Großes Erkennungs-Update
@@ -1350,4 +1350,34 @@ ON baseline_event_stats (
|
||||
hour_of_day,
|
||||
day_of_week,
|
||||
sample_count
|
||||
);
|
||||
);
|
||||
|
||||
ALTER TABLE detections
|
||||
ADD COLUMN status VARCHAR(32) NOT NULL DEFAULT 'open',
|
||||
ADD COLUMN analyst_note TEXT NULL,
|
||||
ADD COLUMN reviewed_by VARCHAR(128) NULL,
|
||||
ADD COLUMN reviewed_at TIMESTAMP(6) NULL,
|
||||
ADD COLUMN is_false_positive TINYINT(1) NOT NULL DEFAULT 0,
|
||||
ADD COLUMN is_legitimate TINYINT(1) NOT NULL DEFAULT 0;
|
||||
|
||||
CREATE INDEX idx_detections_status_created
|
||||
ON detections (status, created_at);
|
||||
|
||||
CREATE INDEX idx_detections_rule_status
|
||||
ON detections (rule_name, status);
|
||||
|
||||
CREATE TABLE detection_suppressions (
|
||||
id BIGINT AUTO_INCREMENT PRIMARY KEY,
|
||||
rule_name VARCHAR(128) NOT NULL,
|
||||
hostname VARCHAR(255) DEFAULT '',
|
||||
channel_name VARCHAR(255) DEFAULT '',
|
||||
event_id INT DEFAULT 0,
|
||||
reason TEXT NULL,
|
||||
created_by VARCHAR(128) DEFAULT '',
|
||||
created_at TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
|
||||
expires_at TIMESTAMP(6) NULL,
|
||||
enabled TINYINT(1) NOT NULL DEFAULT 1
|
||||
);
|
||||
|
||||
CREATE INDEX idx_suppressions_lookup
|
||||
ON detection_suppressions (enabled, rule_name, hostname, channel_name, event_id);
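Review bot: Suppression rows in the new `detection_suppressions` table can be created with no attribution and no justification: `created_by` is nullable with `DEFAULT ''`, `reason` is `TEXT NULL`, and `expires_at` is nullable, so a row that keeps the default `hostname`, `channel_name` and `event_id` presumably acts as a permanent, rule-wide mute with nobody on record as its author (whether '' and 0 are treated as wildcards is not visible here and should be confirmed against the lookup code). Since adding a suppression is exactly what an attacker with write access to this table would do to blind the SIEM, make both fields mandatory: `reason TEXT NOT NULL,` and `created_by VARCHAR(128) NOT NULL,`. Consider also a `UNIQUE (rule_name, hostname, channel_name, event_id)` so duplicate or contradictory suppressions cannot accumulate unnoticed, and an `updated_at`/`disabled_by` pair so disabling a suppression leaves a trace as well. On the `detections` side, `status`, `is_false_positive` and `is_legitimate` can contradict each other (e.g. `status = 'open'` together with `is_false_positive = 1`); either derive the flags from `status` or add a CHECK, bearing in mind that MySQL only enforces CHECK constraints from 8.0.16.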
|
||||
@@ -28,8 +28,15 @@ groups:
|
||||
summary: "Zu wenige aktive Agents"
|
||||
description: "Es wurden weniger aktive Agents erkannt als erwartet."
|
||||
|
||||
- name: siem-backend-detections
|
||||
rules:
|
||||
- alert: SiemCriticalDetections
|
||||
expr: increase(eventcollector_detection_hits_total{severity="critical"}[5m]) > 0
|
||||
for: 1m
|
||||
labels:
|
||||
severity: critical
|
||||
annotations:
|
||||
summary: "Neue Critical Detection"
|
||||
description: "Es wurde mindestens eine Critical-Detection erzeugt."
|
||||
|
||||
- alert: SiemHighDetections
|
||||
expr: increase(eventcollector_detection_hits_total{severity="high"}[5m]) > 0
|
||||
for: 1m
|
||||
@@ -37,7 +44,7 @@ groups:
|
||||
severity: high
|
||||
annotations:
|
||||
summary: "Neue High-Severity Detection"
|
||||
description: "Es wurde mindestens eine neue High-Severity-Detection in den letzten 5 Minuten erzeugt."
|
||||
description: "Es wurde mindestens eine High-Severity-Detection erzeugt."
|
||||
|
||||
- alert: SiemManyMediumDetections
|
||||
expr: sum(increase(eventcollector_detection_hits_total{severity="medium"}[15m])) > 10
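Review bot: SiemCriticalDetections fires one alert per matching time series of `eventcollector_detection_hits_total{severity="critical"}` and still waits `for: 1m` before firing, which delays the page for the most severe class while SiemManyMediumDetections aggregates with `sum(...)`; because `increase(...[5m]) > 0` stays true for the whole 5m window (absent scrape gaps), the `for` clause adds latency without preventing flapping. I would use `for: 0s` for the critical rule and decide explicitly whether the per-series behaviour is intended — if the metric carries a rule label, `expr: sum by (rule_name) (increase(eventcollector_detection_hits_total{severity="critical"}[5m])) > 0` yields one actionable alert per rule (label name presumed; check the exporter). The annotations give the on-call no context; something like `description: "{{ $value }} neue Critical-Detection(s) in den letzten 5 Minuten ({{ $labels.rule_name }})."` would say what fired, again assuming that label exists. The `siem-backend-detections` group and the SiemHighDetections rule continue outside the first hunk of this file.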
|
||||
|
||||