Skip to content

Commit

Permalink
Add require_attention to all alert families on CH Cluster
Browse files Browse the repository at this point in the history
  • Loading branch information
@cardigliano
cardigliano committed Nov 11, 2024
1 parent 12407d6 commit f412a7d
Showing 1 changed file with 47 additions and 17 deletions.
64 changes: 47 additions & 17 deletions httpdocs/misc/db_schema_clickhouse_cluster.sql
View file
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,8 @@ CREATE TABLE IF NOT EXISTS `flows` ON CLUSTER '$CLUSTER' (
`POST_NAT_DST_PORT` UInt32,
`WLAN_SSID` String,
`WTP_MAC_ADDRESS` UInt64,
`DOMAIN_NAME` String
`DOMAIN_NAME` String,
`REQUIRE_ATTENTION` Boolean
) ENGINE = ReplicatedMergeTree('/clickhouse/{cluster}/tables/{database}/{table}', '{replica}') PARTITION BY toYYYYMMDD(FIRST_SEEN) ORDER BY (IPV4_SRC_ADDR, IPV4_DST_ADDR, FIRST_SEEN);
@
ALTER TABLE `flows` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS `FLOW_ID` UInt64;
Expand Down Expand Up @@ -176,6 +177,8 @@ ALTER TABLE `flows` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS `WLAN_SSID` S
ALTER TABLE `flows` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS `WTP_MAC_ADDRESS` UInt64;
@
ALTER TABLE `flows` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS `DOMAIN_NAME` String;
@
ALTER TABLE `flows` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS `REQUIRE_ATTENTION` Boolean;

@

Expand All @@ -198,10 +201,13 @@ CREATE TABLE IF NOT EXISTS `active_monitoring_alerts` ON CLUSTER '$CLUSTER' (
`json` String,
`user_label` String,
`user_label_tstamp` DateTime NULL,
`alert_category` UInt8
`alert_category` UInt8,
`require_attention` Boolean
) ENGINE = ReplicatedMergeTree('/clickhouse/{cluster}/tables/{database}/{table}', '{replica}') PARTITION BY toYYYYMMDD(tstamp) ORDER BY (tstamp);
@
ALTER TABLE `active_monitoring_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS alert_category UInt8;
@
ALTER TABLE `active_monitoring_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS require_attention Boolean;

@

Expand Down Expand Up @@ -256,7 +262,8 @@ CREATE TABLE IF NOT EXISTS `flow_alerts` ON CLUSTER '$CLUSTER' (
`probe_ip` String,
`input_snmp` UInt32,
`output_snmp` UInt32,
`alert_category` UInt8
`alert_category` UInt8,
`require_attention` Boolean
) ENGINE = ReplicatedMergeTree('/clickhouse/{cluster}/tables/{database}/{table}', '{replica}') PARTITION BY toYYYYMMDD(first_seen) ORDER BY (first_seen);
@
ALTER TABLE `flow_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS cli_host_pool_id UInt16;
Expand All @@ -280,6 +287,8 @@ ALTER TABLE `flow_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS input_s
ALTER TABLE `flow_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS output_snmp UInt32;
@
ALTER TABLE `flow_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS alert_category UInt8;
@
ALTER TABLE `flow_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS require_attention Boolean;

@

Expand Down Expand Up @@ -381,10 +390,13 @@ CREATE TABLE IF NOT EXISTS `mac_alerts` ON CLUSTER '$CLUSTER' (
`json` String,
`user_label` String,
`user_label_tstamp` DateTime,
`alert_category` UInt8
`alert_category` UInt8,
`require_attention` Boolean
) ENGINE = ReplicatedMergeTree('/clickhouse/{cluster}/tables/{database}/{table}', '{replica}') PARTITION BY toYYYYMMDD(tstamp) ORDER BY (tstamp);
@
ALTER TABLE `mac_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS alert_category UInt8;
@
ALTER TABLE `mac_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS require_attention Boolean;

@

Expand All @@ -407,12 +419,15 @@ CREATE TABLE IF NOT EXISTS `snmp_alerts` ON CLUSTER '$CLUSTER' (
`json` String,
`user_label` String,
`user_label_tstamp` DateTime,
`alert_category` UInt8
`alert_category` UInt8,
`require_attention` Boolean
) ENGINE = ReplicatedMergeTree('/clickhouse/{cluster}/tables/{database}/{table}', '{replica}') PARTITION BY toYYYYMMDD(tstamp) ORDER BY (tstamp);
@
ALTER TABLE `snmp_alerts` MODIFY COLUMN `port` UInt32;
@
ALTER TABLE `snmp_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS alert_category UInt8;
@
ALTER TABLE `snmp_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS require_attention Boolean;

