sendnrw/siem-backend
2
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
siem-backend/deploy/mariadb/init/001-schema.sql
Jan 74433d5dc6
All checks were successful
release-tag / release-image (push) Successful in 5m58s
Details
deploy/mariadb/init/001-schema.sql aktualisiert
2026-05-02 18:27:08 +00:00

2159 lines
44 KiB
SQL
Raw Permalink Blame History

-- SIEM-lite vollständiges MariaDB-kompatibles Datenbankschema
-- Stand: Partitionierung event_logs/event_logs_raw, 3h-Partitionen, Raw-XML-Auslagerung,
-- Baseline-Buckets, UEBA, SOC/Risk, UI-Bewertungen.
--
-- Getestet/ausgelegt für MariaDB/MySQL InnoDB.
--
-- WICHTIG:
-- 1. Dieses Script löscht bestehende Tabellen.
-- 2. Partitionierung erfolgt nach DATETIME(6)-Spalte ts.
-- 3. MariaDB erlaubt ON UPDATE UTC_TIMESTAMP(6) nicht zuverlässig.
-- Deshalb nutzt dieses Schema DEFAULT CURRENT_TIMESTAMP(6) / ON UPDATE CURRENT_TIMESTAMP(6).
-- 4. Stelle für echte UTC-Speicherung im Go-DSN zusätzlich die DB-Session auf UTC:
-- ?parseTime=true&loc=UTC&time_zone=%27%2B00%3A00%27
-- oder setze beim Verbindungsaufbau SET time_zone = '+00:00'.
-- 5. Spalten in zusammengesetzten Keys wurden auf VARCHAR(191) begrenzt,
-- damit utf8mb4 und 3072-Byte-Key-Limit keine Fehler erzeugen.
SET NAMES utf8mb4;
SET time_zone = '+00:00';
SET FOREIGN_KEY_CHECKS = 0;
DROP PROCEDURE IF EXISTS ensure_siem_partitions;
DROP TABLE IF EXISTS event_count_buckets;
DROP TABLE IF EXISTS ueba_context_buckets;
DROP TABLE IF EXISTS host_risk_scores;
DROP TABLE IF EXISTS baseline_exclusions;
DROP TABLE IF EXISTS baseline_event_stats;
DROP TABLE IF EXISTS detection_suppressions;
DROP TABLE IF EXISTS detections;
DROP TABLE IF EXISTS detection_rules;
DROP TABLE IF EXISTS user_privilege_baseline;
DROP TABLE IF EXISTS user_source_ip_seen;
DROP TABLE IF EXISTS ueba_user_baseline;
DROP TABLE IF EXISTS privileged_users;
DROP TABLE IF EXISTS event_logs_raw;
DROP TABLE IF EXISTS event_logs;
DROP TABLE IF EXISTS agents;
SET FOREIGN_KEY_CHECKS = 1;
-- ---------------------------------------------------------------------
-- Agents
-- ---------------------------------------------------------------------
CREATE TABLE agents (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
hostname VARCHAR(191) NOT NULL,
api_key_hash CHAR(64) NOT NULL,
first_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
last_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
last_ip VARCHAR(64) NOT NULL DEFAULT '',
is_enabled TINYINT(1) NOT NULL DEFAULT 1,
PRIMARY KEY (id),
UNIQUE KEY uq_agents_hostname (hostname),
KEY idx_agents_enabled_last_seen (is_enabled, last_seen),
KEY idx_agents_last_seen (last_seen)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- ---------------------------------------------------------------------
-- Event Logs, normalisierte Haupttabelle
-- ---------------------------------------------------------------------
CREATE TABLE event_logs (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
ts DATETIME(6) NOT NULL,
agent_id BIGINT UNSIGNED NOT NULL,
hostname VARCHAR(191) NOT NULL,
channel_name VARCHAR(128) NOT NULL,
event_id INT UNSIGNED NOT NULL,
source VARCHAR(191) NOT NULL DEFAULT '',
computer VARCHAR(191) NOT NULL DEFAULT '',
provider_name VARCHAR(191) NOT NULL DEFAULT '',
level_value INT UNSIGNED NOT NULL DEFAULT 0,
task_value INT UNSIGNED NOT NULL DEFAULT 0,
opcode_value INT UNSIGNED NOT NULL DEFAULT 0,
keywords VARCHAR(191) NOT NULL DEFAULT '',
target_user VARCHAR(191) NOT NULL DEFAULT '',
target_user_norm VARCHAR(191) NOT NULL DEFAULT '',
target_domain VARCHAR(191) NOT NULL DEFAULT '',
subject_user VARCHAR(191) NOT NULL DEFAULT '',
subject_user_norm VARCHAR(191) NOT NULL DEFAULT '',
subject_domain VARCHAR(191) NOT NULL DEFAULT '',
workstation VARCHAR(191) NOT NULL DEFAULT '',
src_ip VARCHAR(64) NOT NULL DEFAULT '',
src_port VARCHAR(32) NOT NULL DEFAULT '',
logon_type VARCHAR(32) NOT NULL DEFAULT '',
process_name VARCHAR(768) NOT NULL DEFAULT '',
authentication_package VARCHAR(128) NOT NULL DEFAULT '',
logon_process VARCHAR(128) NOT NULL DEFAULT '',
status_text VARCHAR(128) NOT NULL DEFAULT '',
sub_status_text VARCHAR(128) NOT NULL DEFAULT '',
failure_reason VARCHAR(768) NOT NULL DEFAULT '',
received_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
msg_sha256 CHAR(64) NOT NULL,
-- Optionaler Kompatibilitätsrest. Raw XML gehört in event_logs_raw.
