From c563367978ae8d1c459f24fe7dfbab36f7b9f15f Mon Sep 17 00:00:00 2001
From: jbergner <jbergner@send.nrw>
Date: Sat, 25 Apr 2026 21:32:19 +0200
Subject: [PATCH] =?UTF-8?q?Anpassungen=20f=C3=BCr=20echte=20Incidents,=20d?=
 =?UTF-8?q?amit=20diese=20w=C3=A4hrend=20der=20Lernphase=20nicht=20in=20da?=
 =?UTF-8?q?s=20dauerhafte=20Trainings-Set=20aufgenommen=20werden.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 deploy/mariadb/init/001-schema.sql |  17 ++-
 main.go                            | 161 ++++++++++++++++++++++++++++-
 2 files changed, 176 insertions(+), 2 deletions(-)

diff --git a/deploy/mariadb/init/001-schema.sql b/deploy/mariadb/init/001-schema.sql
index 3d0b42e..4c1cccb 100644
--- a/deploy/mariadb/init/001-schema.sql
+++ b/deploy/mariadb/init/001-schema.sql
@@ -1380,4 +1380,19 @@ CREATE TABLE detection_suppressions (
 );
 
 CREATE INDEX idx_suppressions_lookup
-ON detection_suppressions (enabled, rule_name, hostname, channel_name, event_id);
\ No newline at end of file
+ON detection_suppressions (enabled, rule_name, hostname, channel_name, event_id);
+
+CREATE TABLE baseline_exclusions (
+    id BIGINT AUTO_INCREMENT PRIMARY KEY,
+    hostname VARCHAR(255) NOT NULL DEFAULT '',
+    channel_name VARCHAR(255) NOT NULL DEFAULT '',
+    event_id INT NOT NULL DEFAULT 0,
+    reason TEXT NULL,
+    created_by VARCHAR(128) NOT NULL DEFAULT '',
+    created_at TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
+    expires_at TIMESTAMP(6) NULL,
+    enabled TINYINT(1) NOT NULL DEFAULT 1
+);
+
+CREATE INDEX idx_baseline_exclusions_lookup
+ON baseline_exclusions (enabled, hostname, channel_name, event_id, expires_at);
\ No newline at end of file
diff --git a/main.go b/main.go
index 0898cb4..1c7bb6d 100644
--- a/main.go
+++ b/main.go
@@ -488,6 +488,7 @@ a {
     <option value="false_positive" {{if eq (index .Filters "status") "false_positive"}}selected{{end}}>false positive</option>
     <option value="resolved" {{if eq (index .Filters "status") "resolved"}}selected{{end}}>resolved</option>
     <option value="suppressed" {{if eq (index .Filters "status") "suppressed"}}selected{{end}}>suppressed</option>
+	<option value="confirmed_incident" {{if eq (index .Filters "status") "confirmed_incident"}}selected{{end}}>confirmed incident</option>
   </select>
 </div>
     <div><label>Limit</label><input name="limit" value="{{index .Filters "limit"}}"></div>
@@ -502,6 +503,7 @@ a {
   <a href="/ui/detections?status=false_positive">False Positives</a>
   <a href="/ui/detections?status=legitimate">Legitim</a>
   <a href="/ui/detections?status=resolved">Resolved</a>
+  <a href="/ui/detections?status=confirmed_incident">Confirmed Incidents</a>
 </div>
 <div class="table-wrap">
 <table>
@@ -543,6 +545,7 @@ a {
         <option value="false_positive" {{if eq .Status "false_positive"}}selected{{end}}>false positive</option>
         <option value="resolved" {{if eq .Status "resolved"}}selected{{end}}>resolved</option>
         <option value="suppressed" {{if eq .Status "suppressed"}}selected{{end}}>suppressed</option>
+		<option value="confirmed_incident" {{if eq (index .Filters "status") "confirmed_incident"}}selected{{end}}>confirmed incident</option>
       </select>
 
 		<label class="checkline">
@@ -557,6 +560,15 @@ a {
 			<option value="0">dauerhaft</option>
 		</select>
 
+		<label>Baseline</label>
+		<select name="baseline_action">
+			<option value="">keine Änderung</option>
+			<option value="exclude_24h">nicht lernen: 24h</option>
+			<option value="exclude_7d">nicht lernen: 7 Tage</option>
+			<option value="exclude_30d">nicht lernen: 30 Tage</option>
+			<option value="exclude_forever">nicht lernen: dauerhaft</option>
+		</select>
+
       <input name="note" placeholder="Notiz" value="{{.AnalystNote}}">
       <button type="submit">Speichern</button>
     </form>
@@ -1334,6 +1346,28 @@ func main() {
 	}
 }
 
+func (s *server) createBaselineExclusionFromDetection(ctx context.Context, det Detection, reason, createdBy string, hours int) error {
+	var expiresAt any = nil
+	if hours > 0 {
+		expiresAt = time.Now().UTC().Add(time.Duration(hours) * time.Hour)
+	}
+
+	_, err := s.db.ExecContext(ctx, `
+INSERT INTO baseline_exclusions
+(hostname, channel_name, event_id, reason, created_by, expires_at, enabled)
+VALUES (?, ?, ?, ?, ?, ?, 1)
+`,
+		det.Hostname,
+		det.Channel,
+		det.EventID,
+		reason,
+		createdBy,
+		expiresAt,
+	)
+
+	return err
+}
+
 func (s *server) handleUIDetectionUpdate(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
 		writeError(w, http.StatusMethodNotAllowed, "method not allowed")
@@ -1360,7 +1394,7 @@ func (s *server) handleUIDetectionUpdate(w http.ResponseWriter, r *http.Request)
 	}
 
 	switch status {
-	case "open", "acknowledged", "investigating", "legitimate", "false_positive", "resolved", "suppressed":
+	case "open", "acknowledged", "investigating", "legitimate", "false_positive", "resolved", "suppressed", "confirmed_incident":
 	default:
 		writeError(w, http.StatusBadRequest, "invalid status")
 		return
@@ -1419,6 +1453,64 @@ WHERE id = ?
 		}
 	}
 
