Risk-Score anpassen, da Open zu einer zu hohen Welle führt. Jeder Host ist binnen Minuten Critical
68
main.go
68
main.go
@@ -4134,27 +4134,27 @@ GROUP BY e.hostname, e.target_user, e.src_ip, e.workstation
|
||||
func riskWeight(severity string) float64 {
|
||||
switch severity {
|
||||
case "critical":
|
||||
return 40
|
||||
return 25
|
||||
case "high":
|
||||
return 15
|
||||
return 10
|
||||
case "medium":
|
||||
return 5
|
||||
return 2
|
||||
case "low":
|
||||
return 1
|
||||
return 0.3
|
||||
case "info":
|
||||
return 0.5
|
||||
return 0.05
|
||||
default:
|
||||
return 1
|
||||
return 0.2
|
||||
}
|
||||
}
|
||||
|
||||
func severityFromRisk(score float64) string {
|
||||
switch {
|
||||
case score >= 80:
|
||||
case score >= 120:
|
||||
return "critical"
|
||||
case score >= 40:
|
||||
case score >= 60:
|
||||
return "high"
|
||||
case score >= 15:
|
||||
case score >= 20:
|
||||
return "medium"
|
||||
case score >= 5:
|
||||
return "low"
|
||||
@@ -4166,6 +4166,19 @@ func severityFromRisk(score float64) string {
|
||||
func (d *detector) runHostRiskScoreUpdate(ctx context.Context) error {
|
||||
windowStart := time.Now().UTC().Add(-d.cfg.RiskScoreWindow)
|
||||
|
||||
if _, err := d.db.ExecContext(ctx, `
|
||||
UPDATE host_risk_scores
|
||||
SET risk_score = 0,
|
||||
severity = 'info',
|
||||
open_detections = 0,
|
||||
high_detections = 0,
|
||||
critical_detections = 0,
|
||||
confirmed_incidents = 0,
|
||||
updated_at = UTC_TIMESTAMP(6)
|
||||
`); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
rows, err := d.db.QueryContext(ctx, `
|
||||
SELECT
|
||||
hostname,
|
||||
@@ -4175,7 +4188,7 @@ SELECT
|
||||
MAX(created_at) AS last_detection_at
|
||||
FROM detections
|
||||
WHERE created_at >= ?
|
||||
AND status NOT IN ('false_positive', 'suppressed')
|
||||
AND status NOT IN ('false_positive', 'suppressed', 'legitimate', 'resolved')
|
||||
GROUP BY hostname, severity, status
|
||||
`, windowStart)
|
||||
if err != nil {
|
||||
@@ -4203,19 +4216,28 @@ GROUP BY hostname, severity, status
|
||||
return err
|
||||
}
|
||||
|
||||
if _, ok := stats[host]; !ok {
|
||||
stats[host] = &agg{}
|
||||
}
|
||||
|
||||
a := stats[host]
|
||||
if a == nil {
|
||||
a = &agg{}
|
||||
stats[host] = a
|
||||
}
|
||||
|
||||
w := riskWeight(sev)
|
||||
if status == "confirmed_incident" {
|
||||
w += 50
|
||||
a.confirmedIncidents += count
|
||||
}
|
||||
|
||||
if status == "open" || status == "investigating" || status == "acknowledged" {
|
||||
switch status {
|
||||
case "confirmed_incident":
|
||||
w += 75
|
||||
a.confirmedIncidents += count
|
||||
case "investigating":
|
||||
w *= 2
|
||||
a.open += count
|
||||
case "acknowledged":
|
||||
w *= 0.5
|
||||
a.open += count
|
||||
case "open":
|
||||
w *= 0.35
|
||||
a.open += count
|
||||
default:
|
||||
a.open += count
|
||||
}
|
||||
|
||||
@@ -4226,7 +4248,8 @@ GROUP BY hostname, severity, status
|
||||
a.critical += count
|
||||
}
|
||||
|
||||
a.score += w * float64(count)
|
||||
// Dämpfung: 100 gleiche offene Events sollen nicht 100x hart zählen.
|
||||
a.score += w * math.Sqrt(float64(count))
|
||||
|
||||
if last.After(a.last) {
|
||||
a.last = last
|
||||
@@ -4266,7 +4289,10 @@ updated_at = UTC_TIMESTAMP(6)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
d.hostRiskScoreGauge.WithLabelValues(host, sev).Set(a.score)
|
||||
|
||||
if d.hostRiskScoreGauge != nil {
|
||||
d.hostRiskScoreGauge.WithLabelValues(host, sev).Set(a.score)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
|
||||
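Review bot: The unconditional `UPDATE host_risk_scores SET risk_score = 0, severity = 'info', …` added at the top of runHostRiskScoreUpdate runs outside any transaction, so if the following SELECT or any per-host write fails, the function returns with every host already downgraded to 0/'info' until the next successful run, and concurrent readers see the zeroed table while the recompute is in progress. Run the reset, the query and the per-host writes on one `sql.Tx` (assuming `d.db` is a `*sql.DB`) and commit just before `return nil`; the MySQL driver needs `rows` closed before further statements go through the same connection, which the later loop over `stats` appears to satisfy, but the lines between the hunks are not visible. The function body spans the second to sixth hunks with gaps outside view, including the statement whose `updated_at = UTC_TIMESTAMP(6)` line heads the last hunk. Separately, the damping line `a.score += w * math.Sqrt(float64(count))` needs `math` imported (not shown here), and the `default:` arm of the new status switch leaves the multiplier at 1.0 while `open` is scaled by 0.35, so any status the SQL filter does not exclude would out-weigh an open detection — worth confirming no such status exists.
```go
func (d *detector) runHostRiskScoreUpdate(ctx context.Context) error {
	windowStart := time.Now().UTC().Add(-d.cfg.RiskScoreWindow)

	// Reset and recompute atomically so a mid-run failure cannot leave
	// every host at 0/'info'.
	tx, err := d.db.BeginTx(ctx, nil)
	if err != nil {
		return err
	}
	defer tx.Rollback() // no-op once Commit has succeeded

	if _, err := tx.ExecContext(ctx, `
	// … unchanged: UPDATE host_risk_scores reset statement …
	`); err != nil {
		return err
	}

	rows, err := tx.QueryContext(ctx, `
	// … unchanged: SELECT … GROUP BY hostname, severity, status …
	`, windowStart)
	// … unchanged: aggregation loop; rows must be closed before the writes below …
	// … unchanged: per-host upsert loop and gauge update, using tx instead of d.db …

	if err := tx.Commit(); err != nil {
		return err
	}
	return nil
}
```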