msg MEDIUMTEXT NULL,
PRIMARY KEY (id, ts),
KEY idx_event_logs_id (id),
KEY idx_event_logs_agent_ts (agent_id, ts),
KEY idx_event_logs_ts_host_channel_event (ts, hostname, channel_name, event_id),
KEY idx_event_logs_hostname_ts (hostname, ts),
KEY idx_event_logs_channel_event_ts (channel_name, event_id, ts),
KEY idx_event_logs_target_user_norm_ts (target_user_norm, ts),
KEY idx_event_logs_subject_user_norm_ts (subject_user_norm, ts),
KEY idx_event_logs_src_ip_ts (src_ip, ts),
KEY idx_event_logs_security_logon_user (
channel_name,
event_id,
ts,
target_user_norm,
hostname,
src_ip
),
KEY idx_event_logs_ueba_context (
channel_name,
event_id,
ts,
hostname,
target_user_norm,
src_ip,
workstation
),
KEY idx_event_logs_password_spray (
channel_name,
event_id,
ts,
src_ip,
target_user_norm,
hostname
),
KEY idx_event_logs_dedupe_lookup (
hostname,
channel_name,
event_id,
ts,
msg_sha256
)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
PARTITION BY RANGE COLUMNS(ts) (
PARTITION pmax VALUES LESS THAN (MAXVALUE)
);
-- ---------------------------------------------------------------------
-- Raw XML Tabelle
-- ---------------------------------------------------------------------
CREATE TABLE event_logs_raw (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
event_log_id BIGINT UNSIGNED NOT NULL,
ts DATETIME(6) NOT NULL,
msg_sha256 CHAR(64) NOT NULL,
msg LONGBLOB NOT NULL,
is_gzip TINYINT(1) NOT NULL DEFAULT 0,
created_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
PRIMARY KEY (id, ts),
KEY idx_event_logs_raw_id (id),
KEY idx_event_logs_raw_event_log_id (event_log_id),
KEY idx_event_logs_raw_ts (ts),
KEY idx_event_logs_raw_sha (msg_sha256),
UNIQUE KEY uq_event_logs_raw_event_ts (event_log_id, ts)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
PARTITION BY RANGE COLUMNS(ts) (
PARTITION pmax VALUES LESS THAN (MAXVALUE)
);
-- ---------------------------------------------------------------------
-- Detection-Regeln
-- ---------------------------------------------------------------------
CREATE TABLE detection_rules (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
name VARCHAR(191) NOT NULL,
description TEXT NULL,
severity ENUM('info','low','medium','high','critical') NOT NULL DEFAULT 'medium',
channel VARCHAR(512) NOT NULL DEFAULT 'Security',
event_ids VARCHAR(1024) NOT NULL,
match_field VARCHAR(128) NOT NULL DEFAULT '',
match_operator ENUM('', 'eq', 'contains', 'in') NOT NULL DEFAULT '',
match_value TEXT NULL,
threshold_count INT NOT NULL DEFAULT 1,
threshold_window_seconds INT NOT NULL DEFAULT 0,
suppress_for_seconds INT NOT NULL DEFAULT 3600,
enabled TINYINT(1) NOT NULL DEFAULT 1,
created_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
updated_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6),
PRIMARY KEY (id),
UNIQUE KEY uq_detection_rules_name (name),
KEY idx_detection_rules_enabled (enabled)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- ---------------------------------------------------------------------
-- Detections
-- ---------------------------------------------------------------------
CREATE TABLE detections (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
rule_name VARCHAR(191) NOT NULL,
severity ENUM('info','low','medium','high','critical') NOT NULL DEFAULT 'medium',
hostname VARCHAR(191) NOT NULL DEFAULT '',
channel_name VARCHAR(128) NOT NULL DEFAULT '',
event_id INT UNSIGNED NOT NULL DEFAULT 0,
score DOUBLE NOT NULL DEFAULT 0,
window_start DATETIME(6) NOT NULL,
window_end DATETIME(6) NOT NULL,
summary TEXT NOT NULL,
details_json LONGTEXT NULL CHECK (JSON_VALID(details_json)),
status ENUM(
'open',
'acknowledged',
'investigating',
'plausible',
'legitimate',
'false_positive',
'resolved',
'suppressed',
'confirmed_incident'
) NOT NULL DEFAULT 'open',
analyst_note TEXT NULL,
reviewed_by VARCHAR(191) NOT NULL DEFAULT '',
reviewed_at DATETIME(6) NULL,
is_false_positive TINYINT(1) NOT NULL DEFAULT 0,
is_legitimate TINYINT(1) NOT NULL DEFAULT 0,
created_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
PRIMARY KEY (id),
UNIQUE KEY uq_detection_dedupe (
rule_name,
hostname,
channel_name,
event_id,
window_start,
window_end
),
KEY idx_detections_created (created_at),
KEY idx_detections_status_created (status, created_at),
KEY idx_detections_severity_created (severity, created_at),
KEY idx_detections_host_created (hostname, created_at),
KEY idx_detections_rule_host_created (rule_name, hostname, created_at),
KEY idx_detections_created_status_severity_host (
created_at,
status,
severity,
hostname
),
KEY idx_detections_window (
hostname,
window_start,
window_end
),
KEY idx_detections_soc (
status,
severity,
hostname,
created_at
)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- ---------------------------------------------------------------------
-- Detection Suppressions
-- ---------------------------------------------------------------------
CREATE TABLE detection_suppressions (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
rule_name VARCHAR(191) NOT NULL,
hostname VARCHAR(191) NOT NULL DEFAULT '',
channel_name VARCHAR(128) NOT NULL DEFAULT '',
event_id INT UNSIGNED NOT NULL DEFAULT 0,
reason TEXT NULL,
created_by VARCHAR(191) NOT NULL DEFAULT '',
created_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
expires_at DATETIME(6) NULL,
enabled TINYINT(1) NOT NULL DEFAULT 1,
PRIMARY KEY (id),
KEY idx_detection_suppressions_lookup (
enabled,
rule_name,
hostname,
channel_name,
event_id,
expires_at
),
KEY idx_detection_suppressions_expires (expires_at)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- ---------------------------------------------------------------------
-- Event Count Buckets für Baseline
-- ---------------------------------------------------------------------
CREATE TABLE event_count_buckets (
bucket_start DATETIME(6) NOT NULL,
bucket_end DATETIME(6) NOT NULL,
hostname VARCHAR(191) NOT NULL,
channel_name VARCHAR(128) NOT NULL,
event_id INT UNSIGNED NOT NULL,
cnt BIGINT UNSIGNED NOT NULL DEFAULT 0,
first_event_ts DATETIME(6) NULL,
last_event_ts DATETIME(6) NULL,
finalized TINYINT(1) NOT NULL DEFAULT 0,
anomaly_checked_at DATETIME(6) NULL,
learned_at DATETIME(6) NULL,
