-- Schema for the event collector. utf8mb4 (4-byte UTF-8) is chosen so that
-- forwarded event text containing supplementary-plane characters is stored
-- intact instead of being truncated or rejected by the 3-byte 'utf8' alias.
CREATE DATABASE IF NOT EXISTS eventcollector
    DEFAULT CHARACTER SET utf8mb4
    DEFAULT COLLATE utf8mb4_unicode_ci;

-- Every statement that follows is resolved against this schema.
USE eventcollector;
-- agents: one row per forwarding agent known to the collector.
-- Identity is the hostname (unique); authentication material is held only as
-- a digest in api_key_hash -- no plaintext key column exists in this table.
CREATE TABLE IF NOT EXISTS agents (
    id            BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
    -- Natural key; duplicates are rejected by ux_agents_hostname below.
    hostname      VARCHAR(255) NOT NULL,
    -- Fixed 64 characters, presumably a hex-encoded SHA-256 of the agent's
    -- API key -- NOTE(review): confirm the hashing scheme in the collector.
    api_key_hash  CHAR(64) NOT NULL,
    -- Zone-less DATETIME; the writer is assumed to store UTC (confirm).
    first_seen    DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    last_seen     DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    -- '' (not NULL) until the first check-in; 64 chars leaves room for IPv6 text.
    last_ip       VARCHAR(64) NOT NULL DEFAULT '',
    -- BOOLEAN is MySQL's synonym for TINYINT(1); presumably gates whether the
    -- agent may submit events -- the check itself lives in the application.
    is_enabled    BOOLEAN NOT NULL DEFAULT 1,
    PRIMARY KEY (id),
    UNIQUE INDEX ux_agents_hostname (hostname),
    -- Supports "agents not seen since ..." sweeps.
    INDEX ix_agents_last_seen (last_seen)
) ENGINE = InnoDB
  DEFAULT CHARACTER SET = utf8mb4
  COLLATE = utf8mb4_unicode_ci;
-- event_logs: one row per event forwarded by an agent. The column set mirrors
-- Windows event-log attributes (channel, provider, logon_type, ...); the
-- extracted fields are stored alongside the raw msg so that detection queries
-- can use the composite indexes below instead of parsing msg at query time.
CREATE TABLE IF NOT EXISTS event_logs (
    id                     BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
    -- Submitting agent; fk_event_logs_agent (RESTRICT) prevents orphan rows.
    agent_id               BIGINT UNSIGNED NOT NULL,
    -- Presumably a copy of agents.hostname so host-scoped queries can use
    -- ix_event_logs_hostname_ts without a join -- confirm it is set by the writer.
    hostname               VARCHAR(255) NOT NULL,
    channel_name           VARCHAR(128) NOT NULL,
    event_id               INT UNSIGNED NOT NULL,
    source                 VARCHAR(255) NOT NULL,
    -- The extracted attributes below default to '' / 0 rather than NULL, so
    -- equality predicates and the composite indexes behave uniformly.
    computer               VARCHAR(255) NOT NULL DEFAULT '',
    provider_name          VARCHAR(255) NOT NULL DEFAULT '',
    level_value            INT UNSIGNED NOT NULL DEFAULT 0,
    task_value             INT UNSIGNED NOT NULL DEFAULT 0,
    opcode_value           INT UNSIGNED NOT NULL DEFAULT 0,
    keywords               VARCHAR(255) NOT NULL DEFAULT '',
    target_user            VARCHAR(255) NOT NULL DEFAULT '',
    target_domain          VARCHAR(255) NOT NULL DEFAULT '',
    subject_user           VARCHAR(255) NOT NULL DEFAULT '',
    subject_domain         VARCHAR(255) NOT NULL DEFAULT '',
    workstation            VARCHAR(255) NOT NULL DEFAULT '',
    -- Kept as text (64 chars covers IPv6 notation); port is text as well.
    src_ip                 VARCHAR(64) NOT NULL DEFAULT '',
    src_port               VARCHAR(32) NOT NULL DEFAULT '',
    logon_type             VARCHAR(32) NOT NULL DEFAULT '',
    process_name           VARCHAR(512) NOT NULL DEFAULT '',
    authentication_package VARCHAR(128) NOT NULL DEFAULT '',
    logon_process          VARCHAR(128) NOT NULL DEFAULT '',
    status_text            VARCHAR(64) NOT NULL DEFAULT '',
    sub_status_text        VARCHAR(64) NOT NULL DEFAULT '',
    failure_reason         VARCHAR(512) NOT NULL DEFAULT '',
    -- ts is supplied by the writer (presumably the event's own timestamp);
    -- received_at is stamped by the server default. Both are zone-less
    -- DATETIME -- NOTE(review): assumed UTC end to end, confirm with the agent.
