Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 20:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add MITRE ATT&CK heatmap and detection rule firing status

Browse Source 
MITRE ATT&CK heatmap:
- _extract_mitre() helper extracts tactics/techniques from S1 API rules
  handling multiple field name conventions (tactic, mitreTechniques, etc.)
- _import_from_api_rules and _import_detections now store tactics/techniques
  in raw JSON alongside data_sources
- GET /api/coverage/mitre returns tactic/technique breakdown ordered by
  ATT&CK kill chain with coverage stats
- New "Threat Coverage" tab in frontend: stat cards (total rules, MITRE
  mapped, tactics covered, techniques covered), tactic cards grid with
  left-border color coding and technique chips with "+N more" expander

Detection rule firing status:
- RuleFiringCache table tracks alert_count per rule_name
- POST /api/coverage/sync-rule-firing queries SDL PowerQuery with 3
  field-name patterns to find rule firing data; upserts into cache
- GET /api/coverage/rule-firing-cache returns cache sorted by alert count
- /map now includes alert_count per rule and firing_cache_populated flag
- Coverage map Detections column: when cache populated, shows alert count
  in green or ⚠ amber for rules that have never fired

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mick
2026-05-22 10:25:45 -04:00
parent 2c40bf81ee
commit 7922de315e
4 changed files with 500 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/db.py
+9
View File
@@ -48,6 +48,15 @@ class IngestSnapshot(Base):
recorded_at = Column(DateTime, default=datetime.utcnow)
class RuleFiringCache(Base):
__tablename__ = "rule_firing_cache"
id = Column(Integer, primary_key=True)
rule_name = Column(String, unique=True, index=True)
alert_count = Column(Integer, default=0)
period_days = Column(Integer, default=30)
checked_at = Column(DateTime, default=datetime.utcnow)
def get_db():
db = SessionLocal()
try:
backend/main.py
+10 -1
View File
@@ -1,6 +1,6 @@
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from db import engine, Base, get_db, ParsedRule
from db import engine, Base, get_db, ParsedRule, RuleFiringCache
from routers import coverage, ingest, settings, quality
Base.metadata.create_all(bind=engine)
@@ -14,6 +14,15 @@ with engine.connect() as _conn:
_conn.execute(text(
"ALTER TABLE active_sources ADD COLUMN IF NOT EXISTS unlabelled BOOLEAN DEFAULT FALSE"
))
_conn.execute(text(
"CREATE TABLE IF NOT EXISTS rule_firing_cache ("
"id SERIAL PRIMARY KEY, "
"rule_name VARCHAR UNIQUE, "
"alert_count INTEGER DEFAULT 0, "
"period_days INTEGER DEFAULT 30, "
"checked_at TIMESTAMP"
")"
))
_conn.commit()
app = FastAPI(title="SIEM Toolkit", version="1.0.0")
backend/routers/coverage.py
+251 -4
View File
@@ -4,7 +4,7 @@ from fastapi import APIRouter, UploadFile, File, Depends, HTTPException
from pydantic import BaseModel
from sqlalchemy.orm import Session
from datetime import datetime
from db import get_db, ParsedRule, ParserField, ActiveSource
from db import get_db, ParsedRule, ParserField, ActiveSource, RuleFiringCache
from services import s1_client, rule_parser
DETECTIONS_FILE = os.environ.get("DETECTIONS_FILE", "/app/data/detections.json")
@@ -12,6 +12,63 @@ DETECTIONS_FILE = os.environ.get("DETECTIONS_FILE", "/app/data/detections.json")
router = APIRouter()
def _extract_mitre(rule: dict) -> tuple[list[str], list[dict]]:
"""Extract (tactics, techniques) from a raw S1 rule dict.