updated_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6),
PRIMARY KEY (bucket_start, hostname, channel_name, event_id),
KEY idx_event_count_buckets_lookup (
hostname,
channel_name,
event_id,
bucket_start
),
KEY idx_event_count_buckets_anomaly (
finalized,
anomaly_checked_at,
bucket_start
),
KEY idx_event_count_buckets_learn (
finalized,
learned_at,
bucket_start
),
KEY idx_event_count_buckets_time (
bucket_start,
bucket_end
)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- ---------------------------------------------------------------------
-- Baseline Stats
-- ---------------------------------------------------------------------
CREATE TABLE baseline_event_stats (
hostname VARCHAR(191) NOT NULL,
channel_name VARCHAR(128) NOT NULL,
event_id INT UNSIGNED NOT NULL,
hour_of_day TINYINT UNSIGNED NOT NULL,
day_of_week TINYINT UNSIGNED NOT NULL,
avg_count DOUBLE NOT NULL DEFAULT 0,
m2_count DOUBLE NOT NULL DEFAULT 0,
stddev_count DOUBLE NOT NULL DEFAULT 0,
sample_count INT NOT NULL DEFAULT 0,
first_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
last_updated DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6),
PRIMARY KEY (
hostname,
channel_name,
event_id,
hour_of_day,
day_of_week
),
KEY idx_baseline_event_stats_event (
channel_name,
event_id,
hour_of_day,
day_of_week
),
KEY idx_baseline_event_stats_updated (last_updated)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
CREATE TABLE baseline_exclusions (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
hostname VARCHAR(191) NOT NULL DEFAULT '',
channel_name VARCHAR(128) NOT NULL DEFAULT '',
event_id INT UNSIGNED NOT NULL DEFAULT 0,
reason TEXT NULL,
created_by VARCHAR(191) NOT NULL DEFAULT '',
created_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
expires_at DATETIME(6) NULL,
enabled TINYINT(1) NOT NULL DEFAULT 1,
PRIMARY KEY (id),
KEY idx_baseline_exclusions_lookup (
enabled,
hostname,
channel_name,
event_id,
expires_at
),
KEY idx_baseline_exclusions_expires (expires_at)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- ---------------------------------------------------------------------
-- UEBA Tabellen
-- ---------------------------------------------------------------------
CREATE TABLE ueba_user_baseline (
username VARCHAR(191) NOT NULL,
hostname VARCHAR(191) NOT NULL,
src_ip VARCHAR(64) NOT NULL,
workstation VARCHAR(191) NOT NULL,
first_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
last_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
seen_count BIGINT UNSIGNED NOT NULL DEFAULT 0,
PRIMARY KEY (username, hostname, src_ip, workstation),
KEY idx_ueba_user_baseline_last_seen (last_seen),
KEY idx_ueba_user_baseline_user_last_seen (username, last_seen),
KEY idx_ueba_user_baseline_host_last_seen (hostname, last_seen)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
CREATE TABLE user_source_ip_seen (
username VARCHAR(191) NOT NULL,
src_ip VARCHAR(64) NOT NULL,
hostname VARCHAR(191) NOT NULL,
first_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
last_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
seen_count BIGINT UNSIGNED NOT NULL DEFAULT 0,
PRIMARY KEY (username, src_ip, hostname),
KEY idx_user_source_ip_seen_last_seen (last_seen),
KEY idx_user_source_ip_seen_user_last_seen (username, last_seen),
KEY idx_user_source_ip_seen_src_ip_last_seen (src_ip, last_seen)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
CREATE TABLE user_privilege_baseline (
username VARCHAR(191) NOT NULL,
first_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
last_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
seen_count BIGINT UNSIGNED NOT NULL DEFAULT 0,
PRIMARY KEY (username),
KEY idx_user_privilege_baseline_last_seen (last_seen)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
CREATE TABLE ueba_context_buckets (
bucket_start DATETIME(6) NOT NULL,
bucket_end DATETIME(6) NOT NULL,
username VARCHAR(191) NOT NULL,
hostname VARCHAR(191) NOT NULL,
src_ip VARCHAR(64) NOT NULL,
workstation VARCHAR(191) NOT NULL,
cnt BIGINT UNSIGNED NOT NULL DEFAULT 0,
first_event_ts DATETIME(6) NULL,
last_event_ts DATETIME(6) NULL,
finalized TINYINT(1) NOT NULL DEFAULT 0,
checked_at DATETIME(6) NULL,
learned_at DATETIME(6) NULL,
updated_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6),
PRIMARY KEY (
bucket_start,
username,
hostname,
src_ip,
workstation
),
KEY idx_ueba_context_check (
finalized,
checked_at,
bucket_start
),
KEY idx_ueba_context_learn (
finalized,
learned_at,
bucket_start
),
KEY idx_ueba_context_lookup (
username,
hostname,
src_ip,
workstation,
bucket_start
)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- ---------------------------------------------------------------------
-- Privileged Users
-- ---------------------------------------------------------------------
CREATE TABLE privileged_users (
username VARCHAR(191) NOT NULL,
reason TEXT NULL,
enabled TINYINT(1) NOT NULL DEFAULT 1,
created_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
updated_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6),
PRIMARY KEY (username),
KEY idx_privileged_users_enabled (enabled)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- ---------------------------------------------------------------------
-- Host Risk Scores / SOC
-- ---------------------------------------------------------------------
CREATE TABLE host_risk_scores (
hostname VARCHAR(191) NOT NULL,
risk_score DOUBLE NOT NULL DEFAULT 0,
severity ENUM('info','low','medium','high','critical') NOT NULL DEFAULT 'info',
open_detections INT NOT NULL DEFAULT 0,
high_detections INT NOT NULL DEFAULT 0,
critical_detections INT NOT NULL DEFAULT 0,
confirmed_incidents INT NOT NULL DEFAULT 0,
last_detection_at DATETIME(6) NULL,
updated_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6),
PRIMARY KEY (hostname),
KEY idx_host_risk_scores_risk (risk_score),
KEY idx_host_risk_scores_severity_risk (severity, risk_score),
KEY idx_host_risk_scores_updated (updated_at)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- ---------------------------------------------------------------------
-- Partition Management Stored Procedure
-- Erzeugt 3h-Partitionen von UTC now - 6h bis UTC now + 24h.
