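-- Event collector schema: registered log-shipping agents, the raw event stream
-- they send, and detections raised over that stream.
-- Target engine is MySQL/InnoDB (DATETIME(6), JSON, SHA2(), ENGINE=InnoDB).
-- The base DDL is re-runnable (IF NOT EXISTS / no-op upsert); the V2 ALTER at
-- the bottom is not — see its comment.

CREATE DATABASE IF NOT EXISTS eventcollector
    CHARACTER SET utf8mb4
    COLLATE utf8mb4_unicode_ci;

USE eventcollector;

-- One row per registered agent. hostname is the agent's identity (UNIQUE).
-- The API key itself is never stored, only its hex SHA-256 digest (CHAR(64)).
-- An unsalted fast hash is adequate only when the key is a long random secret
-- (e.g. >= 32 bytes from a CSPRNG); a human-chosen key is trivially recovered
-- from the digest by guessing.
-- NOTE(review): api_key_hash is not indexed, so authentication should look the
-- agent up by hostname (unique) and then compare the digest of the presented
-- key in constant time; a lookup by digest alone would full-scan this table.
-- NOTE(review): is_enabled is not enforced by any constraint — the ingest path
-- must check it; the FK from event_logs only proves the agent row exists.
CREATE TABLE IF NOT EXISTS agents (
    id            BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
    hostname      VARCHAR(255)    NOT NULL,
    api_key_hash  CHAR(64)        NOT NULL,  -- hex SHA-256 of the agent's API key
    first_seen    DATETIME(6)     NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    last_seen     DATETIME(6)     NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    -- Address of the agent's last connection; VARCHAR(64) fits IPv6 text form.
    -- NOTE(review): this should be the socket peer address, not a client-supplied
    -- header such as X-Forwarded-For, unless the fronting proxy is trusted — confirm
    -- in the collector.
    last_ip       VARCHAR(64)     NOT NULL DEFAULT '',
    is_enabled    TINYINT(1)      NOT NULL DEFAULT 1,
    PRIMARY KEY (id),
    UNIQUE KEY ux_agents_hostname (hostname),
    KEY ix_agents_last_seen (last_seen)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

-- Raw events as shipped by agents. Trust boundary: only id, agent_id and
-- received_at are set by the collector; hostname, channel_name, event_id,
-- source, ts, msg and msg_sha256 are agent-supplied content. agent_id (the
-- authenticated identity, enforced by the FK) is the column to attribute and
-- authorise on; the agent-supplied hostname is just data and need not match
-- agents.hostname.
-- ts is the event's own timestamp (agent clock), received_at the server clock.
-- DATETIME carries no zone — store both as UTC and convert at the edge.
-- msg is LONGTEXT (up to 4 GiB); the database will not bound it, so the
-- collector must cap request and message size itself.
-- ON DELETE RESTRICT keeps attribution intact: an agent with events cannot be
-- deleted, disable it via is_enabled instead. Trade-off: InnoDB does not allow
-- foreign keys on partitioned tables, so retention by partition drop on this
-- table would require giving up the FK.
CREATE TABLE IF NOT EXISTS event_logs (
    id            BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
    agent_id      BIGINT UNSIGNED NOT NULL,
    hostname      VARCHAR(255)    NOT NULL,
    channel_name  VARCHAR(128)    NOT NULL,
    event_id      INT UNSIGNED    NOT NULL,
    source        VARCHAR(255)    NOT NULL,
    ts            DATETIME(6)     NOT NULL,
    received_at   DATETIME(6)     NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    msg           LONGTEXT        NOT NULL,
    msg_sha256    CHAR(64)        NOT NULL,  -- hex SHA-256 of msg; not indexed, so not usable for fast dedupe as-is
    PRIMARY KEY (id),
    KEY ix_event_logs_ts (ts),
    KEY ix_event_logs_received_at (received_at),
    KEY ix_event_logs_agent_ts (agent_id, ts),
    KEY ix_event_logs_eventid_ts (event_id, ts),
    KEY ix_event_logs_hostname_ts (hostname, ts),
    KEY ix_event_logs_channel_event_ts (channel_name, event_id, ts),
    CONSTRAINT fk_event_logs_agent
        FOREIGN KEY (agent_id) REFERENCES agents (id)
        ON DELETE RESTRICT
        ON UPDATE RESTRICT
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

-- Detections raised by rules over event_logs. ux_detection_dedupe makes a
-- detection unique per (rule, host, channel, event id, time window), so a rule
-- re-evaluated over the same window cannot double-fire; writers should upsert
-- against that key. hostname here is copied from the event data and is not
-- linked to agents (no FK).
-- severity is free text; NOTE(review): once the rule set fixes its vocabulary,
-- a CHECK constraint (enforced from MySQL 8.0.16) or lookup table would stop
-- inconsistent spellings from fragmenting ix_detections_severity_time.
-- details_json is validated as well-formed JSON by the JSON type, nothing more.
CREATE TABLE IF NOT EXISTS detections (
    id            BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
    rule_name     VARCHAR(128)    NOT NULL,
    severity      VARCHAR(32)     NOT NULL,
    hostname      VARCHAR(255)    NOT NULL,
    channel_name  VARCHAR(128)    NOT NULL DEFAULT '',
    event_id      INT UNSIGNED    NOT NULL DEFAULT 0,
    score         DOUBLE          NOT NULL DEFAULT 0,
    window_start  DATETIME(6)     NOT NULL,
    window_end    DATETIME(6)     NOT NULL,
    summary       VARCHAR(512)    NOT NULL,
    details_json  JSON            NOT NULL,
    created_at    DATETIME(6)     NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    PRIMARY KEY (id),
    UNIQUE KEY ux_detection_dedupe (rule_name, hostname, channel_name, event_id, window_start, window_end),
    KEY ix_detections_created (created_at),
    KEY ix_detections_rule_host_time (rule_name, hostname, created_at),
    KEY ix_detections_severity_time (severity, created_at)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

-- Development seed agents. The keys below are placeholders committed to the
-- repository: any deployment that keeps them authenticates with public
-- credentials. Generate a random key per agent and rotate these before any
-- non-local use. The statement is a no-op upsert so that re-running this file
-- neither fails on ux_agents_hostname nor overwrites a key that has since
-- been rotated (the original plain INSERT did both on a second run).
INSERT INTO agents (hostname, api_key_hash)
VALUES
    ('client01.domain.local', SHA2('SUPER-LANGER-AGENT-KEY-01', 256)),
    ('client02.domain.local', SHA2('SUPER-LANGER-AGENT-KEY-02', 256))
ON DUPLICATE KEY UPDATE id = id;

-- V2: promote fields of the event payload into typed columns. The names match
-- Windows logon-audit fields (TargetUserName, SubjectUserName, IpAddress,
-- LogonType, Status/SubStatus, ...); presumably the collector's parser fills
-- them and leaves '' / 0 when absent — confirm against the ingest code. They
-- are agent-supplied like msg, so src_ip etc. are event content, not the
-- agent's peer address.
-- Not re-runnable: MySQL has no ADD COLUMN IF NOT EXISTS (MariaDB does), so a
-- second run fails with a duplicate-column error. Track applied versions
-- outside this file.
ALTER TABLE event_logs
    ADD COLUMN computer               VARCHAR(255) NOT NULL DEFAULT '' AFTER source,
    ADD COLUMN provider_name          VARCHAR(255) NOT NULL DEFAULT '' AFTER computer,
    ADD COLUMN level_value            INT UNSIGNED NOT NULL DEFAULT 0  AFTER provider_name,
    ADD COLUMN task_value             INT UNSIGNED NOT NULL DEFAULT 0  AFTER level_value,
    ADD COLUMN opcode_value           INT UNSIGNED NOT NULL DEFAULT 0  AFTER task_value,
    ADD COLUMN keywords               VARCHAR(255) NOT NULL DEFAULT '' AFTER opcode_value,
    ADD COLUMN target_user            VARCHAR(255) NOT NULL DEFAULT '' AFTER keywords,
    ADD COLUMN target_domain          VARCHAR(255) NOT NULL DEFAULT '' AFTER target_user,
    ADD COLUMN subject_user           VARCHAR(255) NOT NULL DEFAULT '' AFTER target_domain,
    ADD COLUMN subject_domain         VARCHAR(255) NOT NULL DEFAULT '' AFTER subject_user,
    ADD COLUMN workstation            VARCHAR(255) NOT NULL DEFAULT '' AFTER subject_domain,
    ADD COLUMN src_ip                 VARCHAR(64)  NOT NULL DEFAULT '' AFTER workstation,
    ADD COLUMN src_port               VARCHAR(32)  NOT NULL DEFAULT '' AFTER src_ip,
    ADD COLUMN logon_type             VARCHAR(32)  NOT NULL DEFAULT '' AFTER src_port,
    ADD COLUMN process_name           VARCHAR(512) NOT NULL DEFAULT '' AFTER logon_type,
    ADD COLUMN authentication_package VARCHAR(128) NOT NULL DEFAULT '' AFTER process_name,
    ADD COLUMN logon_process          VARCHAR(128) NOT NULL DEFAULT '' AFTER authentication_package,
    ADD COLUMN status_text            VARCHAR(64)  NOT NULL DEFAULT '' AFTER logon_process,
    ADD COLUMN sub_status_text        VARCHAR(64)  NOT NULL DEFAULT '' AFTER status_text,
    ADD COLUMN failure_reason         VARCHAR(512) NOT NULL DEFAULT '' AFTER sub_status_text;

-- Query-shaped indexes for the V2 columns (user / source-IP / logon-type over
-- time). With these, event_logs carries twelve secondary indexes that every
-- insert must maintain; measure ingest throughput before adding more. The
-- widest key (target_user, src_ip, ts) is ~1.3 KB under utf8mb4, which needs
-- the DYNAMIC/COMPRESSED row format (default since MySQL 5.7).
ALTER TABLE event_logs
    ADD KEY ix_event_logs_target_user_ts        (target_user, ts),
    ADD KEY ix_event_logs_src_ip_ts             (src_ip, ts),
    ADD KEY ix_event_logs_target_user_src_ip_ts (target_user, src_ip, ts),
    ADD KEY ix_event_logs_eventid_srcip_ts      (event_id, src_ip, ts),
    ADD KEY ix_event_logs_eventid_targetuser_ts (event_id, target_user, ts),
    ADD KEY ix_event_logs_eventid_logontype_ts  (event_id, logon_type, ts);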