From b86a4844f79a1c1b029996b0414de936f744385f Mon Sep 17 00:00:00 2001
From: jbergner <jbergner@send.nrw>
Date: Sat, 25 Apr 2026 19:29:05 +0200
Subject: [PATCH] =?UTF-8?q?Gro=C3=9Fes=20Erkennungs-Update?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 deploy/mariadb/init/001-schema.sql      |  32 +-
 deploy/prometheus/rules/siem-alerts.yml |  13 +-
 main.go                                 | 822 ++++++++++++++++++++++--
 3 files changed, 793 insertions(+), 74 deletions(-)
diff --git a/deploy/mariadb/init/001-schema.sql b/deploy/mariadb/init/001-schema.sql
index ef06ea0..3d0b42e 100644
--- a/deploy/mariadb/init/001-schema.sql
+++ b/deploy/mariadb/init/001-schema.sql
@@ -1350,4 +1350,34 @@ ON baseline_event_stats (
     hour_of_day,
     day_of_week,
     sample_count
-);
\ No newline at end of file
+);
+
+ALTER TABLE detections
+ADD COLUMN status VARCHAR(32) NOT NULL DEFAULT 'open',
+ADD COLUMN analyst_note TEXT NULL,
+ADD COLUMN reviewed_by VARCHAR(128) NULL,
+ADD COLUMN reviewed_at TIMESTAMP(6) NULL,
+ADD COLUMN is_false_positive TINYINT(1) NOT NULL DEFAULT 0,
+ADD COLUMN is_legitimate TINYINT(1) NOT NULL DEFAULT 0;
+
+CREATE INDEX idx_detections_status_created
+ON detections (status, created_at);
+
+CREATE INDEX idx_detections_rule_status
+ON detections (rule_name, status);
+
+CREATE TABLE detection_suppressions (
+    id BIGINT AUTO_INCREMENT PRIMARY KEY,
+    rule_name VARCHAR(128) NOT NULL,
+    hostname VARCHAR(255) DEFAULT '',
+    channel_name VARCHAR(255) DEFAULT '',
+    event_id INT DEFAULT 0,
+    reason TEXT NULL,
+    created_by VARCHAR(128) DEFAULT '',
+    created_at TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
+    expires_at TIMESTAMP(6) NULL,
+    enabled TINYINT(1) NOT NULL DEFAULT 1
+);
+
+CREATE INDEX idx_suppressions_lookup
+ON detection_suppressions (enabled, rule_name, hostname, channel_name, event_id);
\ No newline at end of file
diff --git a/deploy/prometheus/rules/siem-alerts.yml b/deploy/prometheus/rules/siem-alerts.yml
index b6f2cee..edaeff1 100644
--- a/deploy/prometheus/rules/siem-alerts.yml
+++ b/deploy/prometheus/rules/siem-alerts.yml
@@ -28,8 +28,15 @@ groups:
           summary: "Zu wenige aktive Agents"
           description: "Es wurden weniger aktive Agents erkannt als erwartet."
 
-  - name: siem-backend-detections
-    rules:
+      - alert: SiemCriticalDetections
+        expr: increase(eventcollector_detection_hits_total{severity="critical"}[5m]) > 0
+        for: 1m
+        labels:
+          severity: critical
+        annotations:
+          summary: "Neue Critical Detection"
+          description: "Es wurde mindestens eine Critical-Detection erzeugt."
+    
       - alert: SiemHighDetections
         expr: increase(eventcollector_detection_hits_total{severity="high"}[5m]) > 0
         for: 1m
@@ -37,7 +44,7 @@ groups:
           severity: high
         annotations:
           summary: "Neue High-Severity Detection"
-          description: "Es wurde mindestens eine neue High-Severity-Detection in den letzten 5 Minuten erzeugt."
+          description: "Es wurde mindestens eine High-Severity-Detection erzeugt."
 