Handles multiple field name conventions across S1 API versions."""
tactics: list[str] = []
techniques: list[dict] = []
for key in ("tactic", "tactics", "mitreTactic", "mitreTactics", "attack.tactic"):
val = rule.get(key)
if isinstance(val, str) and val:
tactics.extend(v.strip() for v in val.split(",") if v.strip())
elif isinstance(val, list):
for v in val:
if isinstance(v, str) and v:
tactics.append(v.strip())
elif isinstance(v, dict):
n = v.get("name") or v.get("tactic") or ""
if n:
tactics.append(n.strip())
for key in ("technique", "techniques", "mitreTechnique", "mitreTechniques",
"attack.technique", "mitreAttack"):
val = rule.get(key)
if isinstance(val, str) and val:
for part in val.split(","):
part = part.strip()
if not part:
continue
if part.startswith("T") and len(part) >= 2 and part[1:5].replace(".", "").isdigit():
tid, _, tname = part.partition(" - ")
techniques.append({"id": tid.strip(), "name": tname.strip() or tid.strip()})
else:
techniques.append({"id": "", "name": part})
elif isinstance(val, list):
for v in val:
if isinstance(v, str) and v.strip():
part = v.strip()
if part.startswith("T") and len(part) >= 5 and part[1:5].replace(".", "").isdigit():
techniques.append({"id": part, "name": part})
else:
techniques.append({"id": "", "name": part})
elif isinstance(v, dict):
tid = v.get("id") or v.get("techniqueId") or v.get("technique_id") or ""
tname = v.get("name") or v.get("technique") or v.get("techniqueName") or tid
if tid or tname:
techniques.append({"id": str(tid).strip(), "name": str(tname).strip()})
seen_ids: set = set()
unique_techniques = []
for t in techniques:
key_t = t["id"] or t["name"]
if key_t not in seen_ids:
seen_ids.add(key_t)
unique_techniques.append(t)
return list(dict.fromkeys(tactics)), unique_techniques
def _star_query_texts(rule: dict) -> list[str]:
"""
Extract all PowerQuery/filter strings from a STAR rule.
@@ -94,12 +151,17 @@ def _import_from_api_rules(db, rules: list) -> int:
seen_ids.add(rule_id)
sources = rule.get("sources") or []
tactics, techniques = _extract_mitre(rule)
db.add(ParsedRule(
rule_id=rule_id,
name=rule.get("name", "unnamed"),
rule_type="library",
fields_used=[], # API rules don't expose field-level info
raw=json.dumps({"data_sources": sources}),
raw=json.dumps({
"data_sources": sources,
"tactics": tactics,
"techniques": techniques,
}),
))
loaded += 1
if loaded % 500 == 0:
@@ -142,12 +204,17 @@ def _import_detections(db, detections_file: str) -> int:
continue
seen_ids.add(rule_id)
tactics, techniques = _extract_mitre(rule)
db.add(ParsedRule(
rule_id=rule_id,
name=rule.get("name", "unnamed"),
rule_type="library",
fields_used=list(all_fields),
raw=json.dumps({"data_sources": list(set(data_sources))}),
raw=json.dumps({
"data_sources": list(set(data_sources)),
"tactics": tactics,
"techniques": techniques,
}),
))
loaded += 1
if loaded % 500 == 0:
@@ -561,6 +628,12 @@ def get_coverage_map(db: Session = Depends(get_db)):
parser_fields_rows = db.query(ParserField).all()
rules = db.query(ParsedRule).all()
firing_cache: dict[str, int] = {
row.rule_name: row.alert_count
for row in db.query(RuleFiringCache).all()
}
firing_cache_populated = len(firing_cache) > 0
# parser_name → set of field names (for field count display)
parser_index: dict[str, set] = {}
for pf in parser_fields_rows:
@@ -675,7 +748,11 @@ def get_coverage_map(db: Session = Depends(get_db)):
else:
needed_count += 1 # stub_parser and parser_needed both count as needing work
rules_for_src: list = [r for r in rule_by_source.get(src.source_name, []) if r["type"] == "library"]
rules_for_src: list = [
{**r, "alert_count": firing_cache.get(r["rule"], 0)}
for r in rule_by_source.get(src.source_name, [])
if r["type"] == "library"
]