-- ---------------------------------------------------------------------
DELIMITER $$
CREATE PROCEDURE ensure_siem_partitions()
BEGIN
DECLARE v_start DATETIME;
DECLARE v_end DATETIME;
DECLARE v_current DATETIME;
DECLARE v_part_end DATETIME;
DECLARE v_part_name VARCHAR(32);
DECLARE v_exists INT DEFAULT 0;
SET v_start = FROM_UNIXTIME(FLOOR(UNIX_TIMESTAMP(UTC_TIMESTAMP()) / 10800) * 10800);
SET v_start = DATE_SUB(v_start, INTERVAL 6 HOUR);
SET v_end = DATE_ADD(FROM_UNIXTIME(FLOOR(UNIX_TIMESTAMP(UTC_TIMESTAMP()) / 10800) * 10800), INTERVAL 27 HOUR);
SET v_current = v_start;
WHILE v_current < v_end DO
SET v_part_end = DATE_ADD(v_current, INTERVAL 3 HOUR);
SET v_part_name = CONCAT('p', DATE_FORMAT(v_current, '%Y%m%d%H'));
SELECT COUNT(*)
INTO v_exists
FROM information_schema.PARTITIONS
WHERE TABLE_SCHEMA = DATABASE()
AND TABLE_NAME = 'event_logs'
AND PARTITION_NAME = v_part_name;
IF v_exists = 0 THEN
SET @sql_event_logs = CONCAT(
'ALTER TABLE event_logs REORGANIZE PARTITION pmax INTO (',
'PARTITION ', v_part_name, ' VALUES LESS THAN (''', DATE_FORMAT(v_part_end, '%Y-%m-%d %H:%i:%s'), '''),',
'PARTITION pmax VALUES LESS THAN (MAXVALUE))'
);
PREPARE stmt_event_logs FROM @sql_event_logs;
EXECUTE stmt_event_logs;
DEALLOCATE PREPARE stmt_event_logs;
END IF;
SELECT COUNT(*)
INTO v_exists
FROM information_schema.PARTITIONS
WHERE TABLE_SCHEMA = DATABASE()
AND TABLE_NAME = 'event_logs_raw'
AND PARTITION_NAME = v_part_name;
IF v_exists = 0 THEN
SET @sql_event_logs_raw = CONCAT(
'ALTER TABLE event_logs_raw REORGANIZE PARTITION pmax INTO (',
'PARTITION ', v_part_name, ' VALUES LESS THAN (''', DATE_FORMAT(v_part_end, '%Y-%m-%d %H:%i:%s'), '''),',
'PARTITION pmax VALUES LESS THAN (MAXVALUE))'
);
PREPARE stmt_event_logs_raw FROM @sql_event_logs_raw;
EXECUTE stmt_event_logs_raw;
DEALLOCATE PREPARE stmt_event_logs_raw;
END IF;
SET v_current = v_part_end;
END WHILE;
END$$
DELIMITER ;
CALL ensure_siem_partitions();
-- ---------------------------------------------------------------------
-- Initiale Beispielregeln
-- Optional. Kann gelöscht werden, wenn Regeln nur über UI gepflegt werden sollen.
