- alert: SiemTooFewActiveAgents
expr: eventcollector_active_agents < 1
for: 5m
labels:
severity: warning
annotations:
summary: "Zu wenige aktive Agents"
description: "Es wurden weniger aktive Agents erkannt als erwartet."