streamflow/docs/SIEM_QUICK_REFERENCE.md
2025-12-17 00:42:43 +00:00

Active Security Monitoring - Quick Reference

Access

URL: http://localhost:12345/security/intelligence

Permissions Required:

  • View: security.view_audit
  • Manage: security.manage
  • Admin role required

Features

1. Threat Score

  • Real-time threat level (0-100)
  • Color-coded: Green (0-19), Yellow (20-49), Orange (50-79), Red (80-100)
  • Auto-updates every 60 seconds

2. Anomaly Detection

8 Detection Algorithms:

  1. Brute Force Attacks (10 failures in 10 min)
  2. Account Enumeration (5 usernames in 5 min)
  3. Privilege Escalation (3 attempts in 30 min)
  4. Anomalous Access (off-hours 2-5 AM)
  5. Suspicious IPs (100+ requests in 60 min)
  6. Data Exfiltration (5 downloads in 30 min)
  7. Session Anomalies (5+ IPs in 24 hours)
  8. Rate Limit Abuse (5 blocks in 15 min)

3. Real-time Alerts

6 Default Rules:

  • RULE-BRUTE-FORCE (Critical, 10min cooldown)
  • RULE-PRIVILEGE-ESC (Critical, 5min cooldown)
  • RULE-DATA-EXFIL (High, 15min cooldown)
  • RULE-THREAT-CRITICAL (Critical, 30min cooldown)
  • RULE-SUSPICIOUS-IP (High, 20min cooldown)
  • RULE-SESSION-ANOMALY (Medium, 30min cooldown)
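Added example (Python, not StreamFlow's own code) of how the windowed thresholds under Anomaly Detection and the cooldowns under Real-time Alerts fit together. Windows, thresholds, severities and cooldowns are the values listed above; the event field names, the entity each count is keyed to (source IP for brute force and enumeration, user for the rest), the rule name RULE-ACCOUNT-ENUM and the sample events are assumptions made for this illustration.

```python
# Added example (not StreamFlow's own code): sliding-window detection rules
# with per-entity alert cooldowns, run over constructed sample events.
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # log source, e.g. "authentication"
    action: str   # assumed field: "login_failure", "login_success", "download", ...
    user: str
    ip: str

@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    window: timedelta                # how far back matching events are counted
    threshold: int                   # count at which the rule fires
    cooldown: timedelta              # minimum gap between alerts for one entity
    match: Callable[[Event], bool]   # which events this rule counts
    key: Callable[[Event], str]      # entity the count is kept per (IP or user)
    distinct: Optional[Callable[[Event], str]] = None   # count distinct values, not events

class Detector:
    """One sliding window per (rule, entity); alerts are rate-limited by cooldown."""

    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)   # (rule.name, entity) -> deque of (ts, value)
        self.last_alert = {}                # (rule.name, entity) -> ts of last alert
        self.alerts = []

    def ingest(self, ev):
        for rule in self.rules:
            if not rule.match(ev):
                continue
            k = (rule.name, rule.key(ev))
            win = self.windows[k]
            win.append((ev.ts, rule.distinct(ev) if rule.distinct else None))
            cutoff = ev.ts - rule.window
            while win and win[0][0] < cutoff:   # expire events that fell out of the window
                win.popleft()
            count = len({v for _, v in win}) if rule.distinct else len(win)
            if count < rule.threshold:
                continue
            last = self.last_alert.get(k)
            if last is not None and ev.ts - last < rule.cooldown:
                continue   # suppressed: this entity already alerted inside the cooldown
            self.last_alert[k] = ev.ts
            self.alerts.append({"rule": rule.name, "severity": rule.severity,
                                "entity": k[1], "count": count, "at": ev.ts})

# Windows, thresholds and cooldowns as listed above; keying per IP or per user is
# an assumption. RULE-ACCOUNT-ENUM is a hypothetical name (no default rule exists).
RULES = [
    Rule("RULE-BRUTE-FORCE", "critical", timedelta(minutes=10), 10, timedelta(minutes=10),
         lambda e: e.action == "login_failure", lambda e: e.ip),
    Rule("RULE-ACCOUNT-ENUM", "high", timedelta(minutes=5), 5, timedelta(minutes=10),
         lambda e: e.action == "login_failure", lambda e: e.ip, distinct=lambda e: e.user),
    Rule("RULE-PRIVILEGE-ESC", "critical", timedelta(minutes=30), 3, timedelta(minutes=5),
         lambda e: e.action == "privilege_escalation", lambda e: e.user),
    Rule("RULE-DATA-EXFIL", "high", timedelta(minutes=30), 5, timedelta(minutes=15),
         lambda e: e.action == "download", lambda e: e.user),
    Rule("RULE-SESSION-ANOMALY", "medium", timedelta(hours=24), 5, timedelta(minutes=30),
         lambda e: e.action == "login_success", lambda e: e.user, distinct=lambda e: e.ip),
]

T0 = datetime(2025, 1, 1, 3, 0)   # start of the constructed sample data

def sample_events():
    """Constructed events: a fire, a suppressed repeat, a re-fire after cooldown and a miss."""
    evs = []
    for i in range(12):   # 12 failures against one account, 15 s apart: brute force
        evs.append(Event(T0 + timedelta(seconds=15 * i), "authentication", "login_failure", "alice", "203.0.113.7"))
    for i, u in enumerate(["admin", "root", "test", "guest", "bob"]):   # same IP, 5 more usernames: enumeration
        evs.append(Event(T0 + timedelta(minutes=4, seconds=20 * i), "authentication", "login_failure", u, "203.0.113.7"))
    for m in (10, 12, 14, 16, 20):   # 5 escalation attempts: fires at the 3rd, 4th is in cooldown, 5th fires again
        evs.append(Event(T0 + timedelta(minutes=m), "authorization", "privilege_escalation", "eve", "192.0.2.5"))
    for i in range(5):   # one user from 5 IPs within 24 h: session anomaly
        evs.append(Event(T0 + timedelta(hours=i), "authentication", "login_success", "carol", f"198.51.100.{i + 1}"))
    for i in range(3):   # 3 downloads: under the exfiltration threshold, no alert
        evs.append(Event(T0 + timedelta(minutes=i), "access", "download", "dave", "192.0.2.9"))
    return sorted(evs, key=lambda e: e.ts)

def run_sample():
    det = Detector(RULES)
    for ev in sample_events():
        det.ingest(ev)
    return det.alerts

if __name__ == "__main__":
    for a in run_sample():
        print(f'{a["at"]:%H:%M:%S} {a["severity"]:8} {a["rule"]:22} {a["entity"]} count={a["count"]}')
```

The cooldown here is tracked per (rule, entity) rather than per rule, so a second attacker IP is not silenced by the first one's alert; whether StreamFlow scopes its cooldowns the same way is not stated on this page. The brute-force burst fires once at the tenth failure and the twelve follow-up failures are suppressed, while the same IP's switch to five different usernames still triggers the enumeration rule because it counts distinct users rather than events.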

4. Log Integrity

  • HMAC-SHA-256 signature on every log entry, keyed with LOG_SIGNATURE_SECRET
  • Tamper detection via "Verify Integrity" button: each stored signature is recomputed and compared
  • An entry whose content no longer matches its signature is reported as tampered

5. Threat Intelligence

  • Malicious IP addresses
  • Compromised user accounts
  • Attack patterns and indicators
  • Occurrence tracking

API Endpoints

# Query logs
GET /api/siem/logs?limit=50&source=authentication

# Verify integrity
POST /api/siem/logs/verify

# Get statistics
GET /api/siem/statistics?timeRange=24

# Export logs
GET /api/siem/export?format=csv

# Get anomalies
GET /api/siem/anomalies?status=open&severity=critical

# Resolve anomaly
POST /api/siem/anomalies/:id/resolve
Body: { "notes": "Resolved description" }

# Get alerts
GET /api/siem/alerts?status=active

# Acknowledge alert
POST /api/siem/alerts/:id/acknowledge

# Resolve alert
POST /api/siem/alerts/:id/resolve
Body: { "notes": "Resolution details" }

# Get threats
GET /api/siem/threats?level=high

# Dashboard data
GET /api/siem/dashboard

Configuration

Environment Variables

# Required: Log signature secret (32+ characters)
LOG_SIGNATURE_SECRET=your-secret-key-here

# Generate with (32 random bytes printed as 64 hex characters, which satisfies the length requirement):
openssl rand -hex 32
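Added example (Python, not StreamFlow's own code) of what the Log Integrity feature amounts to: an HMAC-SHA-256 over each entry keyed with LOG_SIGNATURE_SECRET, a verification pass of the kind the "Verify Integrity" button performs, and a secret rotation that re-signs entries, the step the Troubleshooting and Security Best Practices sections below call for. The canonical JSON serialization, the row and column names and the sample rows are assumptions; the page does not describe the aggregated_logs schema.

```python
# Added example (not StreamFlow's own code): per-entry HMAC-SHA-256 signatures
# keyed with LOG_SIGNATURE_SECRET, integrity verification, and secret rotation.
import hashlib
import hmac
import json
import secrets

def canonical(entry: dict) -> bytes:
    """Stable serialization so the same entry always hashes to the same bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def sign(entry: dict, secret: bytes) -> str:
    return hmac.new(secret, canonical(entry), hashlib.sha256).hexdigest()

def verify(entry: dict, signature: str, secret: bytes) -> bool:
    # compare_digest does not leak where the digests differ through timing
    return hmac.compare_digest(sign(entry, secret), signature)

def load_secret(env: dict) -> bytes:
    """Enforce the 32+ character requirement before anything is signed."""
    value = env.get("LOG_SIGNATURE_SECRET", "")
    if len(value) < 32:
        raise RuntimeError("LOG_SIGNATURE_SECRET must be set and at least 32 characters long")
    return value.encode()

def verify_all(rows: list, secret: bytes) -> list:
    """Return the ids of rows whose stored signature no longer matches their content."""
    bad = []
    for row in rows:
        entry = {k: v for k, v in row.items() if k != "signature"}
        if not verify(entry, row["signature"], secret):
            bad.append(row["id"])
    return bad

def rotate(rows: list, old_secret: bytes, new_secret: bytes) -> tuple:
    """Re-sign under the new secret only rows that still verify under the old one;
    rows that fail are left as they are and reported, so rotation cannot launder tampering."""
    resigned, skipped = [], []
    for row in rows:
        entry = {k: v for k, v in row.items() if k != "signature"}
        if verify(entry, row["signature"], old_secret):
            resigned.append(dict(entry, signature=sign(entry, new_secret)))
        else:
            resigned.append(dict(row))
            skipped.append(row["id"])
    return resigned, skipped

# Constructed sample: a fixed secret and three aggregated_logs-style rows. The
# column names are assumptions; in production the secret comes from the environment.
SAMPLE_SECRET = b"d5f1c6b5a13e4c62b8c1e0a0f2d9c7b34e6a1d0c9b8a7f6e5d4c3b2a1f0e9d8c"

def sample_rows(secret: bytes = SAMPLE_SECRET) -> list:
    entries = [
        {"id": 1, "source": "authentication", "action": "login_failure", "user": "alice", "ip": "203.0.113.7", "ts": "2025-01-01T03:00:00Z"},
        {"id": 2, "source": "authorization", "action": "privilege_escalation", "user": "eve", "ip": "192.0.2.5", "ts": "2025-01-01T03:10:00Z"},
        {"id": 3, "source": "access", "action": "download", "user": "dave", "ip": "192.0.2.9", "ts": "2025-01-01T03:12:00Z"},
    ]
    return [dict(e, signature=sign(e, secret)) for e in entries]

def demo() -> dict:
    rows = sample_rows()
    before = verify_all(rows, SAMPLE_SECRET)                  # []
    rows[1]["action"] = "permission_check"                    # simulate an edit made straight in the database
    after_tamper = verify_all(rows, SAMPLE_SECRET)            # [2]
    new_secret = secrets.token_hex(32).encode()               # same shape as `openssl rand -hex 32`
    unsigned_rotation = verify_all(rows, new_secret)          # [1, 2, 3]: new secret, no re-sign, everything flagged
    rotated, skipped = rotate(rows, SAMPLE_SECRET, new_secret)
    after_rotation = verify_all(rotated, new_secret)          # [2]: the tampered row stays flagged
    return {"before": before, "after_tamper": after_tamper, "unsigned_rotation": unsigned_rotation,
            "skipped": skipped, "after_rotation": after_rotation}

if __name__ == "__main__":
    print(demo())
```

Two things the sample makes visible: verifying with a new secret without re-signing flags every entry, which is why rotation has to be paired with a re-sign pass, and re-signing only entries that still verify under the old secret means rotation cannot launder a tampered row. A per-entry HMAC detects modified rows but not deleted ones; if deletion matters, feed the previous entry's signature into each new entry's input so the chain breaks at any gap.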

Database Tables

  • aggregated_logs - Central log repository (with signatures)
  • security_anomalies - Detected anomalies
  • threat_intelligence - Known threats
  • security_alerts - Active alerts
  • alert_rules - Alert configurations

Log Sources

  1. authentication (Critical, 365 days) - Login/logout events
  2. authorization (High, 365 days) - Permission checks
  3. security_audit (Critical, 365 days) - Security events
  4. application (Medium, 90 days) - App logs
  5. system (High, 180 days) - System events
  6. access (Low, 30 days) - Access logs

Usage Examples

View Recent Alerts

  1. Navigate to /security/intelligence
  2. Click "Alerts" tab
  3. Review active alerts
  4. Click "Acknowledge" for each alert
  5. Click eye icon to view details
  6. Add resolution notes and click "Resolve"

Check Log Integrity

  1. Click "Verify Integrity" button
  2. Wait for verification to complete
  3. Green notification = All logs valid
  4. Red notification = Tampering detected

Export Logs for Analysis

  1. Click "Export" button
  2. Logs download as CSV
  3. Open in Excel/spreadsheet software
  4. Analyze patterns and trends

Resolve Anomalies

  1. Navigate to "Anomalies" tab
  2. Click eye icon on anomaly
  3. Review details and pattern data
  4. Add resolution notes
  5. Click "Resolve" button

Monitor Threat Score

  • Green (0-19): Normal operations
  • Yellow (20-49): Elevated activity - monitor
  • Orange (50-79): High activity - investigate
  • Red (80-100): Critical - immediate action

Troubleshooting

High Threat Score

Problem: Threat score above 80
Solution:

  1. Review open anomalies
  2. Resolve false positives
  3. Investigate critical alerts
  4. Check for active attacks

No Data Appearing

Problem: Dashboard shows no logs/anomalies
Solution:

  1. Check user permissions (security.view_audit)
  2. Verify backend is running: docker logs streamflow
  3. Check browser console for errors
  4. Try manual refresh

Log Tampering Detected

Problem: "Integrity Compromised" warning
Solution:

  1. Export the affected logs immediately, before anything else changes, to preserve evidence
  2. Review forensic evidence
  3. Restore from backup if needed
  4. Investigate root cause
  5. Rotate LOG_SIGNATURE_SECRET (entries signed under the old secret fail verification until they are re-signed)

Container Won't Start

Problem: Docker container restarting
Solution:

  1. Check logs: docker compose logs --tail=100
  2. Verify LOG_SIGNATURE_SECRET is set
  3. Check database permissions
  4. Rebuild: docker compose up -d --build

Performance

  • Auto-refresh: 60 seconds
  • Analysis cycle: 60 seconds
  • Buffer size: 100 log entries
  • Flush interval: 5 seconds
  • Query limit: 100 entries per request by default (max 1000)

Security Best Practices

  1. Rotate Secrets Regularly

    • Rotate LOG_SIGNATURE_SECRET quarterly
    • Re-sign existing log entries after rotation; signatures made under the old secret fail verification otherwise
  2. Review Alerts Daily

    • Check threat score each morning
    • Acknowledge/resolve alerts promptly
    • Investigate critical anomalies immediately
  3. Export Logs Weekly

    • Backup to external SIEM
    • Archive for compliance
    • Long-term analysis
  4. Monitor Trends

    • Track anomaly patterns
    • Identify repeat offenders
    • Adjust thresholds as needed
  5. Maintain Clean Data

    • Resolve false positives
    • Update alert rules
    • Clean up old logs (automatic)

Compliance Mapping

  • PCI-DSS Req 10: Log aggregation, daily review, retention
  • HIPAA § 164.312(b): Audit controls, activity examination
  • SOX Section 404: IT controls, audit trails
  • GDPR Article 32: Security monitoring, incident detection
  • CWE-778 (Insufficient Logging): authentication, authorization and security events are all logged
  • CWE-532 (Insertion of Sensitive Information into Log File): sensitive data kept out of log content

Support

For issues or questions:

  1. Check documentation: /docs/SIEM_IMPLEMENTATION.md
  2. Review backend logs: docker logs streamflow
  3. Verify API responses: Browser network tab
  4. Check permissions: User RBAC settings

Version

  • Implementation: December 2024
  • Version: 1.0.0
  • Status: Production Ready