       - alert: SiemManyMediumDetections
         expr: sum(increase(eventcollector_detection_hits_total{severity="medium"}[15m])) > 10
diff --git a/main.go b/main.go
index b04efb7..ed85d73 100644
--- a/main.go
+++ b/main.go
@@ -37,45 +37,362 @@ const uiTemplates = `
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <title>{{.Title}}</title>
   <style>
-    body { font-family: Arial, sans-serif; margin: 0; background: #f5f7fa; color: #1f2937; }
-    header { background: #111827; color: white; padding: 14px 20px; }
-    nav a { color: #93c5fd; margin-right: 14px; text-decoration: none; }
-    main { padding: 20px; }
-    .grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(220px, 1fr)); gap: 16px; }
-    .card { background: white; border-radius: 10px; padding: 16px; box-shadow: 0 1px 4px rgba(0,0,0,.08); }
-    table { width: 100%; border-collapse: collapse; background: white; }
-    th, td { text-align: left; padding: 10px; border-bottom: 1px solid #e5e7eb; vertical-align: top; }
-    th { background: #f9fafb; }
-    .muted { color: #6b7280; }
-    .sev-high { color: #b91c1c; font-weight: bold; }
-    .sev-medium { color: #b45309; font-weight: bold; }
-    .sev-low { color: #047857; font-weight: bold; }
-    .filters { display: grid; grid-template-columns: repeat(auto-fit, minmax(180px, 1fr)); gap: 12px; margin-bottom: 16px; }
-    label { display: block; font-size: 12px; color: #374151; margin-bottom: 4px; }
-    input { width: 100%; padding: 8px; border: 1px solid #d1d5db; border-radius: 8px; box-sizing: border-box; }
-    button { padding: 10px 14px; background: #2563eb; color: white; border: 0; border-radius: 8px; cursor: pointer; }
-    pre { white-space: pre-wrap; word-break: break-word; background: #111827; color: #e5e7eb; padding: 16px; border-radius: 10px; }
-    a { color: #2563eb; text-decoration: none; }
-	.badge { display: inline-block; padding: 3px 8px; border-radius: 999px; font-size: 12px; font-weight: bold; }
-	.badge-on { background: #dcfce7; color: #166534; }
-	.badge-off { background: #fee2e2; color: #991b1b; }
-	.badge-muted { background: #e5e7eb; color: #374151; }
-	.inline-form { display: inline; }
-	button.danger { background: #dc2626; }
-	button.success { background: #16a34a; }
-	textarea, select {
-  	width: 100%;
-  	padding: 8px;
-  	border: 1px solid #d1d5db;
-  	border-radius: 8px;
-  	box-sizing: border-box;
-	}
-	.badge { display: inline-block; padding: 3px 8px; border-radius: 999px; font-size: 12px; font-weight: bold; }
-	.badge-on { background: #dcfce7; color: #166534; }
-	.badge-off { background: #fee2e2; color: #991b1b; }
-	.inline-form { display: inline; }
-	button.danger { background: #dc2626; }
-	button.success { background: #16a34a; }
+    :root {
+  --bg: #0f172a;
+  --bg-soft: #111827;
+  --panel: #ffffff;
+  --panel-soft: #f8fafc;
+  --text: #0f172a;
+  --muted: #64748b;
+  --border: #e5e7eb;
+  --primary: #2563eb;
+  --danger: #dc2626;
+  --success: #16a34a;
+  --warning: #d97706;
+  --shadow: 0 10px 30px rgba(15, 23, 42, .08);
+}
+
+* {
+  box-sizing: border-box;
+}
+
+body {
+  font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Arial, sans-serif;
+  margin: 0;
+  background: #f1f5f9;
+  color: var(--text);
+}
+
+header {
+  background: linear-gradient(135deg, #0f172a, #111827);
+  color: white;
+  padding: 18px 28px;
+  box-shadow: var(--shadow);
+  position: sticky;
+  top: 0;
+  z-index: 10;
+}
+
+header strong {
+  font-size: 18px;
+  letter-spacing: .3px;
+}
+
+nav {
+  margin-top: 12px;
+  display: flex;
+  flex-wrap: wrap;
+  gap: 10px;
+}
+
+nav a {
+  color: #dbeafe;
+  background: rgba(255,255,255,.08);
+  padding: 7px 11px;
+  border-radius: 999px;
+  text-decoration: none;
+  font-size: 14px;
+}
+
+nav a:hover {
+  background: rgba(255,255,255,.16);
+}
+
+main {
+  padding: 28px;
+  max-width: 1800px;
+  margin: 0 auto;
+}
+
+h1 {
+  margin: 0 0 8px;
+  font-size: 30px;
+}
+
+h2 {
+  margin-top: 28px;
+  font-size: 22px;
+}
+
+.muted {
+  color: var(--muted);
+}
+
+.grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(220px, 1fr));
+  gap: 16px;
+}
+
+.card {
+  background: var(--panel);
+  border: 1px solid var(--border);
+  border-radius: 18px;
+  padding: 18px;
+  box-shadow: var(--shadow);
+  overflow-wrap: anywhere;
+  word-break: break-word;
+}
+
+.card strong {
+  font-size: 24px;
+}
+
+.table-wrap {
+  width: 100%;
+  overflow-x: auto;
+  border-radius: 18px;
+  box-shadow: var(--shadow);
+  border: 1px solid var(--border);
+  background: white;
+}
+
+table {
+  width: 100%;
+  border-collapse: collapse;
+  background: white;
+  table-layout: auto;
+}
+
+th, td {
+  text-align: left;
+  padding: 11px 12px;
