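-- Schema for the event collector: the agents that forward event-log records,
-- the collected records themselves, and the detections raised on them.
-- Every statement is idempotent (IF NOT EXISTS), so the file can be re-run;
-- note that IF NOT EXISTS does not alter a table that already exists.
CREATE DATABASE IF NOT EXISTS eventcollector
    CHARACTER SET utf8mb4
    COLLATE utf8mb4_unicode_ci;

USE eventcollector;

-- One row per forwarding agent.
-- hostname is UNIQUE under a case-insensitive collation (utf8mb4_unicode_ci),
-- so 'HOST-A' and 'host-a' are the same agent.
-- api_key_hash holds a digest of the agent's key (CHAR(64) fits a hex-encoded
-- SHA-256 — presumably that is what is stored; confirm against the writer).
-- A hex digest is plain ASCII, so the column uses the ascii charset with a
-- binary collation: lookups are exact, case-sensitive byte comparisons and the
-- value costs 1 byte/char in indexes instead of utf8mb4's 4.
CREATE TABLE IF NOT EXISTS agents (
    id            BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
    hostname      VARCHAR(255) NOT NULL,
    api_key_hash  CHAR(64) CHARACTER SET ascii COLLATE ascii_bin NOT NULL,
    first_seen    DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    last_seen     DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    -- textual address; 64 chars covers the IPv6 text form
    last_ip       VARCHAR(64) NOT NULL DEFAULT '',
    is_enabled    TINYINT(1) NOT NULL DEFAULT 1,
    PRIMARY KEY (id),
    UNIQUE KEY ux_agents_hostname (hostname),
    KEY ix_agents_last_seen (last_seen)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

-- One row per collected event-log record.
-- hostname is carried on the row even though agent_id already identifies the
-- agent, so hostname-keyed indexes work without a join.
-- The string attribute columns (target_user, src_ip, logon_type, ...) default
-- to '' rather than NULL, so equality predicates on them never hit NULL
-- three-valued logic; '' means "not present in the record".
-- ts is supplied with the record (presumably the event's own timestamp);
-- received_at is set by the server at insert time via its default.
CREATE TABLE IF NOT EXISTS event_logs (
    id                      BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
    agent_id                BIGINT UNSIGNED NOT NULL,
    hostname                VARCHAR(255) NOT NULL,
    channel_name            VARCHAR(128) NOT NULL,
    event_id                INT UNSIGNED NOT NULL,
    source                  VARCHAR(255) NOT NULL,
    computer                VARCHAR(255) NOT NULL DEFAULT '',
    provider_name           VARCHAR(255) NOT NULL DEFAULT '',
    level_value             INT UNSIGNED NOT NULL DEFAULT 0,
    task_value              INT UNSIGNED NOT NULL DEFAULT 0,
    opcode_value            INT UNSIGNED NOT NULL DEFAULT 0,
    keywords                VARCHAR(255) NOT NULL DEFAULT '',
    target_user             VARCHAR(255) NOT NULL DEFAULT '',
    target_domain           VARCHAR(255) NOT NULL DEFAULT '',
    subject_user            VARCHAR(255) NOT NULL DEFAULT '',
    subject_domain          VARCHAR(255) NOT NULL DEFAULT '',
    workstation             VARCHAR(255) NOT NULL DEFAULT '',
    src_ip                  VARCHAR(64) NOT NULL DEFAULT '',
    src_port                VARCHAR(32) NOT NULL DEFAULT '',
    logon_type              VARCHAR(32) NOT NULL DEFAULT '',
    process_name            VARCHAR(512) NOT NULL DEFAULT '',
    authentication_package  VARCHAR(128) NOT NULL DEFAULT '',
    logon_process           VARCHAR(128) NOT NULL DEFAULT '',
    status_text             VARCHAR(64) NOT NULL DEFAULT '',
    sub_status_text         VARCHAR(64) NOT NULL DEFAULT '',
    failure_reason          VARCHAR(512) NOT NULL DEFAULT '',
    ts                      DATETIME(6) NOT NULL,
    received_at             DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    msg                     LONGTEXT NOT NULL,
    -- hex SHA-256 of msg; ASCII/binary for the same reasons as agents.api_key_hash.
    -- Not declared UNIQUE: identical messages may legitimately recur.
    msg_sha256              CHAR(64) CHARACTER SET ascii COLLATE ascii_bin NOT NULL,
    PRIMARY KEY (id),
    KEY ix_event_logs_ts (ts),
    KEY ix_event_logs_received_at (received_at),
    -- composite indexes ending in ts: each serves a time-bounded lookup on the
    -- leading column(s) (presumably the fields detection rules filter on)
    KEY ix_event_logs_agent_ts (agent_id, ts),
    KEY ix_event_logs_eventid_ts (event_id, ts),
    KEY ix_event_logs_hostname_ts (hostname, ts),
    KEY ix_event_logs_channel_event_ts (channel_name, event_id, ts),
    KEY ix_event_logs_target_user_ts (target_user, ts),
    KEY ix_event_logs_src_ip_ts (src_ip, ts),
    KEY ix_event_logs_target_user_src_ip_ts (target_user, src_ip, ts),
    KEY ix_event_logs_eventid_srcip_ts (event_id, src_ip, ts),
    KEY ix_event_logs_eventid_targetuser_ts (event_id, target_user, ts),
    KEY ix_event_logs_eventid_logontype_ts (event_id, logon_type, ts),
    -- RESTRICT: an agent that still owns records cannot be deleted or re-keyed
    CONSTRAINT fk_event_logs_agent
        FOREIGN KEY (agent_id) REFERENCES agents (id)
        ON DELETE RESTRICT
        ON UPDATE RESTRICT
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

-- One row per detection raised by a rule over a time window on a host.
-- ux_detection_dedupe makes the (rule, host, channel, event, window) tuple
-- unique, so re-evaluating a rule over the same window cannot insert a
-- duplicate detection.
-- The window bounds are checked for consistency; MySQL enforces CHECK from
-- 8.0.16 onward and parses-but-ignores it on older servers.
CREATE TABLE IF NOT EXISTS detections (
    id            BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
    rule_name     VARCHAR(128) NOT NULL,
    severity      VARCHAR(32) NOT NULL,
    hostname      VARCHAR(255) NOT NULL,
    channel_name  VARCHAR(128) NOT NULL DEFAULT '',
    event_id      INT UNSIGNED NOT NULL DEFAULT 0,
    score         DOUBLE NOT NULL DEFAULT 0,
    window_start  DATETIME(6) NOT NULL,
    window_end    DATETIME(6) NOT NULL,
    summary       VARCHAR(512) NOT NULL,
    details_json  JSON NOT NULL,
    created_at    DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    PRIMARY KEY (id),
    UNIQUE KEY ux_detection_dedupe (rule_name, hostname, channel_name, event_id, window_start, window_end),
    KEY ix_detections_created (created_at),
    KEY ix_detections_rule_host_time (rule_name, hostname, created_at),
    KEY ix_detections_severity_time (severity, created_at),
    CONSTRAINT detections_window_check CHECK (window_end >= window_start)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;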