Initial commit: StreamFlow IPTV platform

2025-12-17 00:42:43 +00:00 · 2025-12-17 00:42:43 +00:00 · 73a8ae9ffd
commit 73a8ae9ffd
1240 changed files with 278451 additions and 0 deletions
--- a/docs/SIEM_QUICK_REFERENCE.md
+++ b/docs/SIEM_QUICK_REFERENCE.md
@ -0,0 +1,243 @@
+# Active Security Monitoring - Quick Reference
+
+## Access
+
+**URL**: http://localhost:12345/security/intelligence
+
+**Permissions Required**:
+- View: `security.view_audit`
+- Manage: `security.manage`
+- Admin role required
+
+## Features
+
+### 1. Threat Score
+- Real-time threat level (0-100)
+- Color-coded: Green (0-19), Yellow (20-49), Orange (50-79), Red (80-100)
+- Auto-updates every 60 seconds
+
+### 2. Anomaly Detection
+**8 Detection Algorithms**:
+1. Brute Force Attacks (10 failures in 10 min)
+2. Account Enumeration (5 usernames in 5 min)
+3. Privilege Escalation (3 attempts in 30 min)
+4. Anomalous Access (off-hours 2-5 AM)
+5. Suspicious IPs (100+ requests in 60 min)
+6. Data Exfiltration (5 downloads in 30 min)
+7. Session Anomalies (5+ IPs in 24 hours)
+8. Rate Limit Abuse (5 blocks in 15 min)
+
+### 3. Real-time Alerts
+**6 Default Rules**:
+- RULE-BRUTE-FORCE (Critical, 10min cooldown)
+- RULE-PRIVILEGE-ESC (Critical, 5min cooldown)
+- RULE-DATA-EXFIL (High, 15min cooldown)
+- RULE-THREAT-CRITICAL (Critical, 30min cooldown)
+- RULE-SUSPICIOUS-IP (High, 20min cooldown)
+- RULE-SESSION-ANOMALY (Medium, 30min cooldown)
+
+### 4. Log Integrity
+- SHA-256 HMAC signatures on all logs
+- Tamper detection via "Verify Integrity" button
+- Cryptographic validation of log authenticity
+
+### 5. Threat Intelligence
+- Malicious IP addresses
+- Compromised user accounts
+- Attack patterns and indicators
+- Occurrence tracking
+
+## API Endpoints
+
+```bash
+# Query logs
+GET /api/siem/logs?limit=50&source=authentication
+
+# Verify integrity
+POST /api/siem/logs/verify
+
+# Get statistics
+GET /api/siem/statistics?timeRange=24
+
+# Export logs
+GET /api/siem/export?format=csv
+
+# Get anomalies
+GET /api/siem/anomalies?status=open&severity=critical
+
+# Resolve anomaly
+POST /api/siem/anomalies/:id/resolve
+Body: { "notes": "Resolved description" }
+
+# Get alerts
+GET /api/siem/alerts?status=active
+
+# Acknowledge alert
+POST /api/siem/alerts/:id/acknowledge
+
+# Resolve alert
+POST /api/siem/alerts/:id/resolve
+Body: { "notes": "Resolution details" }
+
+# Get threats
+GET /api/siem/threats?level=high
+
+# Dashboard data
+GET /api/siem/dashboard
+```
+
+## Configuration
+
+### Environment Variables
+
+```bash
+# Required: Log signature secret (32+ characters)
+LOG_SIGNATURE_SECRET=your-secret-key-here
+
+# Generate with:
+openssl rand -hex 32
+```
+
+### Database Tables
+
+- `aggregated_logs` - Central log repository (with signatures)
+- `security_anomalies` - Detected anomalies
+- `threat_intelligence` - Known threats
+- `security_alerts` - Active alerts
+- `alert_rules` - Alert configurations
+
+### Log Sources
+
+1. **authentication** (Critical, 365 days) - Login/logout events
+2. **authorization** (High, 365 days) - Permission checks
+3. **security_audit** (Critical, 365 days) - Security events
+4. **application** (Medium, 90 days) - App logs
+5. **system** (High, 180 days) - System events
+6. **access** (Low, 30 days) - Access logs
+
+## Usage Examples
+
+### View Recent Alerts
+1. Navigate to `/security/intelligence`
+2. Click "Alerts" tab