+  border-bottom: 1px solid var(--border);
+  vertical-align: top;
+  max-width: 520px;
+  overflow-wrap: anywhere;
+  word-break: break-word;
+}
+
+th {
+  background: var(--panel-soft);
+  color: #334155;
+  font-size: 12px;
+  text-transform: uppercase;
+  letter-spacing: .04em;
+  position: sticky;
+  top: 82px;
+  z-index: 5;
+}
+
+tr:hover td {
+  background: #f8fafc;
+}
+
+.filters {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(190px, 1fr));
+  gap: 12px;
+  margin: 18px 0;
+  background: white;
+  padding: 16px;
+  border-radius: 18px;
+  border: 1px solid var(--border);
+  box-shadow: var(--shadow);
+}
+
+.quickfilters {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 8px;
+  margin: 12px 0 18px;
+}
+
+.quickfilters a {
+  background: white;
+  border: 1px solid var(--border);
+  border-radius: 999px;
+  padding: 7px 12px;
+  box-shadow: var(--shadow);
+  font-size: 13px;
+}
+
+.checkline {
+  display: flex;
+  align-items: center;
+  gap: 6px;
+  font-size: 12px;
+  color: #475569;
+}
+
+.checkline input {
+  width: auto;
+}
+
+.quickfilters a:hover {
+  background: #eff6ff;
+}
+
+label {
+  display: block;
+  font-size: 12px;
+  color: #475569;
+  margin-bottom: 5px;
+  font-weight: 600;
+}
+
+input, select, textarea {
+  width: 100%;
+  padding: 9px 10px;
+  border: 1px solid #cbd5e1;
+  border-radius: 10px;
+  background: white;
+  color: #0f172a;
+}
+
+button {
+  padding: 9px 13px;
+  background: var(--primary);
+  color: white;
+  border: 0;
+  border-radius: 10px;
+  cursor: pointer;
+  font-weight: 600;
+}
+
+button:hover {
+  filter: brightness(.95);
+}
+
+button.danger {
+  background: var(--danger);
+}
+
+button.success {
+  background: var(--success);
+}
+
+pre {
+  white-space: pre-wrap;
+  word-break: break-word;
+  overflow-wrap: anywhere;
+  background: #020617;
+  color: #e5e7eb;
+  padding: 18px;
+  border-radius: 18px;
+  overflow-x: auto;
+}
+
+a {
+  color: var(--primary);
+  text-decoration: none;
+  font-weight: 500;
+}
+
+.badge {
+  display: inline-flex;
+  align-items: center;
+  border-radius: 999px;
+  padding: 4px 9px;
+  font-size: 12px;
+  font-weight: 700;
+  white-space: nowrap;
+}
+
+.sev-critical {
+  background: #450a0a;
+  color: #fee2e2;
+}
+
+.sev-high {
+  background: #fee2e2;
+  color: #991b1b;
+}
+
+.sev-medium {
+  background: #ffedd5;
+  color: #9a3412;
+}
+
+.sev-low {
+  background: #dcfce7;
+  color: #166534;
+}
+
+.sev-info {
+  background: #dbeafe;
+  color: #1e40af;
+}
+
+.status-open {
+  background: #e0f2fe;
+  color: #075985;
+}
+
+.status-acknowledged {
+  background: #ede9fe;
+  color: #5b21b6;
+}
+
+.status-investigating {
+  background: #fef3c7;
+  color: #92400e;
+}
+
+.status-legitimate {
+  background: #dcfce7;
+  color: #166534;
+}
+
+.status-false_positive {
+  background: #e5e7eb;
+  color: #374151;
+}
+
+.status-resolved {
+  background: #ccfbf1;
+  color: #115e59;
+}
+
+.status-suppressed {
+  background: #f3f4f6;
+  color: #4b5563;
+}
+
+.wrap {
+  overflow-wrap: anywhere;
+  word-break: break-word;
+}
+
+.mono {
+  font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
+  font-size: 13px;
+}
+
+.note {
+  margin-top: 8px;
+  color: #475569;
+  font-size: 13px;
+  padding: 8px;
+  background: #f8fafc;
+  border-left: 3px solid #94a3b8;
+  border-radius: 8px;
+}
+
+.mini-form {
+  display: grid;
+  grid-template-columns: minmax(120px, 1fr);
+  gap: 6px;
+  min-width: 220px;
+}
+
+.inline-form {
+  display: inline;
+}
+
+@media (max-width: 900px) {
+  main {
+    padding: 16px;
+  }
+
+  th {
+    position: static;
+  }
+
+  .card strong {
+    font-size: 20px;
+  }
+}
   </style>
 </head>
 <body>
@@ -110,9 +427,15 @@ const uiTemplates = `
   <div class="card"><div class="muted">Events 24h</div><div><strong>{{.Stats.Events24h}}</strong></div></div>
   <div class="card"><div class="muted">Detections 24h</div><div><strong>{{.Stats.Detections24h}}</strong></div></div>
   <div class="card"><div class="muted">High Detections 24h</div><div><strong>{{.Stats.HighDetections24h}}</strong></div></div>
+  <div class="card"><div class="muted">Open Detections</div><div><strong>{{.Stats.OpenDetections}}</strong></div></div>
+  <div class="card"><div class="muted">Investigating</div><div><strong>{{.Stats.InvestigatingDetections}}</strong></div></div>
+  <div class="card"><div class="muted">Critical 24h</div><div><strong>{{.Stats.CriticalDetections24h}}</strong></div></div>
+  <div class="card"><div class="muted">False Positive 24h</div><div><strong>{{.Stats.FalsePositive24h}}</strong></div></div>
+  <div class="card"><div class="muted">Legitim 24h</div><div><strong>{{.Stats.Legitimate24h}}</strong></div></div>
 </div>
 
