From c5bc52788b8b9e3a1752c1d95111362746646252 Mon Sep 17 00:00:00 2001
From: jbergner
Date: Sun, 26 Apr 2026 10:09:44 +0200
Subject: [PATCH] =?UTF-8?q?Risk-Score=20anpassen,=20da=20Open=20zu=20einer?=
 =?UTF-8?q?=20zu=20hohen=20Welle=20f=C3=BChrt.=20Jeder=20Host=20ist=20binn?=
 =?UTF-8?q?en=20Minuten=20Critical?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 main.go | 68 +++++++++++++++++++++++++++++++++++++++------------------
 1 file changed, 47 insertions(+), 21 deletions(-)
diff --git a/main.go b/main.go
index b309ce0..90a12fd 100644
--- a/main.go
+++ b/main.go
@@ -4134,27 +4134,27 @@ GROUP BY e.hostname, e.target_user, e.src_ip, e.workstation
 func riskWeight(severity string) float64 {
 switch severity {
 case "critical":
- return 40
+ return 25
 case "high":
- return 15
+ return 10
 case "medium":
- return 5
+ return 2
 case "low":
- return 1
+ return 0.3
 case "info":
- return 0.5
+ return 0.05
 default:
- return 1
+ return 0.2
 }
 }
 func severityFromRisk(score float64) string {
 switch {
- case score >= 80:
+ case score >= 120:
 return "critical"
- case score >= 40:
+ case score >= 60:
 return "high"
- case score >= 15:
+ case score >= 20:
 return "medium"
 case score >= 5:
 return "low"
@@ -4166,6 +4166,19 @@ func severityFromRisk(score float64) string {
 func (d *detector) runHostRiskScoreUpdate(ctx context.Context) error {
 windowStart := time.Now().UTC().Add(-d.cfg.RiskScoreWindow)
+ if _, err := d.db.ExecContext(ctx, `
+UPDATE host_risk_scores
+SET risk_score = 0,
+ severity = 'info',
+ open_detections = 0,
+ high_detections = 0,
+ critical_detections = 0,
+ confirmed_incidents = 0,
+ updated_at = UTC_TIMESTAMP(6)
+`); err != nil {
+ return err
+ }
+
 rows, err := d.db.QueryContext(ctx, `
 SELECT hostname,
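Review bot: The weights in riskWeight and the thresholds in severityFromRisk are tuned as a pair (the commit rescales both), yet they live as unrelated literals in two functions, and the `case score >= 5:` boundary for "low" keeps its old value while the other three thresholds moved; if that is deliberate it deserves a comment, otherwise it looks like an omission. Consider hoisting both sets into one grouped `const` block headed by a comment stating the scale they assume, e.g. `// riskWeight values are per (severity, status) group, scaled by the status factors and damped by sqrt(count) in runHostRiskScoreUpdate; severityFromRisk thresholds are tuned to that scale.` The `default:` arm also silently assigns 0.2 to any unrecognised severity string, so a detection stored with a misspelled severity contributes almost nothing; that deserves at least a comment, or a log line where the unknown value is first seen.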
@@ -4175,7 +4188,7 @@ SELECT MAX(created_at) AS last_detection_at
 FROM detections
 WHERE created_at >= ?
- AND status NOT IN ('false_positive', 'suppressed')
+ AND status NOT IN ('false_positive', 'suppressed', 'legitimate', 'resolved')
 GROUP BY hostname, severity, status
 `, windowStart)
 if err != nil {
@@ -4203,19 +4216,28 @@ GROUP BY hostname, severity, status
 return err
 }
- if _, ok := stats[host]; !ok {
- stats[host] = &agg{}
- }
+ a := stats[host]
+ if a == nil {
+ a = &agg{}
+ stats[host] = a
+ }
 w := riskWeight(sev)
- if status == "confirmed_incident" {
- w += 50
- a.confirmedIncidents += count
- }
- if status == "open" || status == "investigating" || status == "acknowledged" {
+ switch status {
+ case "confirmed_incident":
+ w += 75
+ a.confirmedIncidents += count
+ case "investigating":
+ w *= 2
+ a.open += count
+ case "acknowledged":
+ w *= 0.5
+ a.open += count
+ case "open":
+ w *= 0.35
+ a.open += count
+ default:
 a.open += count
 }
@@ -4226,7 +4248,8 @@ GROUP BY hostname, severity, status
 a.critical += count
 }
- a.score += w * float64(count)
+ // Dämpfung: 100 gleiche offene Events sollen nicht 100x hart zählen.
+ a.score += w * math.Sqrt(float64(count))
 if last.After(a.last) {
 a.last = last
@@ -4266,7 +4289,10 @@ updated_at = UTC_TIMESTAMP(6)
 if err != nil {
 return err
 }
- d.hostRiskScoreGauge.WithLabelValues(host, sev).Set(a.score)
+
+ if d.hostRiskScoreGauge != nil {
+ d.hostRiskScoreGauge.WithLabelValues(host, sev).Set(a.score)
+ }
 }
 return nil
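Review bot: The added `'legitimate', 'resolved'` entries keep the filter a deny-list, so any status value introduced later (or a typo in the status column) is still aggregated and then, via the `default:` arm of the status switch further down this function, scored at full weight. If the contributing statuses are exactly the ones that switch names, an allow-list is the safer shape: `AND status IN ('open', 'investigating', 'acknowledged', 'confirmed_incident')`. The enclosing runHostRiskScoreUpdate body starts and ends outside this hunk.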
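Review bot: The `default:` arm applies no factor, so a status that the SQL filter does not exclude and the switch does not name is counted as open at 1.0x — more than `"open"` (0.35x) or `"acknowledged"` (0.5x) — which inverts the damping this commit is about. Either treat unknown statuses like open, `default: w *= 0.35; a.open += count`, or skip them and log the value once so the gap in the status list is visible. The `a := stats[host]` / `if a == nil` lookup is fine provided stats is a `map[string]*agg`, which the `&agg{}` assignment suggests. A one-line comment on `w += 75` noting that the confirmed_incident bonus alone already exceeds the new `high` threshold of 60 would help whoever retunes these numbers next; the enclosing loop and function begin outside this hunk.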
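Review bot: The comment above `a.score += w * math.Sqrt(float64(count))` should say what `count` is: the COUNT of one (hostname, severity, status) group from the GROUP BY, so the damping is per group, and a host whose detections are spread over several severities or statuses is damped less than one with a single large group. Suggested wording: `// Dampen per (severity, status) group: 100 identical open events must not count 100x.` No import hunk is part of this patch, so the new call relies on main.go already importing `math`; worth confirming before merge. The enclosing loop begins and ends outside this hunk.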
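Review bot: Every `return err` in this per-host loop is reached after the unconditional `UPDATE host_risk_scores SET risk_score = 0, severity = 'info', …` that this commit adds at the top of runHostRiskScoreUpdate, and nothing here rolls that reset back, so a failure on one host leaves all hosts not yet written at score 0 / 'info' until the next successful run (a failing QueryContext right after the reset has the same effect). Hosts with no detections in the window appear to be reset the same way, which also zeroes their confirmed_incidents column, unless a part of the function outside this hunk handles them. Consider running the reset and the per-host writes inside one transaction (`BeginTx` … `Commit`, with a deferred `Rollback` on error), or resetting only rows whose hostname is absent from stats. The gauge nil-check is fine, but a short comment saying when `d.hostRiskScoreGauge` is expected to be nil would help; the function body begins outside this hunk.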