# Close-match suggestions — shown when there are no library rules for this source.
close_matches: list = []
@@ -779,6 +856,7 @@ def get_coverage_map(db: Session = Depends(get_db)):
"unlabelled_events": _unlabelled_event_count,
"parsers_loaded": len(parser_index),
"rules_loaded": len(rules),
"firing_cache_populated": firing_cache_populated,
},
"sources": sources_out,
"synced_at": synced_at,
@@ -794,6 +872,175 @@ def get_stub_parsers():
return {"stubs": stubs, "count": len(stubs)}
@router.get("/mitre")
def get_mitre_coverage(db: Session = Depends(get_db)):
rules = db.query(ParsedRule).filter_by(rule_type="library").all()
TACTIC_ORDER = [
"Reconnaissance", "Resource Development", "Initial Access", "Execution",
"Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
"Discovery", "Lateral Movement", "Collection", "Command and Control",
"Exfiltration", "Impact", "Uncategorized",
]
tactic_map: dict[str, dict] = {}
no_mitre_count = 0
for rule in rules:
try:
raw_data = json.loads(rule.raw) if rule.raw else {}
except Exception:
raw_data = {}
tactics = raw_data.get("tactics", [])
techniques = raw_data.get("techniques", [])
if not tactics and not techniques:
no_mitre_count += 1
continue
if not tactics:
tactics = ["Uncategorized"]
for tactic in tactics:
if tactic not in tactic_map:
tactic_map[tactic] = {"techniques": {}, "rule_count": 0}
tactic_map[tactic]["rule_count"] += 1
for tech in techniques:
key_t = tech["id"] or tech["name"]
if key_t:
tactic_map[tactic]["techniques"][key_t] = tech["name"] or key_t
def _tactic_sort_key(name: str) -> int:
try:
return TACTIC_ORDER.index(name)
except ValueError:
return len(TACTIC_ORDER)
tactics_out = []
total_techniques = 0
for tactic_name in sorted(tactic_map.keys(), key=_tactic_sort_key):
tech_dict = tactic_map[tactic_name]["techniques"]
techniques_list = [
{"id": k if (k.startswith("T") and len(k) >= 4) else "", "name": v}
for k, v in sorted(tech_dict.items())
]
total_techniques += len(techniques_list)
tactics_out.append({
"tactic": tactic_name,
"rule_count": tactic_map[tactic_name]["rule_count"],
"technique_count": len(techniques_list),
"techniques": techniques_list,
})
return {
"tactics": tactics_out,
"total_rules": len(rules),
"rules_with_mitre": len(rules) - no_mitre_count,
"rules_without_mitre": no_mitre_count,
"total_techniques": total_techniques,
"tactic_count": len(tactics_out),
}
@router.post("/sync-rule-firing")
async def sync_rule_firing(period_days: int = 30, db: Session = Depends(get_db)):
"""Query SDL for alert/threat counts by rule name over the last N days.
Tries multiple field name patterns until one returns results.
Caches results in rule_firing_cache table."""
from datetime import datetime, timedelta
now = datetime.utcnow()
from_dt = (now - timedelta(days=period_days)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
to_dt = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
FIRING_QUERIES = [
("| filter ruleName != '' | group alerts=count() by ruleName | sort -alerts | limit 2000", "ruleName"),
("| filter threatInfo.detectionEngineRule.name != '' | group alerts=count() by threatInfo.detectionEngineRule.name | sort -alerts | limit 2000", "threatInfo.detectionEngineRule.name"),
("| filter alert.ruleName != '' | group alerts=count() by alert.ruleName | sort -alerts | limit 2000", "alert.ruleName"),
]
result_rows = []
query_used = None
errors = []
for query, name_field in FIRING_QUERIES:
try:
result = await s1_client.run_powerquery(query, from_dt, to_dt, max_count=10_000_000)
err = result.get("error") if isinstance(result, dict) else None
if err:
errors.append(f"{name_field}: {err}")
continue
rows = result.get("events", [])
if rows:
# Remap the name field to a standard key
result_rows = [{"rule_name": r.get(name_field, r.get("ruleName", "")), "alerts": r.get("alerts", 0)} for r in rows]
result_rows = [r for r in result_rows if r["rule_name"]]
if result_rows:
query_used = query
break
except Exception as e:
errors.append(f"{name_field}: {e}")
continue
if not result_rows:
return {
"synced": 0,
"period_days": period_days,
"rules_with_alerts": 0,
"query_used": None,
"message": "No alert data found. Errors: " + "; ".join(errors) if errors else "No alert data found — SDL may not have alert events in this time window.",
}
# Upsert into cache
checked_at = datetime.utcnow()
for row in result_rows:
existing = db.query(RuleFiringCache).filter_by(rule_name=row["rule_name"]).first()
if existing:
existing.alert_count = row["alerts"]
existing.period_days = period_days
existing.checked_at = checked_at
else:
db.add(RuleFiringCache(
rule_name=row["rule_name"],
alert_count=row["alerts"],
period_days=period_days,
checked_at=checked_at,
))
db.commit()
return {
"synced": len(result_rows),
"period_days": period_days,
"rules_with_alerts": len(result_rows),
"query_used": query_used,
}
@router.get("/rule-firing-cache")
def get_rule_firing_cache(db: Session = Depends(get_db)):
"""Return all cached rule firing data sorted by alert count descending."""
