import os
from collections import defaultdict
from datetime import datetime

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from pydantic import BaseModel, Field
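app = FastAPI()

# CORS for the frontend.
#
# Allowed origins are read from ALLOWED_ORIGINS (comma-separated). The default
# is the original wildcard so existing local setups keep working unchanged.
#
# SECURITY: allow_origins=["*"] together with allow_credentials=True is the
# classic CORS misconfiguration - in Starlette's CORSMiddleware this
# combination answers credentialed (cookie-bearing) requests by reflecting the
# caller's Origin, so any web page a user visits can make authenticated
# cross-site calls to this API and read the responses. Set ALLOWED_ORIGINS to
# the real frontend origin(s) anywhere other than local development.
_allowed_origins = [
    origin.strip()
    for origin in os.environ.get("ALLOWED_ORIGINS", "*").split(",")
    if origin.strip()
] or ["*"]

app.add_middleware(
    CORSMiddleware,
    allow_origins=_allowed_origins,
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)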
# ----------------------------
# MEMORY STORE (GRAPH)
# ----------------------------
# Process-local, in-memory store. Nothing in this module evicts, caps or
# persists it, so it grows for the lifetime of the process and is lost on
# restart.
#   nodes:         entity id (user id or source IP, as sent by the client) -> node record
#   edges:         "user->ip" string -> edge record carrying its event list
#   attack_chains: user id -> list of events attributed to that user
graph: dict = dict(
    nodes={},
    edges={},
    attack_chains=defaultdict(list),
)
# ----------------------------
# EVENT MODEL
# ----------------------------
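class Event(BaseModel):
    """One security event posted to ``/event`` by a (currently unauthenticated) client.

    All three fields arrive as free-form strings in the request body and are
    used verbatim as dictionary keys and display labels in the in-memory
    graph. They are length-bounded here so a single caller cannot grow the
    store with arbitrarily large keys. ``ip_address`` is still not parsed as
    an IP address; if strict validation is wanted, add a validator around
    ``ipaddress.ip_address``. The labels are returned to the frontend as-is,
    so the frontend must treat them as untrusted text, not markup.
    """

    user_id: str = Field(..., min_length=1, max_length=256)
    event_type: str = Field(..., min_length=1, max_length=64)
    # 45 is the longest textual IP form (IPv4-mapped IPv6 address).
    ip_address: str = Field(..., min_length=1, max_length=45)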
# ----------------------------
# RISK ENGINE
# ----------------------------
def calculate_risk(event_type, failed_logins=1, malicious_ip=False):
    """Score a single event.

    Only ``LOGIN_FAILURE`` events are scored from their inputs: 15 points per
    failed login plus an IP-reputation term (50 when the source is flagged
    malicious, 10 otherwise). Every other event type is a flat 10, so for
    those the ``failed_logins`` and ``malicious_ip`` arguments are ignored.
    """
    if event_type != "LOGIN_FAILURE":
        return 10
    reputation_term = 50 if malicious_ip else 10
    return 15 * failed_logins + reputation_term
# ----------------------------
# CORRELATION ENGINE
# ----------------------------
def correlate(risk_score):
    """Map a numeric risk score to a verdict label.

    Thresholds are inclusive: 60 and above is a confirmed brute-force
    (ATT&CK T1110), 30 up to 59 is suspicious, anything lower is normal.
    The label strings are consumed by the frontend and must not change.
    """
    verdicts = (
        (60, "CONFIRMED_ATTACK (T1110 - Brute Force)"),
        (30, "SUSPICIOUS_IP_ACTIVITY"),
    )
    for floor, label in verdicts:
        if risk_score >= floor:
            return label
    return "NORMAL"
# ----------------------------
# EVENT ENDPOINT
# ----------------------------
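@app.post("/event")
def ingest_event(event: Event):
    """Ingest one event, update the in-memory graph and return a verdict.

    The score comes from ``calculate_risk`` and the label from ``correlate``.
    ``failed_logins`` is the number of ``LOGIN_FAILURE`` events recorded on
    this user->ip edge including the current one, so repeated failures from
    the same source ramp the score toward ``correlate``'s thresholds (with an
    unflagged IP: 25, 40, 55, 70 - confirmed at the fourth failure). The
    original code passed ``failed_logins=1, malicious_ip=True`` as constants,
    which scored every event 65 and labelled it a confirmed attack regardless
    of history. There is no IP-reputation source in this module, so
    ``malicious_ip`` is left at False; wire a threat-intel lookup into that
    argument when one exists.

    Every record written for this event shares one timestamp, and the edge's
    ``last_updated`` is refreshed on each update (previously it was only set
    at creation).

    Review notes:
    - This endpoint is unauthenticated: anyone who can reach it can write
      arbitrary user ids / IPs into the graph and inflate risk for any user.
    - The store is never pruned, and the whole graph is echoed back in every
      response, so both memory and response size grow without bound.
    - Shared dicts are mutated without a lock; sync FastAPI handlers may run
      on several threads, so the counters can race under concurrent load.
    """
    user = event.user_id
    ip = event.ip_address
    now = datetime.utcnow().isoformat()

    edge_id = f"{user}->{ip}"
    edge = graph["edges"].get(edge_id)

    # Count failures already seen on this user->ip edge, then add this one.
    prior_failures = 0
    if edge is not None:
        prior_failures = sum(1 for e in edge["events"] if e["type"] == "LOGIN_FAILURE")
    failed_logins = prior_failures + (1 if event.event_type == "LOGIN_FAILURE" else 0)

    risk = calculate_risk(event.event_type, failed_logins=failed_logins, malicious_ip=False)
    correlation = correlate(risk)

    # ---------------- NODE UPDATE ----------------
    # One node per user id and one per source IP. If the two strings are equal
    # the same node is incremented twice, as in the original.
    for entity in (user, ip):
        node = graph["nodes"].setdefault(
            entity,
            {
                "id": entity,
                "label": entity,
                "first_seen": now,
                "event_count": 0,
                "risk_accumulator": 0,
            },
        )
        node["event_count"] += 1
        node["risk_accumulator"] += risk

    # ---------------- EDGE UPDATE ----------------
    if edge is None:
        edge = graph["edges"][edge_id] = {
            "id": edge_id,
            "source": user,
            "target": ip,
            "weight": 0,
            "events": [],
            "last_updated": now,
        }
    edge["weight"] += risk
    edge["last_updated"] = now
    edge["events"].append({"type": event.event_type, "risk": risk, "time": now})

    # ---------------- ATTACK CHAIN ----------------
    graph["attack_chains"][user].append(
        {"event": event.event_type, "ip": ip, "risk": risk, "time": now}
    )

    return {
        "event": event,
        "risk": risk,
        "correlation": correlation,
        "graph": graph,
    }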
# ----------------------------
# GRAPH ENDPOINT (FRONTEND USES THIS)
# ----------------------------
@app.get("/graph")
def get_graph():
    """Return the whole in-memory graph in the shape the frontend renders.

    NOTE(review): this is an unauthenticated read of every user id, source
    IP and attack chain ingested so far; with the wildcard CORS policy
    configured above, any web page can fetch it from a visitor's browser.
    """
    nodes = list(graph["nodes"].values())
    edges = list(graph["edges"].values())
    return {
        "nodes": nodes,
        "edges": edges,
        "attack_chains": dict(graph["attack_chains"]),
        "summary": {
            "total_nodes": len(nodes),
            "total_edges": len(edges),
        },
    }