 <h2>Neueste Detections</h2>
+<div class="table-wrap">
 <table>
   <tr><th>Zeit</th><th>Rule</th><th>Severity</th><th>Host</th><th>Zusammenfassung</th></tr>
   {{range .RecentDetections}}
@@ -125,8 +448,10 @@ const uiTemplates = `
   </tr>
   {{end}}
 </table>
+</div>
 
 <h2>Neueste Events</h2>
+<div class="table-wrap">
 <table>
   <tr><th>Zeit</th><th>Host</th><th>Channel</th><th>EventID</th><th>User</th><th>IP</th><th>Nachricht</th></tr>
   {{range .RecentEvents}}
@@ -141,6 +466,7 @@ const uiTemplates = `
   </tr>
   {{end}}
 </table>
+</div>
 {{template "footer" .}}
 {{end}}
 
@@ -152,24 +478,97 @@ const uiTemplates = `
     <div><label>Host</label><input name="host" value="{{index .Filters "host"}}"></div>
     <div><label>Rule</label><input name="rule" value="{{index .Filters "rule"}}"></div>
     <div><label>Severity</label><input name="severity" value="{{index .Filters "severity"}}"></div>
+	<div>
+  <label>Status</label>
+  <select name="status">
+    <option value="">alle</option>
+    <option value="open" {{if eq (index .Filters "status") "open"}}selected{{end}}>open</option>
+    <option value="acknowledged" {{if eq (index .Filters "status") "acknowledged"}}selected{{end}}>acknowledged</option>
+    <option value="investigating" {{if eq (index .Filters "status") "investigating"}}selected{{end}}>investigating</option>
+    <option value="legitimate" {{if eq (index .Filters "status") "legitimate"}}selected{{end}}>legitim</option>
+    <option value="false_positive" {{if eq (index .Filters "status") "false_positive"}}selected{{end}}>false positive</option>
+    <option value="resolved" {{if eq (index .Filters "status") "resolved"}}selected{{end}}>resolved</option>
+    <option value="suppressed" {{if eq (index .Filters "status") "suppressed"}}selected{{end}}>suppressed</option>
+  </select>
+</div>
     <div><label>Limit</label><input name="limit" value="{{index .Filters "limit"}}"></div>
   </div>
   <button type="submit">Filtern</button>
 </form>
+<div class="quickfilters">
+  <a href="/ui/detections?status=open">Open</a>
+  <a href="/ui/detections?severity=critical">Critical</a>
+  <a href="/ui/detections?severity=high">High</a>
+  <a href="/ui/detections?status=investigating">Investigating</a>
+  <a href="/ui/detections?status=false_positive">False Positives</a>
+  <a href="/ui/detections?status=legitimate">Legitim</a>
+  <a href="/ui/detections?status=resolved">Resolved</a>
+</div>
+<div class="table-wrap">
 <table>
-  <tr><th>Zeit</th><th>Rule</th><th>Severity</th><th>Host</th><th>Score</th><th>Summary</th><th>Events</th></tr>
+  <tr>
+  <th>Zeit</th>
+  <th>Rule</th>
+  <th>Severity</th>
+  <th>Status</th>
+  <th>Host</th>
+  <th>Score</th>
+  <th>Summary</th>
+  <th>Bewertung</th>
+  <th>Events</th>
+</tr>
   {{range .Detections}}
   <tr>
-    <td>{{fmtTime .CreatedAt}}</td>
-    <td>{{.RuleName}}</td>
-    <td class="sev-{{.Severity}}">{{.Severity}}</td>
-    <td>{{.Hostname}}</td>
-    <td>{{printf "%.2f" .Score}}</td>
-    <td>{{.Summary}}</td>
-    <td><a href="/ui/events?host={{q .Hostname}}&rule={{q .RuleName}}&severity={{q .Severity}}">anzeigen</a></td>
-  </tr>
+  <td>{{fmtTime .CreatedAt}}</td>
+  <td><span class="mono">{{.RuleName}}</span></td>
+  <td><span class="badge sev-{{.Severity}}">{{.Severity}}</span></td>
+  <td><span class="badge status-{{.Status}}">{{.Status}}</span></td>
+  <td>{{.Hostname}}</td>
+  <td>{{printf "%.2f" .Score}}</td>
+  <td class="wrap">
+    {{.Summary}}
+    {{if .AnalystNote}}
+      <div class="note">Notiz: {{.AnalystNote}}</div>
+    {{end}}
+  </td>
+  <td>
+    <form method="post" action="/ui/detection/update" class="mini-form">
+      <input type="hidden" name="id" value="{{.ID}}">
+      <input type="hidden" name="redirect" value="/ui/detections">
+
+      <select name="status">
+        <option value="open" {{if eq .Status "open"}}selected{{end}}>open</option>
+        <option value="acknowledged" {{if eq .Status "acknowledged"}}selected{{end}}>ack</option>
+        <option value="investigating" {{if eq .Status "investigating"}}selected{{end}}>investigating</option>
+        <option value="legitimate" {{if eq .Status "legitimate"}}selected{{end}}>legitim</option>
+        <option value="false_positive" {{if eq .Status "false_positive"}}selected{{end}}>false positive</option>
+        <option value="resolved" {{if eq .Status "resolved"}}selected{{end}}>resolved</option>
+        <option value="suppressed" {{if eq .Status "suppressed"}}selected{{end}}>suppressed</option>
+      </select>
+
+		<label class="checkline">
+			<input type="checkbox" name="create_suppression" value="1">
+			künftig unterdrücken
+		</label>
+
+		<select name="suppress_hours">
+			<option value="24">24h</option>
+			<option value="168">7 Tage</option>
+			<option value="720">30 Tage</option>
+			<option value="0">dauerhaft</option>
+		</select>
+
+      <input name="note" placeholder="Notiz" value="{{.AnalystNote}}">
+      <button type="submit">Speichern</button>
+    </form>
+  </td>
+  <td>
+    <a href="/ui/events?host={{q .Hostname}}&rule={{q .RuleName}}&severity={{q .Severity}}">anzeigen</a>
+  </td>
+</tr>
   {{end}}
 </table>
+</div>
 {{template "footer" .}}
 {{end}}
 
