diff --git a/main.go b/main.go
index 1c3b0f6..4b37b2d 100644
--- a/main.go
+++ b/main.go
@@ -5435,48 +5435,85 @@ GROUP BY e.hostname, e.target_user, e.src_ip, e.workstation
 newCount++
- score := 2.0
- severity := "medium"
+ score := 1.0
+ severity := "low"
 if count >= 5 {
 score = 4.0
 severity = "high"
+
+ created, err := d.insertDetection(ctx, Detection{
+ RuleName: "ueba_new_user_context",
+ Severity: severity,
+ Hostname: host,
+ Channel: "Security",
+ EventID: 4624,
+ Score: score,
+ WindowStart: windowStart,
+ WindowEnd: windowEnd,
+ Summary: fmt.Sprintf(
+ "UEBA: Benutzer %s meldet sich in neuem Kontext an: Host=%s IP=%s Workstation=%s",
+ user,
+ host,
+ srcIP,
+ workstation,
+ ),
+ Details: mustJSON(map[string]any{
+ "user": user,
+ "src_ip": srcIP,
+ "workstation": workstation,
+ "host": host,
+ "count": count,
+ "first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
+ "window": d.cfg.UEBANewContextWindow.String(),
+ }),
+ })
+ if err != nil {
+ return err
+ }
+
+ if created {
+ d.detectionHitsTotal.WithLabelValues("ueba_new_user_context", severity).Inc()
+ d.anomalyScoreGauge.WithLabelValues(host, "ueba_new_user_context").Set(score)
+ }
+ } else {
+ created, err := d.insertDetection(ctx, Detection{
+ RuleName: "ueba_new_user_context",
+ Severity: severity,
+ Hostname: host,
+ Channel: "Security",
+ EventID: 4624,
+ Score: score,
+ Status: "plausible",
+ WindowStart: windowStart,
+ WindowEnd: windowEnd,
+ Summary: fmt.Sprintf(
+ "UEBA: Benutzer %s meldet sich in neuem Kontext an: Host=%s IP=%s Workstation=%s",
+ user,
+ host,
+ srcIP,
+ workstation,
+ ),
+ Details: mustJSON(map[string]any{
+ "user": user,
+ "src_ip": srcIP,
+ "workstation": workstation,
+ "host": host,
+ "count": count,
+ "first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
+ "window": d.cfg.UEBANewContextWindow.String(),
+ }),
+ })
+ if err != nil {
+ return err
+ }
+
+ if created {
+ d.detectionHitsTotal.WithLabelValues("ueba_new_user_context", severity).Inc()
+ d.anomalyScoreGauge.WithLabelValues(host, "ueba_new_user_context").Set(score)
+ }
 }
- created, err := d.insertDetection(ctx, Detection{
- RuleName: "ueba_new_user_context",
- Severity: severity,
- Hostname: host,
- Channel: "Security",
- EventID: 4624,
- Score: score,
- WindowStart: windowStart,
- WindowEnd: windowEnd,
- Summary: fmt.Sprintf(
- "UEBA: Benutzer %s meldet sich in neuem Kontext an: Host=%s IP=%s Workstation=%s",
- user,
- host,
- srcIP,
- workstation,
- ),
- Details: mustJSON(map[string]any{
- "user": user,
- "src_ip": srcIP,
- "workstation": workstation,
- "host": host,
- "count": count,
- "first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
- "window": d.cfg.UEBANewContextWindow.String(),
- }),
- })
- if err != nil {
- return err
- }
-
- if created {
- d.detectionHitsTotal.WithLabelValues("ueba_new_user_context", severity).Inc()
- d.anomalyScoreGauge.WithLabelValues(host, "ueba_new_user_context").Set(score)
- }
 }
 if err := rows.Err(); err != nil {
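Review bot: Both branches of `if count >= 5` build the same Detection literal, error check and metric updates, differing only in `Status: "plausible"` on the else side, and the second hunk (`new_source_ip_for_user`) repeats the pattern. Building the struct once and setting `det.Status` when `count < 5` removes roughly 35 duplicated lines per rule and keeps the two inserts from drifting apart, which has already happened on the Status value in the other rule. The threshold also deserves a comment, since it now decides whether a first-seen logon context is alerted or only recorded, and a single logon from a new workstation or IP is also what an account takeover looks like; something like `// Fewer than 5 logons in the window: keep the context as "plausible" (no alert) rather than escalating.` The enclosing function starts and ends outside this hunk.
```go
	// … unchanged: newCount++, score/severity defaults and the count >= 5 escalation …
	det := Detection{
		RuleName:    "ueba_new_user_context",
		Severity:    severity,
		Hostname:    host,
		Channel:     "Security",
		EventID:     4624,
		Score:       score,
		WindowStart: windowStart,
		WindowEnd:   windowEnd,
		Summary: fmt.Sprintf(
			"UEBA: Benutzer %s meldet sich in neuem Kontext an: Host=%s IP=%s Workstation=%s",
			user, host, srcIP, workstation,
		),
		Details: mustJSON(map[string]any{
			// … unchanged: user, src_ip, workstation, host, count, first_seen, window …
		}),
	}
	if count < 5 {
		// Fewer than 5 logons in the window: keep the context as "plausible" (no alert) rather than escalating.
		det.Status = "plausible"
	}
	created, err := d.insertDetection(ctx, det)
	if err != nil {
		return err
	}
	if created {
		d.detectionHitsTotal.WithLabelValues("ueba_new_user_context", severity).Inc()
		d.anomalyScoreGauge.WithLabelValues(host, "ueba_new_user_context").Set(score)
	}
```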
@@ -6128,41 +6165,69 @@ GROUP BY e.hostname, e.target_user, e.src_ip
 continue
 }
- score := 1.5 + math.Log10(float64(cnt)+1)
+ score := 1.0 + math.Log10(float64(cnt)+1)
- severity := "medium"
+ severity := "low"
 if cnt >= 5 {
- severity = "high"
+ severity = "medium"
+ created, err := d.insertDetection(ctx, Detection{
+ RuleName: "new_source_ip_for_user",
+ Severity: severity,
+ Hostname: host,
+ Channel: "Security",
+ EventID: 4624,
+ Score: score,
+ WindowStart: windowStart,
+ WindowEnd: windowEnd,
+ Summary: fmt.Sprintf("Benutzer %s meldet sich auf %s erstmals von Quell-IP %s an", user, host, srcIP),
+ Details: mustJSON(map[string]any{
+ "user": user,
+ "src_ip": srcIP,
+ "host": host,
+ "count": cnt,
+ "first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
+ "window_minutes": int(d.cfg.NewSourceIPWindow.Minutes()),
+ "event_id": 4624,
+ }),
+ })
+ if err != nil {
+ return err
+ }
+ if created {
+ d.detectionHitsTotal.WithLabelValues("new_source_ip_for_user", severity).Inc()
+ d.anomalyScoreGauge.WithLabelValues(host, "new_source_ip_for_user").Set(score)
+ }
+ } else {
+ created, err := d.insertDetection(ctx, Detection{
+ RuleName: "new_source_ip_for_user",
+ Severity: severity,
+ Hostname: host,
+ Channel: "Security",
+ EventID: 4624,
+ Score: score,
+ WindowStart: windowStart,
+ WindowEnd: windowEnd,
+ Status: "plausibe",
+ Summary: fmt.Sprintf("Benutzer %s meldet sich auf %s erstmals von Quell-IP %s an", user, host, srcIP),
+ Details: mustJSON(map[string]any{
+ "user": user,
+ "src_ip": srcIP,
+ "host": host,
+ "count": cnt,
+ "first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
+ "window_minutes": int(d.cfg.NewSourceIPWindow.Minutes()),
+ "event_id": 4624,
+ }),
+ })
+ if err != nil {
+ return err
+ }
+ if created {
+ d.detectionHitsTotal.WithLabelValues("new_source_ip_for_user", severity).Inc()
+ d.anomalyScoreGauge.WithLabelValues(host, "new_source_ip_for_user").Set(score)
+ }
 }
- created, err := d.insertDetection(ctx, Detection{
- RuleName: "new_source_ip_for_user",
- Severity: severity,
- Hostname: host,
- Channel: "Security",
- EventID: 4624,
- Score: score,
- WindowStart: windowStart,
- WindowEnd: windowEnd,
- Summary: fmt.Sprintf("Benutzer %s meldet sich auf %s erstmals von Quell-IP %s an", user, host, srcIP),
- Details: mustJSON(map[string]any{
- "user": user,
- "src_ip": srcIP,
- "host": host,
- "count": cnt,
- "first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
- "window_minutes": int(d.cfg.NewSourceIPWindow.Minutes()),
- "event_id": 4624,
- }),
- })
- if err != nil {
- return err
- }
-
- if created {
- d.detectionHitsTotal.WithLabelValues("new_source_ip_for_user", severity).Inc()
- d.anomalyScoreGauge.WithLabelValues(host, "new_source_ip_for_user").Set(score)
- }
 }
 return rows.Err()