Anpassung von Prometheus, Grafana und Backend auf Anomalieerkennung.

deploy/mariadb/init/001-schema.sql

@@ -89,14 +89,14 @@ CREATE TABLE IF NOT EXISTS detections (
 
 CREATE TABLE detection_rules (
     id BIGINT AUTO_INCREMENT PRIMARY KEY,
-    name VARCHAR(128) NOT NULL UNIQUE,
+    name VARCHAR(255) NOT NULL UNIQUE,
     description TEXT,
     severity VARCHAR(16) NOT NULL DEFAULT 'medium',
 
-    channel VARCHAR(64) NOT NULL DEFAULT 'Security',
+    channel VARCHAR(255) NOT NULL DEFAULT 'Security',
     event_ids VARCHAR(255) NOT NULL,
 
-    match_field VARCHAR(64) DEFAULT '',
+    match_field VARCHAR(255) DEFAULT '',
     match_operator VARCHAR(16) DEFAULT '',
     match_value TEXT,
 
@@ -1312,4 +1312,42 @@ ALTER TABLE detection_rules
 MODIFY description TEXT NULL,
 MODIFY match_value TEXT NULL,
 MODIFY match_field VARCHAR(64) NOT NULL DEFAULT '',
-MODIFY match_operator VARCHAR(16) NOT NULL DEFAULT '';
+MODIFY match_operator VARCHAR(16) NOT NULL DEFAULT '';
+
+
+
+CREATE TABLE baseline_event_stats (
+    id BIGINT AUTO_INCREMENT PRIMARY KEY,
+
+    hostname VARCHAR(255) NOT NULL,
+    channel_name VARCHAR(255) NOT NULL,
+    event_id INT NOT NULL,
+
+    hour_of_day TINYINT NOT NULL,
+    day_of_week TINYINT NOT NULL,
+
+    avg_count DOUBLE NOT NULL DEFAULT 0,
+    m2_count DOUBLE NOT NULL DEFAULT 0,
+    stddev_count DOUBLE NOT NULL DEFAULT 0,
+    sample_count INT NOT NULL DEFAULT 0,
+
+    last_updated TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6),
+
+    UNIQUE KEY uniq_baseline_event (
+        hostname,
+        channel_name,
+        event_id,
+        hour_of_day,
+        day_of_week
+    )
+);
+
+CREATE INDEX idx_baseline_event_lookup
+ON baseline_event_stats (
+    hostname,
+    channel_name,
+    event_id,
+    hour_of_day,
+    day_of_week,
+    sample_count
+);