-- ---------------------------------------------------------------------
INSERT INTO detection_rules
(
name,
description,
severity,
channel,
event_ids,
match_field,
match_operator,
match_value,
threshold_count,
threshold_window_seconds,
suppress_for_seconds,
enabled
)
VALUES
-- ============================================================
-- Kritische Manipulationen / Spurenverwischung
-- ============================================================
(
'v1_security_log_cleared',
'Security Log wurde gelöscht. Das ist fast immer sicherheitsrelevant.',
'high',
'Security',
'1102',
'',
'',
'',
1,
0,
86400,
1
),
(
'v1_audit_policy_changed',
'Audit Policy wurde geändert.',
'high',
'Security',
'4719',
'',
'',
'',
1,
0,
3600,
1
),
(
'v1_system_audit_policy_changed',
'System Audit Policy wurde geändert.',
'high',
'Security',
'4902,4904,4905,4906,4907,4908,4912',
'',
'',
'',
1,
0,
3600,
1
),
(
'v1_special_logon',
'Anmeldung mit speziellen Rechten erkannt.',
'medium',
'Security',
'4672',
'',
'',
'',
20,
300,
1800,
1
),
(
'v1_privileged_service_called',
'Privilegierter Dienst wurde aufgerufen.',
'medium',
'Security',
'4673,4674',
'',
'',
'',
10,
300,
1800,
1
),
-- ============================================================
-- Benutzerverwaltung
-- ============================================================
(
'v1_user_created',
'Neuer AD-Benutzer wurde erstellt.',
'medium',
'Security',
'4720',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_user_enabled',
'AD-Benutzer wurde aktiviert.',
'medium',
'Security',
'4722',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_user_disabled',
'AD-Benutzer wurde deaktiviert.',
'low',
'Security',
'4725',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_user_deleted',
'AD-Benutzer wurde gelöscht.',
'medium',
'Security',
'4726',
'',
'',
'',
1,
0,
3600,
1
),
(
'v1_user_changed',
'AD-Benutzerobjekt wurde geändert.',
'low',
'Security',
'4738',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_password_changed_by_user',
'Benutzer hat eigenes Passwort geändert.',
'low',
'Security',
'4723',
'',
'',
'',
1,
0,
900,
1
),
(
'v1_password_reset',
'Passwort wurde durch Admin oder berechtigten Benutzer zurückgesetzt.',
'medium',
'Security',
'4724',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_account_lockout',
'Benutzerkonto wurde gesperrt.',
'low',
'Security',
'4740',
'',
'',
'',
1,
0,
900,
1
),
(
'v1_account_lockout_spike',
'Viele Account Lockouts innerhalb kurzer Zeit.',
'medium',
'Security',
'4740',
'',
'',
'',
5,
300,
1800,
1
),
-- ============================================================
-- Gruppenverwaltung allgemein
-- ============================================================
(
'v1_security_group_created',
'Security-Gruppe wurde erstellt.',
'medium',
'Security',
'4727,4731,4754',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_security_group_deleted',
'Security-Gruppe wurde gelöscht.',
'medium',
'Security',
'4730,4734,4758',
'',
'',
'',
1,
0,
3600,
1
),
(
'v1_security_group_changed',
'Security-Gruppe wurde geändert.',
'medium',
'Security',
'4735,4737,4755',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_group_member_added',
'Mitglied wurde zu einer Security-Gruppe hinzugefügt.',
'medium',
'Security',
'4728,4732,4756',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_group_member_removed',
'Mitglied wurde aus einer Security-Gruppe entfernt.',
'medium',
'Security',
'4729,4733,4757',
'',
'',
'',
1,
0,
1800,
1
),
-- ============================================================
-- Privilegierte Gruppen
-- Achtung: target_user ist hier normalerweise der Gruppenname.
-- ============================================================
(
'v1_privileged_group_member_added',
'Mitglied wurde zu einer privilegierten AD-Gruppe hinzugefügt.',
'high',
'Security',
'4728,4732,4756',
'target_user',
'in',
'Domain Admins,Enterprise Admins,Schema Admins,Administrators,Account Operators,Server Operators,Backup Operators,Print Operators,DNSAdmins,Group Policy Creator Owners,Cert Publishers,Key Admins,Enterprise Key Admins',
1,
0,
3600,
1
),
(
'v1_privileged_group_member_removed',
'Mitglied wurde aus einer privilegierten AD-Gruppe entfernt.',
'medium',
'Security',
'4729,4733,4757',
'target_user',
'in',
'Domain Admins,Enterprise Admins,Schema Admins,Administrators,Account Operators,Server Operators,Backup Operators,Print Operators,DNSAdmins,Group Policy Creator Owners,Cert Publishers,Key Admins,Enterprise Key Admins',
1,
0,
3600,
1
),
(
'v1_domain_admins_changed',
'Änderung an Domain Admins erkannt.',
'high',
'Security',
'4728,4729,4735,4737',
'target_user',
'eq',
'Domain Admins',
1,
0,
3600,
1
),
(
'v1_enterprise_admins_changed',
'Änderung an Enterprise Admins erkannt.',
'high',
'Security',
'4728,4729,4735,4737',
'target_user',
'eq',
'Enterprise Admins',
1,
0,
3600,
1
),
(
'v1_schema_admins_changed',
'Änderung an Schema Admins erkannt.',
'high',
'Security',
'4728,4729,4735,4737',
'target_user',
'eq',
'Schema Admins',
1,
0,
3600,
1
),
(
'v1_dnsadmins_changed',
'Änderung an DNSAdmins erkannt. DNSAdmins können in vielen Umgebungen kritisch sein.',
'high',
'Security',
'4728,4729,4732,4733,4756,4757',
'target_user',
'eq',
'DNSAdmins',
1,
0,
3600,
1
),
-- ============================================================
-- Computer-Konten
-- ============================================================
(
'v1_computer_account_created',
'Computer-Konto wurde erstellt.',
'low',