    ts                     DATETIME(6) NOT NULL,
    received_at            DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    -- Raw event text and a 64-char (hex SHA-256-sized) digest of it. There is
    -- no index on msg_sha256, so any duplicate lookup by digest would scan --
    -- NOTE(review): check whether the collector queries on it.
    msg                    LONGTEXT NOT NULL,
    msg_sha256             CHAR(64) NOT NULL,
    PRIMARY KEY (id),
    -- Every secondary index ends in ts so that "attribute = X over a time
    -- range" predicates resolve to a bounded range scan.
    INDEX ix_event_logs_ts (ts),
    INDEX ix_event_logs_received_at (received_at),
    INDEX ix_event_logs_agent_ts (agent_id, ts),
    INDEX ix_event_logs_eventid_ts (event_id, ts),
    INDEX ix_event_logs_hostname_ts (hostname, ts),
    INDEX ix_event_logs_channel_event_ts (channel_name, event_id, ts),
    INDEX ix_event_logs_target_user_ts (target_user, ts),
    INDEX ix_event_logs_src_ip_ts (src_ip, ts),
    INDEX ix_event_logs_target_user_src_ip_ts (target_user, src_ip, ts),
    INDEX ix_event_logs_eventid_srcip_ts (event_id, src_ip, ts),
    INDEX ix_event_logs_eventid_targetuser_ts (event_id, target_user, ts),
    INDEX ix_event_logs_eventid_logontype_ts (event_id, logon_type, ts),
    -- Deleting or re-keying an agent that still owns events is refused;
    -- ix_event_logs_agent_ts doubles as the FK's supporting index.
    CONSTRAINT fk_event_logs_agent FOREIGN KEY (agent_id)
        REFERENCES agents (id) ON DELETE RESTRICT ON UPDATE RESTRICT
) ENGINE = InnoDB
  DEFAULT CHARACTER SET = utf8mb4
  COLLATE = utf8mb4_unicode_ci;
-- detections: one row per alert raised by a detection rule over a time window.
-- hostname here is plain text with no FK to agents, unlike event_logs.agent_id.
CREATE TABLE IF NOT EXISTS detections (
    id            BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
    rule_name     VARCHAR(128) NOT NULL,
    -- Free-form; no CHECK constraint, so the application owns the vocabulary.
    severity      VARCHAR(32) NOT NULL,
    hostname      VARCHAR(255) NOT NULL,
    -- '' and 0 stand in for "not applicable" so that rules which are not
    -- channel- or event-specific still take part in ux_detection_dedupe.
    channel_name  VARCHAR(128) NOT NULL DEFAULT '',
    event_id      INT UNSIGNED NOT NULL DEFAULT 0,
    score         DOUBLE NOT NULL DEFAULT 0,
    -- Evaluation window the rule fired over; zone-less DATETIME, assumed UTC.
    window_start  DATETIME(6) NOT NULL,
    window_end    DATETIME(6) NOT NULL,
    summary       VARCHAR(512) NOT NULL,
    -- Rule-specific payload; MySQL's JSON type rejects malformed documents.
    details_json  JSON NOT NULL,
    created_at    DATETIME(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
    PRIMARY KEY (id),
    -- Presumably makes re-evaluating a rule over the same window idempotent.
    -- Under utf8mb4 this key is roughly 2 KiB: within InnoDB's 3072-byte limit
    -- for DYNAMIC/COMPRESSED rows, but over the 767-byte cap of COMPACT/REDUNDANT.
    UNIQUE INDEX ux_detection_dedupe
        (rule_name, hostname, channel_name, event_id, window_start, window_end),
    INDEX ix_detections_created (created_at),
    INDEX ix_detections_rule_host_time (rule_name, hostname, created_at),
    INDEX ix_detections_severity_time (severity, created_at)
) ENGINE = InnoDB
  DEFAULT CHARACTER SET = utf8mb4
  COLLATE = utf8mb4_unicode_ci;