streamflow/docs/SIEM_QUICK_REFERENCE.md

# Active Security Monitoring - Quick Reference

## Access

**URL**: http://localhost:12345/security/intelligence

**Permissions Required**:
- View: `security.view_audit`
- Manage: `security.manage`
- Admin role required

## Features

### 1. Threat Score
- Real-time threat level (0-100)
- Color-coded: Green (0-19), Yellow (20-49), Orange (50-79), Red (80-100)
- Auto-updates every 60 seconds

### 2. Anomaly Detection
**8 Detection Algorithms**:
1. Brute Force Attacks (10 failures in 10 min)
2. Account Enumeration (5 usernames in 5 min)
3. Privilege Escalation (3 attempts in 30 min)
4. Anomalous Access (off-hours 2-5 AM)
5. Suspicious IPs (100+ requests in 60 min)
6. Data Exfiltration (5 downloads in 30 min)
7. Session Anomalies (5+ IPs in 24 hours)
8. Rate Limit Abuse (5 blocks in 15 min)

### 3. Real-time Alerts
**6 Default Rules**:
- RULE-BRUTE-FORCE (Critical, 10min cooldown)
- RULE-PRIVILEGE-ESC (Critical, 5min cooldown)
- RULE-DATA-EXFIL (High, 15min cooldown)
- RULE-THREAT-CRITICAL (Critical, 30min cooldown)
- RULE-SUSPICIOUS-IP (High, 20min cooldown)
- RULE-SESSION-ANOMALY (Medium, 30min cooldown)

### 4. Log Integrity
- SHA-256 HMAC signatures on all logs
- Tamper detection via "Verify Integrity" button
- Cryptographic validation of log authenticity

### 5. Threat Intelligence
- Malicious IP addresses
- Compromised user accounts
- Attack patterns and indicators
- Occurrence tracking

## API Endpoints

```bash
# Query logs
GET /api/siem/logs?limit=50&source=authentication

# Verify integrity
POST /api/siem/logs/verify

# Get statistics
GET /api/siem/statistics?timeRange=24

# Export logs
GET /api/siem/export?format=csv

# Get anomalies
GET /api/siem/anomalies?status=open&severity=critical

# Resolve anomaly
POST /api/siem/anomalies/:id/resolve
Body: { "notes": "Resolved description" }

# Get alerts
GET /api/siem/alerts?status=active

# Acknowledge alert
POST /api/siem/alerts/:id/acknowledge

# Resolve alert
POST /api/siem/alerts/:id/resolve
Body: { "notes": "Resolution details" }

# Get threats
GET /api/siem/threats?level=high

# Dashboard data
GET /api/siem/dashboard
```

## Configuration

### Environment Variables

```bash
# Required: Log signature secret (32+ characters)
LOG_SIGNATURE_SECRET=your-secret-key-here

# Generate with:
openssl rand -hex 32
```

### Database Tables

- `aggregated_logs` - Central log repository (with signatures)
- `security_anomalies` - Detected anomalies
- `threat_intelligence` - Known threats
- `security_alerts` - Active alerts
- `alert_rules` - Alert configurations

### Log Sources

1. **authentication** (Critical, 365 days) - Login/logout events
2. **authorization** (High, 365 days) - Permission checks
3. **security_audit** (Critical, 365 days) - Security events
4. **application** (Medium, 90 days) - App logs
5. **system** (High, 180 days) - System events
6. **access** (Low, 30 days) - Access logs

## Usage Examples

### View Recent Alerts
1. Navigate to `/security/intelligence`
2. Click "Alerts" tab
3. Review active alerts
4. Click "Acknowledge" for each alert
5. Click eye icon to view details
6. Add resolution notes and click "Resolve"

### Check Log Integrity
1. Click "Verify Integrity" button
2. Wait for verification to complete
3. Green notification = All logs valid
4. Red notification = Tampering detected

### Export Logs for Analysis
1. Click "Export" button
2. Logs download as CSV
3. Open in Excel/spreadsheet software
4. Analyze patterns and trends

### Resolve Anomalies
1. Navigate to "Anomalies" tab
2. Click eye icon on anomaly
3. Review details and pattern data
4. Add resolution notes
5. Click "Resolve" button

### Monitor Threat Score
- Green (0-19): Normal operations
- Yellow (20-49): Elevated activity - monitor
- Orange (50-79): High activity - investigate
- Red (80-100): Critical - immediate action

## Troubleshooting

### High Threat Score
**Problem**: Threat score above 80
**Solution**: 
1. Review open anomalies
2. Resolve false positives
3. Investigate critical alerts
4. Check for active attacks

### No Data Appearing
**Problem**: Dashboard shows no logs/anomalies
**Solution**:
1. Check user permissions (`security.view_audit`)
2. Verify backend is running: `docker logs streamflow`
3. Check browser console for errors
4. Try manual refresh

### Log Tampering Detected
**Problem**: "Integrity Compromised" warning
**Solution**:
1. Export tampered logs immediately
2. Review forensic evidence
3. Restore from backup if needed
4. Investigate root cause
5. Rotate `LOG_SIGNATURE_SECRET`

