# Active Security Monitoring - Quick Reference

## Access

**URL**: http://localhost:12345/security/intelligence

**Permissions Required**:

- View: `security.view_audit`
- Manage: `security.manage`
- Admin role required

## Features

### 1. Threat Score

- Real-time threat level (0-100)
- Color-coded: Green (0-19), Yellow (20-49), Orange (50-79), Red (80-100)
- Auto-updates every 60 seconds

### 2. Anomaly Detection

**8 Detection Algorithms**:

1. Brute Force Attacks (10 failures in 10 min)
2. Account Enumeration (5 usernames in 5 min)
3. Privilege Escalation (3 attempts in 30 min)
4. Anomalous Access (off-hours, 2-5 AM)
5. Suspicious IPs (100+ requests in 60 min)
6. Data Exfiltration (5 downloads in 30 min)
7. Session Anomalies (5+ IPs in 24 hours)
8. Rate Limit Abuse (5 blocks in 15 min)

### 3. Real-time Alerts

**6 Default Rules**:

- RULE-BRUTE-FORCE (Critical, 10 min cooldown)
- RULE-PRIVILEGE-ESC (Critical, 5 min cooldown)
- RULE-DATA-EXFIL (High, 15 min cooldown)
- RULE-THREAT-CRITICAL (Critical, 30 min cooldown)
- RULE-SUSPICIOUS-IP (High, 20 min cooldown)
- RULE-SESSION-ANOMALY (Medium, 30 min cooldown)

### 4. Log Integrity

- SHA-256 HMAC signatures on all logs
- Tamper detection via the "Verify Integrity" button
- Cryptographic validation of log authenticity

### 5. Threat Intelligence

- Malicious IP addresses
- Compromised user accounts
- Attack patterns and indicators
- Occurrence tracking

## API Endpoints

```bash
# Query logs
GET /api/siem/logs?limit=50&source=authentication

# Verify integrity
POST /api/siem/logs/verify

# Get statistics
GET /api/siem/statistics?timeRange=24

# Export logs
GET /api/siem/export?format=csv

# Get anomalies
GET /api/siem/anomalies?status=open&severity=critical

# Resolve anomaly
POST /api/siem/anomalies/:id/resolve
Body: { "notes": "Resolved description" }

# Get alerts
GET /api/siem/alerts?status=active

# Acknowledge alert
POST /api/siem/alerts/:id/acknowledge

# Resolve alert
POST /api/siem/alerts/:id/resolve
Body: { "notes": "Resolution details" }

# Get threats
GET /api/siem/threats?level=high

# Dashboard data
GET /api/siem/dashboard
```

## Configuration

### Environment Variables

```bash
# Required: Log signature secret (32+ characters)
LOG_SIGNATURE_SECRET=your-secret-key-here
# Generate with: openssl rand -hex 32
```

### Database Tables

- `aggregated_logs` - Central log repository (with signatures)
- `security_anomalies` - Detected anomalies
- `threat_intelligence` - Known threats
- `security_alerts` - Active alerts
- `alert_rules` - Alert configurations

### Log Sources

1. **authentication** (Critical, 365 days) - Login/logout events
2. **authorization** (High, 365 days) - Permission checks
3. **security_audit** (Critical, 365 days) - Security events
4. **application** (Medium, 90 days) - App logs
5. **system** (High, 180 days) - System events
6. **access** (Low, 30 days) - Access logs

## Usage Examples

### View Recent Alerts

1. Navigate to `/security/intelligence`
2. Click the "Alerts" tab
3. Review active alerts
4. Click "Acknowledge" for each alert
5. Click the eye icon to view details
6. Add resolution notes and click "Resolve"

### Check Log Integrity

1. Click the "Verify Integrity" button
2. Wait for verification to complete
3. Green notification = all logs valid
4. Red notification = tampering detected

### Export Logs for Analysis

1. Click the "Export" button
2. Logs download as CSV
3. Open in Excel or other spreadsheet software
4. Analyze patterns and trends

### Resolve Anomalies

1. Navigate to the "Anomalies" tab
2. Click the eye icon on an anomaly
3. Review details and pattern data
4. Add resolution notes
5. Click the "Resolve" button

### Monitor Threat Score

- Green (0-19): Normal operations
- Yellow (20-49): Elevated activity - monitor
- Orange (50-79): High activity - investigate
- Red (80-100): Critical - immediate action

## Troubleshooting

### High Threat Score

**Problem**: Threat score above 80

**Solution**:

1. Review open anomalies
2. Resolve false positives
3. Investigate critical alerts
4. Check for active attacks

### No Data Appearing

**Problem**: Dashboard shows no logs/anomalies

**Solution**:

1. Check user permissions (`security.view_audit`)
2. Verify the backend is running: `docker logs streamflow`
3. Check the browser console for errors
4. Try a manual refresh

### Log Tampering Detected

**Problem**: "Integrity Compromised" warning

**Solution**:

1. Export the tampered logs immediately
2. Review forensic evidence
3. Restore from backup if needed
4. Investigate the root cause
5. Rotate `LOG_SIGNATURE_SECRET`

### Container Won't Start

**Problem**: Docker container keeps restarting

**Solution**:

1. Check logs: `docker compose logs --tail=100`
2. Verify `LOG_SIGNATURE_SECRET` is set
3. Check database permissions
4. Rebuild: `docker compose up -d --build`

## Performance

- **Auto-refresh**: 60 seconds
- **Analysis cycle**: 60 seconds
- **Buffer size**: 100 log entries
- **Flush interval**: 5 seconds
- **Query limit**: 100 entries (max 1000)

## Security Best Practices

1. **Rotate Secrets Regularly**
   - Rotate `LOG_SIGNATURE_SECRET` quarterly
   - Update all active logs after rotation
2. **Review Alerts Daily**
   - Check the threat score each morning
   - Acknowledge/resolve alerts promptly
   - Investigate critical anomalies immediately
3. **Export Logs Weekly**
   - Back up to an external SIEM
   - Archive for compliance
   - Long-term analysis
4. **Monitor Trends**
   - Track anomaly patterns
   - Identify repeat offenders
   - Adjust thresholds as needed
5. **Maintain Clean Data**
   - Resolve false positives
   - Update alert rules
   - Clean up old logs (automatic)

## Compliance Mapping

- **PCI-DSS Req 10**: Log aggregation, daily review, retention
- **HIPAA § 164.312(b)**: Audit controls, activity examination
- **SOX Section 404**: IT controls, audit trails
- **GDPR Article 32**: Security monitoring, incident detection
- **CWE-778**: Comprehensive logging implementation
- **CWE-532**: Sensitive data protection in logs

## Support

For issues or questions:

1. Check the documentation: `/docs/SIEM_IMPLEMENTATION.md`
2. Review backend logs: `docker logs streamflow`
3. Verify API responses: browser network tab
4. Check permissions: user RBAC settings

## Version

- **Implementation**: December 2024
- **Version**: 1.0.0
- **Status**: Production Ready ✅
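## Worked Example: Log Signature Verification

The Log Integrity feature above signs every entry with an HMAC-SHA256 keyed by `LOG_SIGNATURE_SECRET` and "Verify Integrity" recomputes those signatures. The block below is an added illustration of that scheme, not code from the StreamFlow project; the signed field set, the entry schema and the fallback secret are assumptions, and it also shows why rotating the secret invalidates signatures made under the old one.

```python
import hashlib
import hmac
import json
import os

# Secret from LOG_SIGNATURE_SECRET as in the quick reference; the fallback
# string is a constructed placeholder so the example runs offline.
SECRET = os.environ.get("LOG_SIGNATURE_SECRET",
                        "constructed-placeholder-secret-0123456789abcdef")
# Assumed log schema; the page does not document the aggregated_logs columns.
SIGNED_FIELDS = ("id", "timestamp", "source", "level", "message")

def secret_is_strong(secret: str) -> bool:
    """Enforce the page's requirement of a 32+ character signing secret."""
    return len(secret) >= 32

def canonical(entry: dict) -> bytes:
    """Deterministic byte form of the signed fields (fixed keys, no whitespace)."""
    body = {k: entry[k] for k in SIGNED_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_entry(entry: dict, secret: str = SECRET) -> dict:
    """Attach an HMAC-SHA256 signature computed with the signing secret."""
    sig = hmac.new(secret.encode(), canonical(entry), hashlib.sha256).hexdigest()
    return {**entry, "signature": sig}

def verify_entry(entry: dict, secret: str = SECRET) -> bool:
    """Recompute the MAC and compare in constant time."""
    expected = hmac.new(secret.encode(), canonical(entry), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry.get("signature", ""))

def verify_logs(entries: list) -> list:
    """Ids of entries that fail verification (the 'tampering detected' case)."""
    return [e["id"] for e in entries if not verify_entry(e)]

# Constructed sample entries, signed at write time.
SAMPLE = [sign_entry({"id": i, "timestamp": f"2024-12-01T02:0{i}:00Z",
                      "source": "authentication", "level": "warning",
                      "message": f"login failed for alice from 203.0.113.{i}"})
          for i in range(3)]

def tampered_copy(entries: list) -> list:
    """Simulate an after-the-fact edit of a stored entry without re-signing."""
    copy = [dict(e) for e in entries]
    copy[1]["message"] = "login succeeded for alice"
    return copy
```

Because the signature covers only the listed fields, any column left out of `SIGNED_FIELDS` can be edited without detection, so the real field set should cover everything an investigator relies on.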
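## Worked Example: Sliding-Window Anomaly Detection

The Anomaly Detection feature above expresses its rules as "N events in M minutes". The block below is an added example of how two of those rules, Brute Force (10 failures in 10 min) and Account Enumeration (5 usernames in 5 min), can be evaluated with a per-source sliding window over authentication failures; it is not the project's detector. Keying by source IP, the `failure` outcome and the constructed log line format are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Thresholds are the page's; keying by source IP and the failure/username
# fields are assumptions about the authentication log schema.
RULES = {
    "brute_force": {"count": 10, "window": timedelta(minutes=10), "distinct_users": False},
    "account_enumeration": {"count": 5, "window": timedelta(minutes=5), "distinct_users": True},
}

def detect(events: list, rule_name: str) -> list:
    """Sliding window per source IP over failed logins, sorted by time.
    Returns (iso_timestamp, ip) for each firing; the window is cleared after a
    firing so one burst yields one anomaly rather than one per extra event."""
    rule = RULES[rule_name]
    windows: dict = {}  # ip -> deque of (ts, username)
    fired = []
    for ev in events:
        if ev["outcome"] != "failure":
            continue
        dq = windows.setdefault(ev["ip"], deque())
        dq.append((ev["ts"], ev["username"]))
        while dq and ev["ts"] - dq[0][0] > rule["window"]:
            dq.popleft()  # expire events that fell outside the window
        hits = len({u for _, u in dq}) if rule["distinct_users"] else len(dq)
        if hits >= rule["count"]:
            fired.append((ev["ts"].isoformat(), ev["ip"]))
            dq.clear()
    return fired

def parse_line(line: str) -> dict:
    """Constructed line format: '<iso-ts> auth <outcome> user=<name> ip=<addr>'."""
    ts, _, outcome, user, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "outcome": outcome,
            "username": user.split("=", 1)[1], "ip": ip.split("=", 1)[1]}

_T0 = datetime(2024, 12, 1, 2, 0, 0)
# Constructed sample: one password-guessing burst, one username sweep, one stray failure.
SAMPLE_LINES = (
    [f"{(_T0 + timedelta(seconds=30 * i)).isoformat()} auth failure user=alice ip=203.0.113.5" for i in range(10)]
    + [f"{(_T0 + timedelta(seconds=20 * i)).isoformat()} auth failure user=user{i} ip=198.51.100.7" for i in range(5)]
    + [f"{(_T0 + timedelta(hours=1)).isoformat()} auth failure user=bob ip=192.0.2.9"]
)

def run(rule_name: str, lines: list = SAMPLE_LINES) -> list:
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    return detect(events, rule_name)
```

The brute-force rule fires on the alice burst but not on the username sweep (only 5 failures), while the enumeration rule does the reverse; a distributed attacker spread across many source IPs stays under both thresholds, which is what the separate Suspicious IPs and Session Anomalies rules exist to catch.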