101 lines
4.7 KiB
SQL
101 lines
4.7 KiB
SQL
CREATE DATABASE IF NOT EXISTS eventcollector
|
|
CHARACTER SET utf8mb4
|
|
COLLATE utf8mb4_unicode_ci;
|
|
|
|
USE eventcollector;
|
|
|
|
CREATE TABLE IF NOT EXISTS agents (
|
|
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
|
|
hostname VARCHAR(255) NOT NULL,
|
|
api_key_hash CHAR(64) NOT NULL,
|
|
first_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
|
|
last_seen DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
|
|
last_ip VARCHAR(64) NOT NULL DEFAULT '',
|
|
is_enabled TINYINT(1) NOT NULL DEFAULT 1,
|
|
PRIMARY KEY (id),
|
|
UNIQUE KEY ux_agents_hostname (hostname),
|
|
KEY ix_agents_last_seen (last_seen)
|
|
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
|
|
|
|
CREATE TABLE IF NOT EXISTS event_logs (
|
|
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
|
|
agent_id BIGINT UNSIGNED NOT NULL,
|
|
hostname VARCHAR(255) NOT NULL,
|
|
channel_name VARCHAR(128) NOT NULL,
|
|
event_id INT UNSIGNED NOT NULL,
|
|
source VARCHAR(255) NOT NULL,
|
|
ts DATETIME(6) NOT NULL,
|
|
received_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
|
|
msg LONGTEXT NOT NULL,
|
|
msg_sha256 CHAR(64) NOT NULL,
|
|
PRIMARY KEY (id),
|
|
KEY ix_event_logs_ts (ts),
|
|
KEY ix_event_logs_received_at (received_at),
|
|
KEY ix_event_logs_agent_ts (agent_id, ts),
|
|
KEY ix_event_logs_eventid_ts (event_id, ts),
|
|
KEY ix_event_logs_hostname_ts (hostname, ts),
|
|
KEY ix_event_logs_channel_event_ts (channel_name, event_id, ts),
|
|
CONSTRAINT fk_event_logs_agent
|
|
FOREIGN KEY (agent_id) REFERENCES agents(id)
|
|
ON DELETE RESTRICT
|
|
ON UPDATE RESTRICT
|
|
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
|
|
|
|
CREATE TABLE IF NOT EXISTS detections (
|
|
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
|
|
rule_name VARCHAR(128) NOT NULL,
|
|
severity VARCHAR(32) NOT NULL,
|
|
hostname VARCHAR(255) NOT NULL,
|
|
channel_name VARCHAR(128) NOT NULL DEFAULT '',
|
|
event_id INT UNSIGNED NOT NULL DEFAULT 0,
|
|
score DOUBLE NOT NULL DEFAULT 0,
|
|
window_start DATETIME(6) NOT NULL,
|
|
window_end DATETIME(6) NOT NULL,
|
|
summary VARCHAR(512) NOT NULL,
|
|
details_json JSON NOT NULL,
|
|
created_at DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
|
|
PRIMARY KEY (id),
|
|
UNIQUE KEY ux_detection_dedupe (rule_name, hostname, channel_name, event_id, window_start, window_end),
|
|
KEY ix_detections_created (created_at),
|
|
KEY ix_detections_rule_host_time (rule_name, hostname, created_at),
|
|
KEY ix_detections_severity_time (severity, created_at)
|
|
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
|
|
|
|
USE eventcollector;
|
|
|
|
INSERT INTO agents (hostname, api_key_hash)
|
|
VALUES
|
|
('client01.domain.local', SHA2('SUPER-LANGER-AGENT-KEY-01', 256)),
|
|
('client02.domain.local', SHA2('SUPER-LANGER-AGENT-KEY-02', 256));
|
|
|
|
#V2
|
|
|
|
ALTER TABLE event_logs
|
|
ADD COLUMN computer VARCHAR(255) NOT NULL DEFAULT '' AFTER source,
|
|
ADD COLUMN provider_name VARCHAR(255) NOT NULL DEFAULT '' AFTER computer,
|
|
ADD COLUMN level_value INT UNSIGNED NOT NULL DEFAULT 0 AFTER provider_name,
|
|
ADD COLUMN task_value INT UNSIGNED NOT NULL DEFAULT 0 AFTER level_value,
|
|
ADD COLUMN opcode_value INT UNSIGNED NOT NULL DEFAULT 0 AFTER task_value,
|
|
ADD COLUMN keywords VARCHAR(255) NOT NULL DEFAULT '' AFTER opcode_value,
|
|
ADD COLUMN target_user VARCHAR(255) NOT NULL DEFAULT '' AFTER keywords,
|
|
ADD COLUMN target_domain VARCHAR(255) NOT NULL DEFAULT '' AFTER target_user,
|
|
ADD COLUMN subject_user VARCHAR(255) NOT NULL DEFAULT '' AFTER target_domain,
|
|
ADD COLUMN subject_domain VARCHAR(255) NOT NULL DEFAULT '' AFTER subject_user,
|
|
ADD COLUMN workstation VARCHAR(255) NOT NULL DEFAULT '' AFTER subject_domain,
|
|
ADD COLUMN src_ip VARCHAR(64) NOT NULL DEFAULT '' AFTER workstation,
|
|
ADD COLUMN src_port VARCHAR(32) NOT NULL DEFAULT '' AFTER src_ip,
|
|
ADD COLUMN logon_type VARCHAR(32) NOT NULL DEFAULT '' AFTER src_port,
|
|
ADD COLUMN process_name VARCHAR(512) NOT NULL DEFAULT '' AFTER logon_type,
|
|
ADD COLUMN authentication_package VARCHAR(128) NOT NULL DEFAULT '' AFTER process_name,
|
|
ADD COLUMN logon_process VARCHAR(128) NOT NULL DEFAULT '' AFTER authentication_package,
|
|
ADD COLUMN status_text VARCHAR(64) NOT NULL DEFAULT '' AFTER logon_process,
|
|
ADD COLUMN sub_status_text VARCHAR(64) NOT NULL DEFAULT '' AFTER status_text,
|
|
ADD COLUMN failure_reason VARCHAR(512) NOT NULL DEFAULT '' AFTER sub_status_text;
|
|
|
|
ALTER TABLE event_logs
|
|
ADD KEY ix_event_logs_target_user_ts (target_user, ts),
|
|
ADD KEY ix_event_logs_src_ip_ts (src_ip, ts),
|
|
ADD KEY ix_event_logs_target_user_src_ip_ts (target_user, src_ip, ts),
|
|
ADD KEY ix_event_logs_eventid_srcip_ts (event_id, src_ip, ts),
|
|
ADD KEY ix_event_logs_eventid_targetuser_ts (event_id, target_user, ts),
|
|
ADD KEY ix_event_logs_eventid_logontype_ts (event_id, logon_type, ts); |