### Container Won't Start
**Problem**: Docker container restarting
**Solution**:
1. Check logs: `docker compose logs --tail=100`
2. Verify `LOG_SIGNATURE_SECRET` is set
3. Check database permissions
4. Rebuild: `docker compose up -d --build`

## Performance

- **Auto-refresh**: 60 seconds
- **Analysis cycle**: 60 seconds
- **Buffer size**: 100 log entries
- **Flush interval**: 5 seconds
- **Query limit**: 100 entries (max 1000)

## Security Best Practices

1. **Rotate Secrets Regularly**
   - Rotate `LOG_SIGNATURE_SECRET` quarterly
   - Update all active logs after rotation

2. **Review Alerts Daily**
   - Check threat score each morning
   - Acknowledge/resolve alerts promptly
   - Investigate critical anomalies immediately

3. **Export Logs Weekly**
   - Backup to external SIEM
   - Archive for compliance
   - Long-term analysis

4. **Monitor Trends**
   - Track anomaly patterns
   - Identify repeat offenders
   - Adjust thresholds as needed

5. **Maintain Clean Data**
   - Resolve false positives
   - Update alert rules
   - Clean up old logs (automatic)

## Compliance Mapping

- **PCI-DSS Req 10**: Log aggregation, daily review, retention
- **HIPAA § 164.312(b)**: Audit controls, activity examination
- **SOX Section 404**: IT controls, audit trails
- **GDPR Article 32**: Security monitoring, incident detection
- **CWE-778**: Comprehensive logging implementation
- **CWE-532**: Sensitive data protection in logs

## Support

For issues or questions:
1. Check documentation: `/docs/SIEM_IMPLEMENTATION.md`
2. Review backend logs: `docker logs streamflow`
3. Verify API responses: Browser network tab
4. Check permissions: User RBAC settings

## Version

- **Implementation**: December 2024
- **Version**: 1.0.0
- **Status**: Production Ready ✅
Initial commit: StreamFlow IPTV platform 2025-12-17 00:42:43 +00:00			`# Active Security Monitoring - Quick Reference`

			`## Access`

			`URL: http://localhost:12345/security/intelligence`

			`Permissions Required:`
			- View: `security.view_audit`
			- Manage: `security.manage`
			`- Admin role required`

			`## Features`

			`### 1. Threat Score`
			`- Real-time threat level (0-100)`
			`- Color-coded: Green (0-19), Yellow (20-49), Orange (50-79), Red (80-100)`
			`- Auto-updates every 60 seconds`

			`### 2. Anomaly Detection`
			`8 Detection Algorithms:`
			`1. Brute Force Attacks (10 failures in 10 min)`
			`2. Account Enumeration (5 usernames in 5 min)`
			`3. Privilege Escalation (3 attempts in 30 min)`
			`4. Anomalous Access (off-hours 2-5 AM)`
			`5. Suspicious IPs (100+ requests in 60 min)`
			`6. Data Exfiltration (5 downloads in 30 min)`
			`7. Session Anomalies (5+ IPs in 24 hours)`
			`8. Rate Limit Abuse (5 blocks in 15 min)`

			`### 3. Real-time Alerts`
			`6 Default Rules:`
			`- RULE-BRUTE-FORCE (Critical, 10min cooldown)`
			`- RULE-PRIVILEGE-ESC (Critical, 5min cooldown)`
			`- RULE-DATA-EXFIL (High, 15min cooldown)`
			`- RULE-THREAT-CRITICAL (Critical, 30min cooldown)`
			`- RULE-SUSPICIOUS-IP (High, 20min cooldown)`
			`- RULE-SESSION-ANOMALY (Medium, 30min cooldown)`

			`### 4. Log Integrity`
			`- SHA-256 HMAC signatures on all logs`
			`- Tamper detection via "Verify Integrity" button`
			`- Cryptographic validation of log authenticity`

			`### 5. Threat Intelligence`
			`- Malicious IP addresses`
			`- Compromised user accounts`
			`- Attack patterns and indicators`
			`- Occurrence tracking`

			`## API Endpoints`

			```bash
			`# Query logs`
			`GET /api/siem/logs?limit=50&source=authentication`

			`# Verify integrity`
			`POST /api/siem/logs/verify`

			`# Get statistics`
			`GET /api/siem/statistics?timeRange=24`

			`# Export logs`
			`GET /api/siem/export?format=csv`

			`# Get anomalies`
			`GET /api/siem/anomalies?status=open&severity=critical`

			`# Resolve anomaly`
			`POST /api/siem/anomalies/:id/resolve`
			`Body: { "notes": "Resolved description" }`

			`# Get alerts`
			`GET /api/siem/alerts?status=active`

			`# Acknowledge alert`
			`POST /api/siem/alerts/:id/acknowledge`

			`# Resolve alert`
			`POST /api/siem/alerts/:id/resolve`
			`Body: { "notes": "Resolution details" }`

			`# Get threats`
			`GET /api/siem/threats?level=high`

			`# Dashboard data`
			`GET /api/siem/dashboard`
			```