rows = db.query(RuleFiringCache).order_by(RuleFiringCache.alert_count.desc()).all()
total_rules = db.query(ParsedRule).filter_by(rule_type="library").count()
fired = [r for r in rows if r.alert_count > 0]
never_fired_count = total_rules - len(fired)
period_days = rows[0].period_days if rows else 30
checked_at = rows[0].checked_at.isoformat() if rows and rows[0].checked_at else None
return {
"rules": [
{
"rule_name": r.rule_name,
"alert_count": r.alert_count,
"period_days": r.period_days,
"checked_at": r.checked_at.isoformat() if r.checked_at else None,
}
for r in rows
],
"summary": {
"rules_monitored": len(rows),
"fired_in_period": len(fired),
"never_fired": never_fired_count,
"period_days": period_days,
"checked_at": checked_at,
},
}
@router.delete("/reset")
def reset_data(db: Session = Depends(get_db)):
db.query(ParsedRule).delete()
frontend/index.html
+230
View File
@@ -22,6 +22,7 @@
<a href="#/ingest" data-page="ingest" class="nav-link flex items-center px-3 py-2 rounded-lg text-sm cursor-pointer">Ingest Dashboard</a>
<a href="#/quality" data-page="quality" class="nav-link flex items-center px-3 py-2 rounded-lg text-sm cursor-pointer">Parser Quality</a>
<a href="#/onboarding" data-page="onboarding" class="nav-link flex items-center px-3 py-2 rounded-lg text-sm cursor-pointer">Onboarding</a>
<a href="#/threat" data-page="threat" class="nav-link flex items-center px-3 py-2 rounded-lg text-sm cursor-pointer">Threat Coverage</a>
</nav>
<div class="p-3 border-t border-white/5">
<a href="#/settings" data-page="settings" class="nav-link flex items-center gap-2 px-3 py-2 rounded-lg text-sm cursor-pointer text-slate-400 hover:bg-white/5 hover:text-gray-100 transition-colors">
@@ -559,7 +560,19 @@ function cvSetFilter(f) {
}
function detectionsCell(s) {
const firingPopulated = cvData?.summary?.firing_cache_populated === true
if (s.rule_count) {
if (firingPopulated) {
const ruleItems = (s.rules || []).map(r => {
const alerts = r.alert_count || 0
if (alerts > 0) {
return `<span class="text-purple-400 font-mono text-xs" title="${esc(r.rule)} — ${alerts} alerts">${esc(r.rule.length > 40 ? r.rule.slice(0, 40) + '…' : r.rule)} <span class="text-emerald-500">(${alerts})</span></span>`
} else {
return `<span class="text-amber-400 font-mono text-xs" title="${esc(r.rule)} — no alerts in period">&#9888; ${esc(r.rule.length > 40 ? r.rule.slice(0, 40) + '…' : r.rule)}</span>`
}
})
return `<div class="space-y-0.5">${ruleItems.join('')}</div>`
}
return `<span class="text-purple-400 font-medium">${s.rule_count}</span> rule${s.rule_count !== 1 ? 's' : ''}`
}
if (s.close_matches && s.close_matches.length) {
@@ -1394,6 +1407,222 @@ async function qtTest() {
} finally { setBtn('btn-qt', false, 'Test') }
}
// ── Threat Coverage ───────────────────────────────────────────────────────
function renderThreat() {
set(`<div class="p-8 max-w-6xl space-y-8">
<div>
<h1 class="text-xl font-extrabold text-white tracking-tight">Threat Coverage</h1>
<p class="text-sm text-slate-400 mt-1">MITRE ATT&amp;CK heatmap and detection rule firing status</p>
</div>
<!-- MITRE ATT&CK Heatmap -->
<div>
<div class="flex items-start justify-between mb-4">
<div>
<h2 class="text-base font-semibold text-white">MITRE ATT&amp;CK Coverage</h2>
<p class="text-xs text-slate-500 mt-0.5">Detection rules mapped to ATT&amp;CK tactics and techniques</p>