@@ -210,6 +609,7 @@ const uiTemplates = `
 </form>
 
 <h2>Bestehende Regeln</h2>
+<div class="table-wrap">
 <table>
   <tr>
     <th>Name</th><th>Severity</th><th>Channel</th><th>Events</th><th>Filter</th><th>Threshold</th><th>Status</th><th>Aktion</th>
@@ -244,6 +644,7 @@ const uiTemplates = `
   </tr>
   {{end}}
 </table>
+</div>
 {{template "footer" .}}
 {{end}}
 
@@ -263,6 +664,7 @@ const uiTemplates = `
   <button type="submit">Filtern</button>
 </form>
 
+<div class="table-wrap">
 <table>
   <tr>
     <th>Zeit</th>
@@ -291,6 +693,7 @@ const uiTemplates = `
   </tr>
   {{end}}
 </table>
+</div>
 {{template "footer" .}}
 {{end}}
 
@@ -312,6 +715,7 @@ const uiTemplates = `
   </div>
   <button type="submit">Filtern</button>
 </form>
+<div class="table-wrap">
 <table>
   <tr>
     <th>Zeit</th><th>Host</th><th>Channel</th><th>EventID</th><th>Target User</th><th>Subject User</th><th>IP</th><th>Workstation</th><th>Detail</th>
@@ -330,6 +734,7 @@ const uiTemplates = `
   </tr>
   {{end}}
 </table>
+</div>
 {{template "footer" .}}
 {{end}}
 
@@ -337,7 +742,7 @@ const uiTemplates = `
 {{template "header" .}}
 <h1>{{.Title}}</h1>
 <p class="muted">Stand: {{fmtTime .Now}}</p>
-
+<div class="table-wrap">
 <table>
   <tr>
     <th>Hostname</th>
@@ -385,6 +790,7 @@ const uiTemplates = `
   </tr>
   {{end}}
 </table>
+</div>
 {{template "footer" .}}
 {{end}}
 
@@ -496,6 +902,13 @@ type Detection struct {
 	Summary     string          `json:"summary"`
 	Details     json.RawMessage `json:"details_json"`
 	CreatedAt   time.Time       `json:"created_at"`
+
+	Status          string
+	AnalystNote     string
+	ReviewedBy      string
+	ReviewedAt      sql.NullTime
+	IsFalsePositive bool
+	IsLegitimate    bool
 }
 
 type ingestResponse struct {
@@ -564,6 +977,12 @@ type DashboardStats struct {
 	Events24h         int64
 	Detections24h     int64
 	HighDetections24h int64
+
+	OpenDetections          int64
+	InvestigatingDetections int64
+	CriticalDetections24h   int64
+	FalsePositive24h        int64
+	Legitimate24h           int64
 }
 
 type DashboardPageData struct {
@@ -857,6 +1276,9 @@ func main() {
 			}
 			return s[:n] + "..."
 		},
+		"eq": func(a, b string) bool {
+			return a == b
+		},
 	}).Parse(uiTemplates))
 
 	s.templates = tmpl
@@ -871,6 +1293,7 @@ func main() {
 	mux.Handle("/metrics", promhttp.HandlerFor(reg, promhttp.HandlerOpts{}))
 	mux.HandleFunc("/ui", s.handleUIIndex)
 	mux.HandleFunc("/ui/detections", s.handleUIDetections)
+	mux.HandleFunc("/ui/detection/update", s.handleUIDetectionUpdate)
 	mux.HandleFunc("/ui/events", s.handleUIEvents)
 	mux.HandleFunc("/ui/event", s.handleUIEventDetail)
 	mux.HandleFunc("/ui/agents", s.handleUIAgents)
@@ -912,6 +1335,161 @@ func main() {
 	}
 }
 