'Security',
'4741',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_computer_account_changed',
'Computer-Konto wurde geändert.',
'low',
'Security',
'4742',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_computer_account_deleted',
'Computer-Konto wurde gelöscht.',
'medium',
'Security',
'4743',
'',
'',
'',
1,
0,
3600,
1
),
-- ============================================================
-- Kerberos / Authentifizierung
-- ============================================================
(
'v1_kerberos_preauth_failure',
'Kerberos PreAuth Fehler erkannt.',
'low',
'Security',
'4771',
'',
'',
'',
1,
0,
300,
1
),
(
'v1_kerberos_preauth_spike',
'Viele Kerberos PreAuth Fehler. Möglicher Password-Spray oder Bruteforce.',
'high',
'Security',
'4771',
'',
'',
'',
20,
300,
1800,
1
),
(
'v1_kerberos_tgt_failed_spike',
'Viele fehlgeschlagene Kerberos-TGT-Anfragen.',
'medium',
'Security',
'4768',
'',
'',
'',
30,
300,
1800,
1
),
(
'v1_kerberos_service_ticket_spike',
'Viele Kerberos-Service-Ticket-Anfragen. Kann auf Kerberoasting oder ungewöhnliche Service-Nutzung hindeuten.',
'medium',
'Security',
'4769',
'',
'',
'',
100,
300,
1800,
1
),
(
'v1_ntlm_authentication_spike',
'Viele NTLM-Authentifizierungen erkannt.',
'medium',
'Security',
'4776',
'',
'',
'',
50,
300,
1800,
1
),
(
'v1_logon_failed_spike',
'Viele fehlgeschlagene Logons.',
'medium',
'Security',
'4625',
'',
'',
'',
25,
300,
1800,
1
),
(
'v1_explicit_credentials_used',
'Anmeldung mit expliziten Anmeldeinformationen erkannt.',
'medium',
'Security',
'4648',
'',
'',
'',
1,
0,
900,
1
),
(
'v1_many_explicit_credentials_used',
'Viele Anmeldungen mit expliziten Anmeldeinformationen.',
'high',
'Security',
'4648',
'',
'',
'',
20,
300,
1800,
1
),
-- ============================================================
-- Dienste, Tasks, Persistenz
-- ============================================================
(
'v1_service_installed_security',
'Neuer Dienst laut Security Log installiert.',
'high',
'Security',
'4697',
'',
'',
'',
1,
0,
3600,
1
),
(
'v1_service_installed_system',
'Neuer Dienst laut System Log installiert.',
'high',
'System',
'7045',
'',
'',
'',
1,
0,
3600,
1
),
(
'v1_scheduled_task_created',
'Geplanter Task wurde erstellt.',
'high',
'Security',
'4698',
'',
'',
'',
1,
0,
3600,
1
),
(
'v1_scheduled_task_updated',
'Geplanter Task wurde geändert.',
'medium',
'Security',
'4702',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_scheduled_task_deleted',
'Geplanter Task wurde gelöscht.',
'medium',
'Security',
'4699',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_scheduled_task_enabled_disabled',
'Geplanter Task wurde aktiviert oder deaktiviert.',
'medium',
'Security',
'4700,4701',
'',
'',
'',
1,
0,
1800,
1
),
-- ============================================================
-- Prozess / PowerShell / Script Logging
-- Nur aktivieren, wenn diese Events bei dir tatsächlich gesammelt werden.
-- ============================================================
(
'v1_process_created',
'Neuer Prozess wurde erstellt. Nur sinnvoll bei aktiviertem Process Creation Auditing.',
'low',
'Security',
'4688',
'',
'',
'',
1,
0,
300,
0
),
(
'v1_suspicious_powershell_process',
'Verdächtiger PowerShell-Aufruf im Prozess-Event.',
'high',
'Security',
'4688',
'msg',
'contains',
'powershell',
1,
0,
1800,
0
),
(
'v1_powershell_script_block',
'PowerShell Script Block Logging Event erkannt.',
'medium',
'Windows PowerShell,Microsoft-Windows-PowerShell/Operational',
'4104',
'',
'',
'',
1,
0,
900,
0
),
(
'v1_suspicious_powershell_encodedcommand',
'PowerShell EncodedCommand erkannt.',
'high',
'Windows PowerShell,Microsoft-Windows-PowerShell/Operational,Security',
'4104,4688',
'msg',
'contains',
'EncodedCommand',
1,
0,
1800,
0
),
(
'v1_suspicious_powershell_downloadstring',
'PowerShell DownloadString erkannt.',
'high',
'Windows PowerShell,Microsoft-Windows-PowerShell/Operational,Security',
'4104,4688',
'msg',
'contains',
'DownloadString',
1,
0,
1800,
0
),
(
'v1_suspicious_powershell_iex',
'PowerShell Invoke-Expression / IEX erkannt.',
'high',
'Windows PowerShell,Microsoft-Windows-PowerShell/Operational,Security',
'4104,4688',
'msg',
'contains',
'Invoke-Expression',
1,
0,
1800,
0
),
-- ============================================================
-- GPO / AD Objektänderungen
-- Hinweis: 5136/5137/5141 kommen aus Directory Service Changes.
-- Dafür muss das passende Auditing auf DCs aktiv sein.
-- ============================================================
(
'v1_directory_object_modified',
'AD-Objekt wurde geändert.',
'medium',
'Security',
'5136',
'',
'',
'',
1,
0,
900,
0
),
(
'v1_directory_object_created',
'AD-Objekt wurde erstellt.',
'medium',
'Security',
'5137',
'',
'',
'',
1,
0,
900,
0
),
(
'v1_directory_object_deleted',
'AD-Objekt wurde gelöscht.',
'medium',
'Security',
'5141',
'',
'',
'',
1,
0,
1800,
0
),
(
'v1_gpo_changed',
'Mögliche GPO-Änderung erkannt.',
'high',
'Security',
'5136',
'msg',
'contains',
'CN=Policies,CN=System',
1,
0,
3600,
0
),
(
'v1_adminsdholder_changed',
'AdminSDHolder wurde geändert. Sehr sicherheitsrelevant.',
'high',
'Security',
'5136',
'msg',
'contains',
'CN=AdminSDHolder',
1,
0,
86400,
0
),
(
'v1_domain_root_changed',
'Domain-Root-Objekt wurde geändert.',
'high',
'Security',
'5136',
'msg',
'contains',
'DC=',
1,
0,
3600,
0
),
-- ============================================================
-- Objektzugriff / ACL
-- Hinweis: 4662/4670 brauchen passende SACLs.