+	baselineAction := strings.TrimSpace(r.FormValue("baseline_action"))
+
+	if baselineAction != "" {
+		det, err := s.getDetectionByID(ctx, id)
+		if err != nil {
+			s.logger.Printf("get detection for baseline exclusion: %v", err)
+			writeError(w, http.StatusInternalServerError, "internal error")
+			return
+		}
+
+		hours := 0
+
+		switch baselineAction {
+		case "exclude_24h":
+			hours = 24
+		case "exclude_7d":
+			hours = 168
+		case "exclude_30d":
+			hours = 720
+		case "exclude_forever":
+			hours = 0
+		default:
+			writeError(w, http.StatusBadRequest, "invalid baseline action")
+			return
+		}
+
+		reason := note
+		if reason == "" {
+			reason = fmt.Sprintf("Baseline exclusion via UI wegen Status %s", status)
+		}
+
+		if err := s.createBaselineExclusionFromDetection(ctx, det, reason, reviewedBy, hours); err != nil {
+			s.logger.Printf("create baseline exclusion: %v", err)
+			writeError(w, http.StatusInternalServerError, "internal error")
+			return
+		}
+	}
+
+	if status == "confirmed_incident" && baselineAction == "" {
+		det, err := s.getDetectionByID(ctx, id)
+		if err != nil {
+			s.logger.Printf("get detection for confirmed incident exclusion: %v", err)
+			writeError(w, http.StatusInternalServerError, "internal error")
+			return
+		}
+
+		reason := note
+		if reason == "" {
+			reason = "Confirmed incident: nicht in Baseline einlernen"
+		}
+
+		if err := s.createBaselineExclusionFromDetection(ctx, det, reason, reviewedBy, 168); err != nil {
+			s.logger.Printf("create confirmed incident baseline exclusion: %v", err)
+			writeError(w, http.StatusInternalServerError, "internal error")
+			return
+		}
+	}
+
 	redirect := strings.TrimSpace(r.FormValue("redirect"))
 	if redirect == "" {
 		redirect = "/ui/detections"
@@ -1427,6 +1519,30 @@ WHERE id = ?
 	http.Redirect(w, r, redirect, http.StatusSeeOther)
 }
 
+func (d *detector) isBaselineExcluded(ctx context.Context, hostname, channel string, eventID uint32) (bool, error) {
+	var count int
+
+	err := d.db.QueryRowContext(ctx, `
+SELECT COUNT(*)
+FROM baseline_exclusions
+WHERE enabled = 1
+  AND (hostname = '' OR hostname = ?)
+  AND (channel_name = '' OR channel_name = ?)
+  AND (event_id = 0 OR event_id = ?)
+  AND (expires_at IS NULL OR expires_at > UTC_TIMESTAMP(6))
+`,
+		hostname,
+		channel,
+		eventID,
+	).Scan(&count)
+
+	if err != nil {
+		return false, err
+	}
+
+	return count > 0, nil
+}
+
 func (s *server) getDetectionByID(ctx context.Context, id uint64) (Detection, error) {
 	const q = `
 SELECT id, rule_name, severity, hostname, channel_name, event_id, score,
@@ -2828,6 +2944,22 @@ GROUP BY hostname, channel_name, event_id, HOUR(ts), WEEKDAY(ts)
 			return err
 		}
 
+		excluded, err := d.isBaselineExcluded(ctx, b.Hostname, b.Channel, b.EventID)
+		if err != nil {
+			return err
+		}
+		if excluded {
+			continue
+		}
+
+		incident, err := d.hasConfirmedIncidentInWindow(ctx, b.Hostname, b.Channel, b.EventID, windowStart, windowEnd)
+		if err != nil {
+			return err
+		}
+		if incident {
+			continue
+		}
+
 		if err := d.updateBaselineBucket(ctx, b); err != nil {
 			return err
 		}
@@ -2836,6 +2968,33 @@ GROUP BY hostname, channel_name, event_id, HOUR(ts), WEEKDAY(ts)
 	return rows.Err()
 }
 
+func (d *detector) hasConfirmedIncidentInWindow(ctx context.Context, hostname, channel string, eventID uint32, windowStart, windowEnd time.Time) (bool, error) {
+	var count int
+
+	err := d.db.QueryRowContext(ctx, `
+SELECT COUNT(*)
+FROM detections
+WHERE status = 'confirmed_incident'
+  AND hostname = ?
+  AND channel_name = ?
+  AND event_id = ?
+  AND window_start < ?
+  AND window_end > ?
+`,
+		hostname,
+		channel,
+		eventID,
+		windowEnd,
+		windowStart,
+	).Scan(&count)
+
+	if err != nil {
+		return false, err
+	}
+
+	return count > 0, nil
+}
+
 func (d *detector) updateBaselineBucket(ctx context.Context, b BaselineBucket) error {
 	tx, err := d.db.BeginTx(ctx, nil)
 	if err != nil {