			`## Configuration`

			`### Environment Variables`

			```bash
			`# Required: Log signature secret (32+ characters)`
			`LOG_SIGNATURE_SECRET=your-secret-key-here`

			`# Generate with:`
			`openssl rand -hex 32`
			```

			`### Database Tables`

			- `aggregated_logs` - Central log repository (with signatures)
			- `security_anomalies` - Detected anomalies
			- `threat_intelligence` - Known threats
			- `security_alerts` - Active alerts
			- `alert_rules` - Alert configurations

			`### Log Sources`

			`1. authentication (Critical, 365 days) - Login/logout events`
			`2. authorization (High, 365 days) - Permission checks`
			`3. security_audit (Critical, 365 days) - Security events`
			`4. application (Medium, 90 days) - App logs`
			`5. system (High, 180 days) - System events`
			`6. access (Low, 30 days) - Access logs`

			`## Usage Examples`

			`### View Recent Alerts`
			1. Navigate to `/security/intelligence`
			`2. Click "Alerts" tab`
			`3. Review active alerts`
			`4. Click "Acknowledge" for each alert`
			`5. Click eye icon to view details`
			`6. Add resolution notes and click "Resolve"`

			`### Check Log Integrity`
			`1. Click "Verify Integrity" button`
			`2. Wait for verification to complete`
			`3. Green notification = All logs valid`
			`4. Red notification = Tampering detected`

			`### Export Logs for Analysis`
			`1. Click "Export" button`
			`2. Logs download as CSV`
			`3. Open in Excel/spreadsheet software`
			`4. Analyze patterns and trends`

			`### Resolve Anomalies`
			`1. Navigate to "Anomalies" tab`
			`2. Click eye icon on anomaly`
			`3. Review details and pattern data`
			`4. Add resolution notes`
			`5. Click "Resolve" button`

			`### Monitor Threat Score`
			`- Green (0-19): Normal operations`
			`- Yellow (20-49): Elevated activity - monitor`
			`- Orange (50-79): High activity - investigate`
			`- Red (80-100): Critical - immediate action`

			`## Troubleshooting`

			`### High Threat Score`
			`Problem: Threat score above 80`
			`Solution:`
			`1. Review open anomalies`
			`2. Resolve false positives`
			`3. Investigate critical alerts`
			`4. Check for active attacks`

			`### No Data Appearing`
			`Problem: Dashboard shows no logs/anomalies`
			`Solution:`
			1. Check user permissions (`security.view_audit`)
			2. Verify backend is running: `docker logs streamflow`
			`3. Check browser console for errors`
			`4. Try manual refresh`

			`### Log Tampering Detected`
			`Problem: "Integrity Compromised" warning`
			`Solution:`
			`1. Export tampered logs immediately`
			`2. Review forensic evidence`
			`3. Restore from backup if needed`
			`4. Investigate root cause`
			5. Rotate `LOG_SIGNATURE_SECRET`

			`### Container Won't Start`
			`Problem: Docker container restarting`
			`Solution:`
			1. Check logs: `docker compose logs --tail=100`
			2. Verify `LOG_SIGNATURE_SECRET` is set
			`3. Check database permissions`
			4. Rebuild: `docker compose up -d --build`

			`## Performance`

			`- Auto-refresh: 60 seconds`
			`- Analysis cycle: 60 seconds`
			`- Buffer size: 100 log entries`
			`- Flush interval: 5 seconds`
			`- Query limit: 100 entries (max 1000)`

			`## Security Best Practices`

			`1. Rotate Secrets Regularly`
			- Rotate `LOG_SIGNATURE_SECRET` quarterly
			`- Update all active logs after rotation`

			`2. Review Alerts Daily`
			`- Check threat score each morning`
			`- Acknowledge/resolve alerts promptly`
			`- Investigate critical anomalies immediately`

			`3. Export Logs Weekly`
			`- Backup to external SIEM`
			`- Archive for compliance`
			`- Long-term analysis`

			`4. Monitor Trends`
			`- Track anomaly patterns`
			`- Identify repeat offenders`
			`- Adjust thresholds as needed`

			`5. Maintain Clean Data`
			`- Resolve false positives`
			`- Update alert rules`
			`- Clean up old logs (automatic)`

			`## Compliance Mapping`

			`- PCI-DSS Req 10: Log aggregation, daily review, retention`
			`- HIPAA § 164.312(b): Audit controls, activity examination`
			`- SOX Section 404: IT controls, audit trails`
			`- GDPR Article 32: Security monitoring, incident detection`
			`- CWE-778: Comprehensive logging implementation`
			`- CWE-532: Sensitive data protection in logs`

			`## Support`

			`For issues or questions:`
			1. Check documentation: `/docs/SIEM_IMPLEMENTATION.md`
			2. Review backend logs: `docker logs streamflow`
			`3. Verify API responses: Browser network tab`
			`4. Check permissions: User RBAC settings`

			`## Version`

			`- Implementation: December 2024`
			`- Version: 1.0.0`
			`- Status: Production Ready ✅`