-- ============================================================
(
'v1_object_permissions_changed',
'Berechtigungen eines Objekts wurden geändert.',
'high',
'Security',
'4670',
'',
'',
'',
1,
0,
3600,
0
),
(
'v1_directory_service_object_access',
'Directory-Service-Objektzugriff erkannt.',
'medium',
'Security',
'4662',
'',
'',
'',
10,
300,
1800,
0
),
-- ============================================================
-- Share / SMB / SYSVOL / administrative Zugriffe
-- Hinweis: Kann sehr laut werden.
-- ============================================================
(
'v1_network_share_accessed',
'Netzwerkfreigabe wurde genutzt.',
'low',
'Security',
'5140',
'',
'',
'',
50,
300,
900,
0
),
(
'v1_network_share_object_checked',
'Detaillierter Netzwerkfreigabezugriff erkannt.',
'low',
'Security',
'5145',
'',
'',
'',
100,
300,
900,
0
),
(
'v1_sysvol_access_spike',
'Viele Zugriffe auf SYSVOL erkannt.',
'low',
'Security',
'5140,5145',
'msg',
'contains',
'SYSVOL',
100,
300,
900,
0
),
(
'v1_admin_share_access',
'Zugriff auf administrative Freigabe erkannt.',
'medium',
'Security',
'5140,5145',
'msg',
'contains',
'ADMIN$',
1,
0,
1800,
0
),
(
'v1_c_share_access',
'Zugriff auf C$ erkannt.',
'medium',
'Security',
'5140,5145',
'msg',
'contains',
'C$',
1,
0,
1800,
0
),
-- ============================================================
-- System / Neustart / Agent-Kontext
-- ============================================================
(
'v1_system_startup',
'System wurde gestartet.',
'low',
'System',
'6005',
'',
'',
'',
1,
0,
300,
0
),
(
'v1_system_shutdown',
'System wurde heruntergefahren.',
'low',
'System',
'6006',
'',
'',
'',
1,
0,
300,
0
),
(
'v1_planned_shutdown_or_restart',
'Geplanter Shutdown oder Neustart erkannt.',
'low',
'System',
'1074',
'',
'',
'',
1,
0,
900,
1
),
(
'v1_unexpected_shutdown',
'Unerwarteter Shutdown erkannt.',
'medium',
'System',
'6008',
'',
'',
'',
1,
0,
1800,
1
),
(
'v1_reboot_spike_dynamic',
'Viele Neustart-/Shutdown-Events in kurzer Zeit.',
'medium',
'System',
'1074,6005,6006,6008',
'',
'',
'',
3,
900,
1800,
0
),
-- ============================================================
-- Windows Defender / Security Center
-- Event IDs können je nach Version/Quelle variieren.
-- ============================================================
(
'v1_defender_malware_detected',
'Microsoft Defender hat Malware erkannt.',
'high',
'Microsoft-Windows-Windows Defender/Operational',
'1116',
'',
'',
'',
1,
0,
3600,
0
),
(
'v1_defender_malware_remediated',
'Microsoft Defender hat Malware bereinigt.',
'medium',
'Microsoft-Windows-Windows Defender/Operational',
'1117',
'',
'',
'',
1,
0,
1800,
0
),
(
'v1_defender_action_failed',
'Microsoft Defender Aktion fehlgeschlagen.',
'high',
'Microsoft-Windows-Windows Defender/Operational',
'1118,1119',
'',
'',
'',
1,
0,
3600,
0
),
(
'v1_defender_disabled_or_config_changed',
'Defender-Konfiguration wurde geändert oder Schutz deaktiviert.',
'high',
'Microsoft-Windows-Windows Defender/Operational',
'5007,5013',
'',
'',
'',
1,
0,
3600,
0
),
-- ============================================================
-- Zertifikatsdienste / AD CS
-- Nur aktivieren, wenn AD CS vorhanden und Events gesammelt werden.
-- ============================================================
(
'v1_certificate_request_issued',
'Zertifikat wurde ausgestellt.',
'medium',
'Security',
'4886,4887',
'',
'',
'',
1,
0,
1800,
0
),
(
'v1_certificate_template_changed',
'Zertifikatstemplate wurde geändert.',
'high',
'Security',
'4898,4899,4900',
'',
'',
'',
1,
0,
86400,
0
),
(
'v1_cert_services_config_changed',
'AD-CS-Konfiguration wurde geändert.',
'high',
'Security',
'4882,4885,4890,4891,4892',
'',
'',
'',
1,
0,
86400,
0
),
(
'v2_security_log_cleared',
'Security Log wurde gelöscht. Sehr wahrscheinlich Spurenverwischung.',
'high',
'Security',
'1102',
'', '', '',
1, 0, 86400,
1
),
(
'v2_audit_policy_changed',
'Audit Policy wurde geändert.',
'high',
'Security',
'4719',
'', '', '',
1, 0, 3600,
1
),
(
'v2_system_audit_policy_changed',
'System Audit Policy wurde geändert.',
'high',
'Security',
'4902,4904,4905,4906,4907,4908,4912',
'', '', '',
1, 0, 3600,
1
),
-- ============================================================
-- PRIVILEGIERTE GRUPPEN (WICHTIGSTER BLOCK!)