</div>
<button id="btn-sync-library-threat" onclick="syncLibraryThreat()"
class="px-3 py-1.5 text-sm bg-blue-700 hover:bg-blue-600 rounded-lg text-white font-medium transition-colors shadow-sm">
Sync Detection Library
</button>
</div>
<div id="mitre-stats" class="grid grid-cols-2 md:grid-cols-4 gap-3 mb-6"></div>
<div id="mitre-err"></div>
<div id="mitre-grid" class="grid grid-cols-1 md:grid-cols-2 xl:grid-cols-3 gap-4">
<div class="col-span-full text-slate-600 text-sm text-center py-8">Loading MITRE coverage…</div>
</div>
</div>
<!-- Rule Firing Status -->
<div>
<div class="flex items-start justify-between mb-4">
<div>
<h2 class="text-base font-semibold text-white">Rule Firing Status</h2>
<p class="text-xs text-slate-500 mt-0.5">Rules that have never triggered an alert may be misconfigured or require data sources not yet active.</p>
</div>
<div class="flex items-center gap-2">
<select id="firing-period" class="bg-slate-800/80 border border-white/10 rounded-lg px-2 py-1.5 text-sm text-gray-300 focus:outline-none focus:border-purple-500 transition-colors">
<option value="7">Last 7d</option>
<option value="14">Last 14d</option>
<option value="30" selected>Last 30d</option>
<option value="60">Last 60d</option>
<option value="90">Last 90d</option>
</select>
<button id="btn-sync-firing" onclick="syncRuleFiring()"
class="px-3 py-1.5 text-sm bg-emerald-700 hover:bg-emerald-600 rounded-lg text-white font-medium transition-colors shadow-sm">
Sync Alert Firing Status
</button>
</div>
</div>
<div id="firing-err"></div>
<div id="firing-summary"></div>
<div id="firing-table"></div>
</div>
</div>`)
loadMitre()
loadFiringStatus()
}
async function syncLibraryThreat() {
setBtn('btn-sync-library-threat', true)
const errEl = document.getElementById('mitre-err')
if (errEl) errEl.innerHTML = ''
try {
const r = await apiPost('/api/coverage/load-detections', {})
if (errEl) {
errEl.innerHTML = `<div class="p-3 bg-emerald-950/60 ring-1 ring-emerald-700/50 rounded-xl text-sm text-emerald-300 mb-4">&#x2713; ${r.loaded} detection rules synced from ${r.source === 'api' ? 'S1 API' : 'local file'}</div>`
setTimeout(() => { errEl.innerHTML = '' }, 4000)
}
loadMitre()
} catch(e) {
if (errEl) errEl.innerHTML = errBox(e.message)
} finally { setBtn('btn-sync-library-threat', false, 'Sync Detection Library') }
}
async function loadMitre() {
const gridEl = document.getElementById('mitre-grid')
const statsEl = document.getElementById('mitre-stats')
if (!gridEl) return
gridEl.innerHTML = '<div class="col-span-full text-slate-600 text-sm text-center py-8 animate-pulse">Loading MITRE coverage…</div>'
try {
const data = await apiGet('/api/coverage/mitre')
// Stats row
if (statsEl) {
statsEl.innerHTML = `
${statCard('Total Library Rules', data.total_rules, 'text-gray-200')}
${statCard('Rules with MITRE Mapping', data.rules_with_mitre, 'text-purple-400')}
${statCard('Tactics Covered', data.tactic_count, 'text-blue-400')}
${statCard('Techniques Covered', data.total_techniques, 'text-emerald-400')}`
}
if (!data.tactics || data.tactics.length === 0) {
gridEl.innerHTML = `<div class="col-span-full bg-gradient-to-b from-gray-900 to-gray-950 ring-1 ring-white/5 rounded-xl p-8 text-center text-slate-500 text-sm">
No MITRE data found. Sync the Detection Library to populate MITRE mappings.