+func (s *server) handleUIDetectionUpdate(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		writeError(w, http.StatusMethodNotAllowed, "method not allowed")
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid form")
+		return
+	}
+
+	id, err := strconv.ParseUint(strings.TrimSpace(r.FormValue("id")), 10, 64)
+	if err != nil || id == 0 {
+		writeError(w, http.StatusBadRequest, "invalid id")
+		return
+	}
+
+	status := strings.TrimSpace(r.FormValue("status"))
+	note := strings.TrimSpace(r.FormValue("note"))
+	reviewedBy := strings.TrimSpace(r.FormValue("reviewed_by"))
+
+	if reviewedBy == "" {
+		reviewedBy = "ui"
+	}
+
+	switch status {
+	case "open", "acknowledged", "investigating", "legitimate", "false_positive", "resolved", "suppressed":
+	default:
+		writeError(w, http.StatusBadRequest, "invalid status")
+		return
+	}
+
+	isFalsePositive := status == "false_positive"
+	isLegitimate := status == "legitimate"
+
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	_, err = s.db.ExecContext(ctx, `
+UPDATE detections
+SET status = ?,
+    analyst_note = ?,
+    reviewed_by = ?,
+    reviewed_at = UTC_TIMESTAMP(6),
+    is_false_positive = ?,
+    is_legitimate = ?
+WHERE id = ?
+`,
+		status,
+		note,
+		reviewedBy,
+		isFalsePositive,
+		isLegitimate,
+		id,
+	)
+	if err != nil {
+		s.logger.Printf("update detection: %v", err)
+		writeError(w, http.StatusInternalServerError, "internal error")
+		return
+	}
+
+	createSuppression := strings.TrimSpace(r.FormValue("create_suppression")) == "1"
+
+	if createSuppression && (status == "false_positive" || status == "legitimate" || status == "suppressed") {
+		det, err := s.getDetectionByID(ctx, id)
+		if err != nil {
+			s.logger.Printf("get detection for suppression: %v", err)
+			writeError(w, http.StatusInternalServerError, "internal error")
+			return
+		}
+
+		hours := atoiDefault(r.FormValue("suppress_hours"), 24)
+
+		reason := note
+		if reason == "" {
+			reason = fmt.Sprintf("Suppression via UI wegen Status %s", status)
+		}
+
+		if err := s.createSuppressionFromDetection(ctx, det, reason, reviewedBy, hours); err != nil {
+			s.logger.Printf("create suppression: %v", err)
+			writeError(w, http.StatusInternalServerError, "internal error")
+			return
+		}
+	}
+
+	redirect := strings.TrimSpace(r.FormValue("redirect"))
+	if redirect == "" {
+		redirect = "/ui/detections"
+	}
+
+	http.Redirect(w, r, redirect, http.StatusSeeOther)
+}
+
+func (s *server) getDetectionByID(ctx context.Context, id uint64) (Detection, error) {
+	const q = `
+SELECT id, rule_name, severity, hostname, channel_name, event_id, score,
+       window_start, window_end, summary, details_json, created_at,
+       status,
+       COALESCE(analyst_note, ''),
+       COALESCE(reviewed_by, ''),
+       reviewed_at,
+       is_false_positive,
+       is_legitimate
+FROM detections
+WHERE id = ?
+LIMIT 1
+`
+
+	var d Detection
+	err := s.db.QueryRowContext(ctx, q, id).Scan(
+		&d.ID,
+		&d.RuleName,
+		&d.Severity,
+		&d.Hostname,
+		&d.Channel,
+		&d.EventID,
+		&d.Score,
+		&d.WindowStart,
+		&d.WindowEnd,
+		&d.Summary,
+		&d.Details,
+		&d.CreatedAt,
+		&d.Status,
+		&d.AnalystNote,
+		&d.ReviewedBy,
+		&d.ReviewedAt,
+		&d.IsFalsePositive,
+		&d.IsLegitimate,
+	)
+	return d, err
+}
+
+func (s *server) createSuppressionFromDetection(ctx context.Context, det Detection, reason, createdBy string, hours int) error {
+	var expiresAt any = nil
+	if hours > 0 {
+		expiresAt = time.Now().UTC().Add(time.Duration(hours) * time.Hour)
+	}
+
+	_, err := s.db.ExecContext(ctx, `
+INSERT INTO detection_suppressions
+(rule_name, hostname, channel_name, event_id, reason, created_by, expires_at, enabled)
+VALUES (?, ?, ?, ?, ?, ?, ?, 1)
+`,
+		det.RuleName,
+		det.Hostname,
+		det.Channel,
+		det.EventID,
+		reason,
+		createdBy,
+		expiresAt,
+	)
+
+	return err
+}
+
 func (s *server) listBaselineAnomalies(ctx context.Context, host, channel, severity string, eventID uint32, limit int) ([]BaselineAnomalyRow, error) {
 	if limit <= 0 || limit > 1000 {
 		limit = 100
@@ -1377,7 +1955,7 @@ func (s *server) handleUIIndex(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	dets, err := s.listDetections(ctx, "", "", "", 20)
+	dets, err := s.listDetections(ctx, "", "", "", "", 20)
 	if err != nil {
 		s.logger.Printf("dashboard detections: %v", err)
 		writeError(w, http.StatusInternalServerError, "internal error")
@@ -1412,6 +1990,7 @@ func (s *server) handleUIDetections(w http.ResponseWriter, r *http.Request) {
 		"host":     strings.TrimSpace(r.URL.Query().Get("host")),
 		"rule":     strings.TrimSpace(r.URL.Query().Get("rule")),
 		"severity": strings.TrimSpace(r.URL.Query().Get("severity")),
+		"status":   strings.TrimSpace(r.URL.Query().Get("status")),
 		"limit":    strings.TrimSpace(r.URL.Query().Get("limit")),
 	}
 
@@ -1425,7 +2004,7 @@ func (s *server) handleUIDetections(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
 	defer cancel()
 