+3. Review active alerts
+4. Click "Acknowledge" for each alert
+5. Click eye icon to view details
+6. Add resolution notes and click "Resolve"
+
+### Check Log Integrity
+1. Click "Verify Integrity" button
+2. Wait for verification to complete
+3. Green notification = All logs valid
+4. Red notification = Tampering detected
+
+### Export Logs for Analysis
+1. Click "Export" button
+2. Logs download as CSV
+3. Open in Excel/spreadsheet software
+4. Analyze patterns and trends
+
+### Resolve Anomalies
+1. Navigate to "Anomalies" tab
+2. Click eye icon on anomaly
+3. Review details and pattern data
+4. Add resolution notes
+5. Click "Resolve" button
+
+### Monitor Threat Score
+- Green (0-19): Normal operations
+- Yellow (20-49): Elevated activity - monitor
+- Orange (50-79): High activity - investigate
+- Red (80-100): Critical - immediate action
+
+## Troubleshooting
+
+### High Threat Score
+**Problem**: Threat score above 80
+**Solution**: 
+1. Review open anomalies
+2. Resolve false positives
+3. Investigate critical alerts
+4. Check for active attacks
+
+### No Data Appearing
+**Problem**: Dashboard shows no logs/anomalies
+**Solution**:
+1. Check user permissions (`security.view_audit`)
+2. Verify backend is running: `docker logs streamflow`
+3. Check browser console for errors
+4. Try manual refresh
+
+### Log Tampering Detected
+**Problem**: "Integrity Compromised" warning
+**Solution**:
+1. Export tampered logs immediately
+2. Review forensic evidence
+3. Restore from backup if needed
+4. Investigate root cause
+5. Rotate `LOG_SIGNATURE_SECRET`
+
+### Container Won't Start
+**Problem**: Docker container restarting
+**Solution**:
+1. Check logs: `docker compose logs --tail=100`
+2. Verify `LOG_SIGNATURE_SECRET` is set
+3. Check database permissions
+4. Rebuild: `docker compose up -d --build`
+
+## Performance
+
+- **Auto-refresh**: 60 seconds
+- **Analysis cycle**: 60 seconds
+- **Buffer size**: 100 log entries
+- **Flush interval**: 5 seconds
+- **Query limit**: 100 entries (max 1000)
+
+## Security Best Practices
+
+1. **Rotate Secrets Regularly**
+   - Rotate `LOG_SIGNATURE_SECRET` quarterly
+   - Update all active logs after rotation
+
+2. **Review Alerts Daily**
+   - Check threat score each morning
+   - Acknowledge/resolve alerts promptly
+   - Investigate critical anomalies immediately
+
+3. **Export Logs Weekly**
+   - Backup to external SIEM
+   - Archive for compliance
+   - Long-term analysis
+
+4. **Monitor Trends**
+   - Track anomaly patterns
+   - Identify repeat offenders
+   - Adjust thresholds as needed
+
+5. **Maintain Clean Data**
+   - Resolve false positives
+   - Update alert rules
+   - Clean up old logs (automatic)
+
+## Compliance Mapping
+
+- **PCI-DSS Req 10**: Log aggregation, daily review, retention
+- **HIPAA § 164.312(b)**: Audit controls, activity examination
+- **SOX Section 404**: IT controls, audit trails
+- **GDPR Article 32**: Security monitoring, incident detection
+- **CWE-778**: Comprehensive logging implementation
+- **CWE-532**: Sensitive data protection in logs
+
+## Support
+
+For issues or questions:
+1. Check documentation: `/docs/SIEM_IMPLEMENTATION.md`
+2. Review backend logs: `docker logs streamflow`
+3. Verify API responses: Browser network tab
+4. Check permissions: User RBAC settings
+
+## Version
+
+- **Implementation**: December 2024
+- **Version**: 1.0.0
+- **Status**: Production Ready ✅