@

Expand All @@ -434,10 +449,13 @@ CREATE TABLE IF NOT EXISTS `network_alerts` ON CLUSTER '$CLUSTER' (
`json` String,
`user_label` String,
`user_label_tstamp` DateTime,
`alert_category` UInt8
`alert_category` UInt8,
`require_attention` Boolean
) ENGINE = ReplicatedMergeTree('/clickhouse/{cluster}/tables/{database}/{table}', '{replica}') PARTITION BY toYYYYMMDD(tstamp) ORDER BY (tstamp);
@
ALTER TABLE `network_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS alert_category UInt8;
@
ALTER TABLE `network_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS require_attention Boolean;

@

Expand All @@ -460,10 +478,13 @@ CREATE TABLE IF NOT EXISTS `interface_alerts` ON CLUSTER '$CLUSTER' (
`json` String,
`user_label` String,
`user_label_tstamp` DateTime,
`alert_category` UInt8
`alert_category` UInt8,
`require_attention` Boolean
) ENGINE = ReplicatedMergeTree('/clickhouse/{cluster}/tables/{database}/{table}', '{replica}') PARTITION BY toYYYYMMDD(tstamp) ORDER BY (tstamp);
@
ALTER TABLE `interface_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS alert_category UInt8;
@
ALTER TABLE `interface_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS require_attention Boolean;

@

Expand All @@ -483,10 +504,13 @@ CREATE TABLE IF NOT EXISTS `user_alerts` ON CLUSTER '$CLUSTER' (
`json` String,
`user_label` String,
`user_label_tstamp` DateTime,
`alert_category` UInt8
`alert_category` UInt8,
`require_attention` Boolean
) ENGINE = ReplicatedMergeTree('/clickhouse/{cluster}/tables/{database}/{table}', '{replica}') PARTITION BY toYYYYMMDD(tstamp) ORDER BY (tstamp);
@
ALTER TABLE `user_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS alert_category UInt8;
@
ALTER TABLE `user_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS require_attention Boolean;

@

Expand All @@ -506,33 +530,36 @@ CREATE TABLE IF NOT EXISTS `system_alerts` ON CLUSTER '$CLUSTER' (
`json` String,
`user_label` String,
`user_label_tstamp` DateTime,
`alert_category` UInt8
`alert_category` UInt8,
`require_attention` Boolean
) ENGINE = ReplicatedMergeTree('/clickhouse/{cluster}/tables/{database}/{table}', '{replica}') PARTITION BY toYYYYMMDD(tstamp) ORDER BY (tstamp);
@
ALTER TABLE `system_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS alert_category UInt8;
@
ALTER TABLE `system_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS require_attention Boolean;

@

DROP VIEW IF EXISTS `all_alerts_view` ON CLUSTER '$CLUSTER';
@
CREATE VIEW IF NOT EXISTS `all_alerts_view` ON CLUSTER '$CLUSTER' AS
SELECT 8 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `active_monitoring_alerts`
SELECT 8 entity_id, interface_id, alert_id, alert_status, require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `active_monitoring_alerts`
UNION ALL
SELECT 4 entity_id, INTERFACE_ID AS interface_id, STATUS AS alert_id, 0 AS alert_status, REQUIRE_ATTENTION AS require_attention, FIRST_SEEN AS tstamp, LAST_SEEN AS tstamp_end, SEVERITY AS severity, SCORE AS score, ALERT_CATEGORY AS alert_category FROM `flows` WHERE (STATUS != 0 AND IS_ALERT_DELETED != 1)
UNION ALL
SELECT 1 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `host_alerts`
SELECT 1 entity_id, interface_id, alert_id, alert_status, require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `host_alerts`
UNION ALL
SELECT 5 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `mac_alerts`
SELECT 5 entity_id, interface_id, alert_id, alert_status, require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `mac_alerts`
UNION ALL
SELECT 3 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `snmp_alerts`
SELECT 3 entity_id, interface_id, alert_id, alert_status, require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `snmp_alerts`
UNION ALL
SELECT 2 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `network_alerts`
SELECT 2 entity_id, interface_id, alert_id, alert_status, require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `network_alerts`
UNION ALL
SELECT 0 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `interface_alerts`
SELECT 0 entity_id, interface_id, alert_id, alert_status, require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `interface_alerts`
UNION ALL
SELECT 7 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `user_alerts`
SELECT 7 entity_id, interface_id, alert_id, alert_status, require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `user_alerts`
UNION ALL
SELECT 9 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `system_alerts`
SELECT 9 entity_id, interface_id, alert_id, alert_status, require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `system_alerts`
;

@
Expand Down Expand Up @@ -729,6 +756,9 @@ SELECT
f.INPUT_SNMP AS input_snmp,
f.OUTPUT_SNMP AS output_snmp,
f.ALERT_CATEGORY AS alert_category,
f.MINOR_CONNECTION_STATE AS minor_connection_state,
f.MAJOR_CONNECTION_STATE AS major_connection_state,
f.REQUIRE_ATTENTION AS require_attention,
mitre.TACTIC AS mitre_tactic,
mitre.TECHNIQUE AS mitre_technique,
mitre.SUB_TECHNIQUE AS mitre_subtechnique,
Expand Down

0 comments on commit f412a7d

Please sign in to comment.