-- ============================================================
(
'v2_privileged_group_member_added',
'Mitglied wurde zu privilegierter AD-Gruppe hinzugefügt.',
'high',
'Security',
'4728,4732,4756',
'target_user',
'in',
'Domain Admins,Enterprise Admins,Schema Admins,Administrators,DNSAdmins',
1, 0, 3600,
1
),
(
'v2_privileged_group_member_removed',
'Mitglied wurde aus privilegierter AD-Gruppe entfernt.',
'medium',
'Security',
'4729,4733,4757',
'target_user',
'in',
'Domain Admins,Enterprise Admins,Schema Admins,Administrators,DNSAdmins',
1, 0, 3600,
1
),
(
'v2_domain_admins_changed',
'Änderung an Domain Admins.',
'high',
'Security',
'4728,4729,4735,4737',
'target_user',
'eq',
'Domain Admins',
1, 0, 3600,
1
),
(
'v2_enterprise_admins_changed',
'Änderung an Enterprise Admins.',
'high',
'Security',
'4728,4729,4735,4737',
'target_user',
'eq',
'Enterprise Admins',
1, 0, 3600,
1
),
(
'v2_schema_admins_changed',
'Änderung an Schema Admins.',
'high',
'Security',
'4728,4729,4735,4737',
'target_user',
'eq',
'Schema Admins',
1, 0, 3600,
1
),
(
'v2_dnsadmins_changed',
'Änderung an DNSAdmins erkannt.',
'high',
'Security',
'4728,4729,4732,4733,4756,4757',
'target_user',
'eq',
'DNSAdmins',
1, 0, 3600,
1
),
-- ============================================================
-- USER MANAGEMENT
-- ============================================================
(
'v2_user_created',
'Neuer AD-Benutzer wurde erstellt.',
'medium',
'Security',
'4720',
'', '', '',
1, 0, 1800,
1
),
(
'v2_user_enabled',
'AD-Benutzer wurde aktiviert.',
'medium',
'Security',
'4722',
'', '', '',
1, 0, 1800,
1
),
(
'v2_user_deleted',
'AD-Benutzer wurde gelöscht.',
'medium',
'Security',
'4726',
'', '', '',
1, 0, 3600,
1
),
(
'v2_password_reset',
'Passwort wurde zurückgesetzt.',
'medium',
'Security',
'4724',
'', '', '',
1, 0, 1800,
1
),
-- ============================================================
-- AUTHENTIFIZIERUNG (ANOMALIEN)
-- ============================================================
(
'v2_account_lockout_spike',
'Viele Account Lockouts.',
'medium',
'Security',
'4740',
'', '', '',
5, 300, 1800,
1
),
(
'v2_kerberos_preauth_spike',
'Viele Kerberos PreAuth Fehler.',
'high',
'Security',
'4771',
'', '', '',
20, 300, 1800,
1
),
(
'v2_kerberos_service_ticket_spike',
'Viele Kerberos Service Tickets (Kerberoasting möglich).',
'medium',
'Security',
'4769',
'', '', '',
100, 300, 1800,
1
),
(
'v2_ntlm_authentication_spike',
'Viele NTLM Authentifizierungen.',
'medium',
'Security',
'4776',
'', '', '',
50, 300, 1800,
1
),
(
'v2_logon_failed_spike',
'Viele fehlgeschlagene Logons.',
'medium',
'Security',
'4625',
'', '', '',
25, 300, 1800,
1
),
(
'v2_many_explicit_credentials_used',
'Viele Logons mit expliziten Credentials.',
'high',
'Security',
'4648',
'', '', '',
20, 300, 1800,
1
),
-- ============================================================
-- PERSISTENZ / LATERAL MOVEMENT
-- ============================================================
(
'v2_service_installed_security',
'Neuer Dienst (Security Log).',
'high',
'Security',
'4697',
'', '', '',
1, 0, 3600,
1
),
(
'v2_service_installed_system',
'Neuer Dienst (System Log).',
'high',
'System',
'7045',
'', '', '',
1, 0, 3600,
1
),
(
'v2_scheduled_task_created',
'Scheduled Task erstellt.',
'high',
'Security',
'4698',
'', '', '',
1, 0, 3600,
1
),
(
'v2_scheduled_task_updated',
'Scheduled Task geändert.',
'medium',
'Security',
'4702',
'', '', '',
1, 0, 1800,
1
),
(
'v2_scheduled_task_deleted',
'Scheduled Task gelöscht.',
'medium',
'Security',
'4699',
'', '', '',
1, 0, 1800,
1
),
(
'v2_scheduled_task_enabled_disabled',
'Scheduled Task aktiviert/deaktiviert.',
'medium',
'Security',
'4700,4701',
'', '', '',
1, 0, 1800,
1
),
-- ============================================================
-- SYSTEM EVENTS
-- ============================================================
(
'v2_unexpected_shutdown',
'Unerwarteter Shutdown erkannt.',
'medium',
'System',
'6008',
'', '', '',
1, 0, 1800,
1
)
ON DUPLICATE KEY UPDATE
description = VALUES(description),
severity = VALUES(severity),
channel = VALUES(channel),
event_ids = VALUES(event_ids),
match_field = VALUES(match_field),
match_operator = VALUES(match_operator),
match_value = VALUES(match_value),
threshold_count = VALUES(threshold_count),
threshold_window_seconds = VALUES(threshold_window_seconds),
suppress_for_seconds = VALUES(suppress_for_seconds),
enabled = VALUES(enabled);
UPDATE detection_rules
SET enabled = 0
WHERE name LIKE 'v1_%';
-- ---------------------------------------------------------------------
-- Diagnose-Queries nach Restore
-- ---------------------------------------------------------------------
-- SELECT TABLE_NAME, PARTITION_NAME, PARTITION_DESCRIPTION, TABLE_ROWS
-- FROM information_schema.PARTITIONS
-- WHERE TABLE_SCHEMA = DATABASE()
-- AND TABLE_NAME IN ('event_logs', 'event_logs_raw')
-- ORDER BY TABLE_NAME, PARTITION_ORDINAL_POSITION;
--
-- SHOW INDEX FROM event_logs;
-- SHOW INDEX FROM event_logs_raw;
-- SHOW INDEX FROM detections;
Reference in New Issue View Git Blame Copy Permalink