jbergner
b86a4844f7
All checks were successful
release-tag / release-image (push) Successful in 2m23s
132 lines
4.8 KiB
YAML
132 lines
4.8 KiB
YAML
groups:
|
|
- name: siem-backend-availability
|
|
rules:
|
|
- alert: SiemBackendDown
|
|
expr: up{job="siem-backend"} == 0
|
|
for: 2m
|
|
labels:
|
|
severity: critical
|
|
annotations:
|
|
summary: "SIEM backend nicht erreichbar"
|
|
description: "Prometheus kann das SIEM-Backend seit mindestens 2 Minuten nicht scrapen."
|
|
|
|
- alert: SiemNoIngestEvents
|
|
expr: sum(rate(eventcollector_ingest_events_total[15m])) == 0
|
|
for: 15m
|
|
labels:
|
|
severity: warning
|
|
annotations:
|
|
summary: "Keine eingehenden SIEM Events"
|
|
description: "Seit mindestens 15 Minuten wurden keine Events mehr ingestiert."
|
|
|
|
- alert: SiemTooFewActiveAgents
|
|
expr: eventcollector_active_agents < 1
|
|
for: 5m
|
|
labels:
|
|
severity: warning
|
|
annotations:
|
|
summary: "Zu wenige aktive Agents"
|
|
description: "Es wurden weniger aktive Agents erkannt als erwartet."
|
|
|
|
- alert: SiemCriticalDetections
|
|
expr: increase(eventcollector_detection_hits_total{severity="critical"}[5m]) > 0
|
|
for: 1m
|
|
labels:
|
|
severity: critical
|
|
annotations:
|
|
summary: "Neue Critical Detection"
|
|
description: "Es wurde mindestens eine Critical-Detection erzeugt."
|
|
|
|
- alert: SiemHighDetections
|
|
expr: increase(eventcollector_detection_hits_total{severity="high"}[5m]) > 0
|
|
for: 1m
|
|
labels:
|
|
severity: high
|
|
annotations:
|
|
summary: "Neue High-Severity Detection"
|
|
description: "Es wurde mindestens eine High-Severity-Detection erzeugt."
|
|
|
|
- alert: SiemManyMediumDetections
|
|
expr: sum(increase(eventcollector_detection_hits_total{severity="medium"}[15m])) > 10
|
|
for: 2m
|
|
labels:
|
|
severity: warning
|
|
annotations:
|
|
summary: "Viele Medium-Detections"
|
|
description: "Es wurden mehr als 10 Medium-Detections in 15 Minuten erzeugt."
|
|
|
|
- alert: SiemBaselineHighAnomaly
|
|
expr: eventcollector_anomaly_score{rule="baseline_event_rate_anomaly"} >= 5
|
|
for: 2m
|
|
labels:
|
|
severity: high
|
|
annotations:
|
|
summary: "Hohe Baseline-Anomalie"
|
|
description: "Host {{ $labels.host }} hat einen hohen Baseline-Z-Score: {{ $value }}."
|
|
|
|
- alert: SiemBaselineMediumAnomaly
|
|
expr: eventcollector_anomaly_score{rule="baseline_event_rate_anomaly"} >= 3
|
|
for: 5m
|
|
labels:
|
|
severity: warning
|
|
annotations:
|
|
summary: "Baseline-Anomalie"
|
|
description: "Host {{ $labels.host }} hat einen erhöhten Baseline-Z-Score: {{ $value }}."
|
|
|
|
- alert: SiemRuleErrors
|
|
expr: increase(eventcollector_rule_errors_total[5m]) > 0
|
|
for: 1m
|
|
labels:
|
|
severity: warning
|
|
annotations:
|
|
summary: "Fehler in Detection-Regeln"
|
|
description: "Mindestens eine Detection-Regel hat in den letzten 5 Minuten einen Fehler erzeugt."
|
|
|
|
- name: siem-backend-ingest
|
|
rules:
|
|
- alert: SiemIngestRejected
|
|
expr: sum(increase(eventcollector_ingest_rejected_total[5m])) > 0
|
|
for: 1m
|
|
labels:
|
|
severity: warning
|
|
annotations:
|
|
summary: "Ingest Requests abgelehnt"
|
|
description: "In den letzten 5 Minuten wurden Ingest Requests abgelehnt."
|
|
|
|
- alert: SiemDBInsertFailures
|
|
expr: increase(eventcollector_db_insert_failures_total[5m]) > 0
|
|
for: 1m
|
|
labels:
|
|
severity: high
|
|
annotations:
|
|
summary: "DB Insert Fehler"
|
|
description: "Das SIEM-Backend konnte Events nicht in die Datenbank schreiben."
|
|
|
|
- alert: SiemHighIngestRate
|
|
expr: sum(rate(eventcollector_ingest_events_total[5m])) > 500
|
|
for: 5m
|
|
labels:
|
|
severity: warning
|
|
annotations:
|
|
summary: "Sehr hohe Eventrate"
|
|
description: "Die Eventrate liegt seit 5 Minuten über 500 Events/s."
|
|
|
|
- name: siem-backend-baseline
|
|
rules:
|
|
- alert: SiemBaselineNotEnoughSamples
|
|
expr: eventcollector_baseline_sample_count > 0 and eventcollector_baseline_sample_count < 24
|
|
for: 30m
|
|
labels:
|
|
severity: info
|
|
annotations:
|
|
summary: "Baseline lernt noch"
|
|
description: "Für {{ $labels.host }} / {{ $labels.channel }} / {{ $labels.event_id }} gibt es erst {{ $value }} Samples."
|
|
|
|
- alert: SiemBaselineCurrentFarAboveAverage
|
|
expr: eventcollector_baseline_avg_count > 0 and (eventcollector_baseline_current_count / eventcollector_baseline_avg_count) > 10
|
|
for: 2m
|
|
labels:
|
|
severity: warning
|
|
annotations:
|
|
summary: "Eventrate deutlich über Baseline"
|
|
description: "{{ $labels.host }} / {{ $labels.channel }} / {{ $labels.event_id }} liegt mehr als 10x über Durchschnitt." |