-	items, err := s.listDetections(ctx, filters["host"], filters["rule"], filters["severity"], limit)
+	items, err := s.listDetections(ctx, filters["host"], filters["rule"], filters["severity"], filters["status"], limit)
 	if err != nil {
 		s.logger.Printf("ui detections: %v", err)
 		writeError(w, http.StatusInternalServerError, "internal error")
@@ -1590,6 +2169,39 @@ func (s *server) getDashboardStats(ctx context.Context) (DashboardStats, error)
 		return stats, err
 	}
 
+	if err := s.db.QueryRowContext(ctx, `
+SELECT COUNT(*) FROM detections WHERE status = 'open'
+`).Scan(&stats.OpenDetections); err != nil {
+		return stats, err
+	}
+
+	if err := s.db.QueryRowContext(ctx, `
+SELECT COUNT(*) FROM detections WHERE status = 'investigating'
+`).Scan(&stats.InvestigatingDetections); err != nil {
+		return stats, err
+	}
+
+	if err := s.db.QueryRowContext(ctx, `
+SELECT COUNT(*) FROM detections
+WHERE created_at >= ? AND severity = 'critical'
+`, time.Now().UTC().Add(-24*time.Hour)).Scan(&stats.CriticalDetections24h); err != nil {
+		return stats, err
+	}
+
+	if err := s.db.QueryRowContext(ctx, `
+SELECT COUNT(*) FROM detections
+WHERE created_at >= ? AND status = 'false_positive'
+`, time.Now().UTC().Add(-24*time.Hour)).Scan(&stats.FalsePositive24h); err != nil {
+		return stats, err
+	}
+
+	if err := s.db.QueryRowContext(ctx, `
+SELECT COUNT(*) FROM detections
+WHERE created_at >= ? AND status = 'legitimate'
+`, time.Now().UTC().Add(-24*time.Hour)).Scan(&stats.Legitimate24h); err != nil {
+		return stats, err
+	}
+
 	return stats, nil
 }
 
@@ -1923,11 +2535,11 @@ func (s *server) handleDetections(w http.ResponseWriter, r *http.Request) {
 	host := strings.TrimSpace(r.URL.Query().Get("host"))
 	rule := strings.TrimSpace(r.URL.Query().Get("rule"))
 	severity := strings.TrimSpace(r.URL.Query().Get("severity"))
-
+	status := strings.TrimSpace(r.URL.Query().Get("status"))
 	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
 	defer cancel()
 
-	items, err := s.listDetections(ctx, host, rule, severity, limit)
+	items, err := s.listDetections(ctx, host, rule, severity, status, limit)
 	if err != nil {
 		s.logger.Printf("list detections: %v", err)
 		writeError(w, http.StatusInternalServerError, "internal error")
@@ -2097,10 +2709,16 @@ INSERT INTO event_logs (
 	return nil
 }
 
-func (s *server) listDetections(ctx context.Context, host, rule, severity string, limit int) ([]Detection, error) {
+func (s *server) listDetections(ctx context.Context, host, rule, severity, status string, limit int) ([]Detection, error) {
 	base := `
 SELECT id, rule_name, severity, hostname, channel_name, event_id, score,
-       window_start, window_end, summary, details_json, created_at
+       window_start, window_end, summary, details_json, created_at,
+       status,
+       COALESCE(analyst_note, ''),
+       COALESCE(reviewed_by, ''),
+       reviewed_at,
+       is_false_positive,
+       is_legitimate
 FROM detections
 WHERE 1=1
 `
@@ -2118,6 +2736,10 @@ WHERE 1=1
 		base += " AND severity = ?"
 		args = append(args, severity)
 	}
+	if status != "" {
+		base += " AND status = ?"
+		args = append(args, status)
+	}
 
 	base += " ORDER BY created_at DESC LIMIT ?"
 	args = append(args, limit)
@@ -2132,9 +2754,24 @@ WHERE 1=1
 	for rows.Next() {
 		var d Detection
 		if err := rows.Scan(
-			&d.ID, &d.RuleName, &d.Severity, &d.Hostname, &d.Channel,
-			&d.EventID, &d.Score, &d.WindowStart, &d.WindowEnd,
-			&d.Summary, &d.Details, &d.CreatedAt,
+			&d.ID,
+			&d.RuleName,
+			&d.Severity,
+			&d.Hostname,
+			&d.Channel,
+			&d.EventID,
+			&d.Score,
+			&d.WindowStart,
+			&d.WindowEnd,
+			&d.Summary,
+			&d.Details,
+			&d.CreatedAt,
+			&d.Status,
+			&d.AnalystNote,
+			&d.ReviewedBy,
+			&d.ReviewedAt,
+			&d.IsFalsePositive,
+			&d.IsLegitimate,
 		); err != nil {
 			return nil, err
 		}
@@ -2965,10 +3602,11 @@ func (s *server) runDetectionsOnce() {
 
 func (d *detector) updateAgentMetrics(ctx context.Context) error {
 	const q = `
-SELECT hostname, UNIX_TIMESTAMP(last_seen)
+SELECT hostname, last_seen
 FROM agents
 WHERE is_enabled = 1
 `
+
 	rows, err := d.db.QueryContext(ctx, q)
 	if err != nil {
 		return err
@@ -2980,20 +3618,25 @@ WHERE is_enabled = 1
 
 	for rows.Next() {
 		var host string
-		var lastSeen sql.NullInt64
+		var lastSeen time.Time
+
 		if err := rows.Scan(&host, &lastSeen); err != nil {
 			return err
 		}
-		if lastSeen.Valid {
-			d.lastSeenGauge.WithLabelValues(host).Set(float64(lastSeen.Int64))
-			if now.Sub(time.Unix(lastSeen.Int64, 0).UTC()) <= d.cfg.OfflineAfter {
-				active++
-			}
+
+		lastSeenUTC := lastSeen.UTC()
+
+		d.lastSeenGauge.WithLabelValues(host).Set(float64(lastSeenUTC.Unix()))
+
+		if now.Sub(lastSeenUTC) <= d.cfg.OfflineAfter {
+			active++
 		}
 	}
+
 	if err := rows.Err(); err != nil {
 		return err
 	}
+
 	d.activeAgentsGauge.Set(float64(active))
 	return nil
 }
@@ -3085,7 +3728,7 @@ HAVING COUNT(*) >= ?
 		}
 
 		score := float64(count) / float64(d.cfg.FailedLogonThreshold)
-		severity := severityFromScore(score, 2.0, 5.0)
+		severity := severityFromScore(score, 1.0, 2.0, 4.0, 8.0)
 		d.anomalyScoreGauge.WithLabelValues(host, "failed_logon_spike").Set(score)
 
 		created, err := d.insertDetection(ctx, Detection{
@@ -3142,7 +3785,7 @@ HAVING COUNT(*) >= ?
 		}
 
 		score := float64(count) / float64(d.cfg.RebootThreshold)
-		severity := severityFromScore(score, 2.0, 4.0)
+		severity := severityFromScore(score, 1.0, 2.0, 4.0, 8.0)
 		d.anomalyScoreGauge.WithLabelValues(host, "reboot_spike").Set(score)
 
 		created, err := d.insertDetection(ctx, Detection{
@@ -3265,7 +3908,7 @@ HAVING COUNT(*) >= ? AND COUNT(DISTINCT target_user) >= ?
 		}
 
 		score := math.Max(float64(attempts)/float64(d.cfg.PasswordSprayMinAttempts), float64(users)/float64(d.cfg.PasswordSprayMinUsers))
-		severity := severityFromScore(score, 1.5, 3.0)
+		severity := severityFromScore(score, 1.0, 2.0, 4.0, 8.0)
 		d.anomalyScoreGauge.WithLabelValues(host, "password_spray").Set(score)
 
 		created, err := d.insertDetection(ctx, Detection{
@@ -3443,7 +4086,42 @@ GROUP BY e.hostname, e.target_user, e.src_ip
 	return rows.Err()
 }
 
+func (d *detector) isDetectionSuppressed(ctx context.Context, det Detection) (bool, error) {
+	var count int
+
+	err := d.db.QueryRowContext(ctx, `
+SELECT COUNT(*)
+FROM detection_suppressions
+WHERE enabled = 1
+  AND rule_name = ?
+  AND (hostname = '' OR hostname = ?)
+  AND (channel_name = '' OR channel_name = ?)
+  AND (event_id = 0 OR event_id = ?)
+  AND (expires_at IS NULL OR expires_at > UTC_TIMESTAMP(6))
+`,
+		det.RuleName,
+		det.Hostname,
+		det.Channel,
+		det.EventID,
+	).Scan(&count)
+
+	if err != nil {
+		return false, err
+	}
+
+	return count > 0, nil
+}
+
 func (d *detector) insertDetection(ctx context.Context, det Detection) (bool, error) {
+
+	suppressed, err := d.isDetectionSuppressed(ctx, det)
+	if err != nil {
+		return false, err
+	}
+	if suppressed {
+		return false, nil
+	}
+
 	const q = `
 INSERT IGNORE INTO detections
 (rule_name, severity, hostname, channel_name, event_id, score, window_start, window_end, summary, details_json)
@@ -3683,14 +4361,18 @@ func validatePayload(p *LogPayload) error {
 	return nil
 }
 
-func severityFromScore(score, medium, high float64) string {
+func severityFromScore(score, low, medium, high, critical float64) string {
 	switch {
+	case score >= critical:
+		return "critical"
 	case score >= high:
 		return "high"
 	case score >= medium:
 		return "medium"
-	default:
+	case score >= low:
 		return "low"
+	default:
+		return "info"
 	}
 }
 

Zeit	Rule	Severity	Host	Score	Summary	Events
Zeit	Rule	Severity	Status	Host	Score	Summary	Bewertung	Events
{{fmtTime .CreatedAt}}	{{.RuleName}}	{{.Severity}}	{{.Hostname}}	{{printf "%.2f" .Score}}	{{.Summary}}	anzeigen
{{fmtTime .CreatedAt}}	{{.RuleName}}	{{.Severity}}	{{.Status}}	{{.Hostname}}	{{printf "%.2f" .Score}}	+ {{.Summary}} + {{if .AnalystNote}} + Notiz: {{.AnalystNote}} + {{end}} +	+ + + + + + + + + künftig unterdrücken + + + + + + + +	+ anzeigen +