</div>`
return
}
gridEl.innerHTML = data.tactics.map(t => {
const borderColor = t.rule_count >= 20 ? 'border-l-purple-500' : t.rule_count >= 5 ? 'border-l-blue-500' : 'border-l-slate-600'
const badgeColor = t.rule_count >= 20 ? 'bg-purple-900/60 text-purple-300 border-purple-700' : t.rule_count >= 5 ? 'bg-blue-900/60 text-blue-300 border-blue-700' : 'bg-slate-800/60 text-slate-400 border-slate-700'
const MAX_SHOWN = 12
const chips = t.techniques.slice(0, MAX_SHOWN).map(tech =>
`<span class="inline-flex items-center px-1.5 py-0.5 rounded-full text-xs bg-slate-800/80 ring-1 ring-white/5 text-slate-400 font-mono" title="${esc(tech.name)}">${esc(tech.id || tech.name)}</span>`
).join('')
const expandId = 'mitre-expand-' + t.tactic.replace(/[^a-z0-9]/gi, '_')
const moreChips = t.techniques.slice(MAX_SHOWN).map(tech =>
`<span class="inline-flex items-center px-1.5 py-0.5 rounded-full text-xs bg-slate-800/80 ring-1 ring-white/5 text-slate-400 font-mono" title="${esc(tech.name)}">${esc(tech.id || tech.name)}</span>`
).join('')
const moreSection = t.techniques.length > MAX_SHOWN ? `
<div id="${expandId}" class="hidden flex flex-wrap gap-1 mt-1">${moreChips}</div>
<button onclick="mitreToggleMore('${expandId}', this)"
class="mt-1.5 text-xs text-purple-500 hover:text-purple-400 transition-colors">+${t.techniques.length - MAX_SHOWN} more</button>` : ''
return `<div class="bg-gradient-to-b from-gray-900 to-gray-950 ring-1 ring-white/5 rounded-xl p-4 border-l-4 ${borderColor} shadow-sm">
<div class="flex items-center justify-between mb-3">
<span class="font-semibold text-white text-sm">${esc(t.tactic)}</span>
<span class="px-2 py-0.5 rounded-full text-xs font-medium border ${badgeColor}">${t.rule_count} rule${t.rule_count !== 1 ? 's' : ''}</span>
</div>
${t.techniques.length > 0 ? `
<div class="flex flex-wrap gap-1">${chips}</div>
${moreSection}` : `<p class="text-xs text-slate-600">No technique IDs mapped</p>`}
</div>`
}).join('')
} catch(e) {
if (gridEl) gridEl.innerHTML = `<div class="col-span-full text-red-400 text-sm">${esc(e.message)}</div>`
}
}
function mitreToggleMore(id, btn) {
const el = document.getElementById(id)
if (!el) return
const hidden = el.classList.toggle('hidden')
btn.textContent = hidden ? '+' + btn.textContent.replace(/^[^ ]+\s*/, '') + ' more' : 'Show less'
// Re-calculate count when hiding
if (hidden) {
const count = el.querySelectorAll('span').length
btn.textContent = '+' + count + ' more'
}
}
async function syncRuleFiring() {
setBtn('btn-sync-firing', true)
const errEl = document.getElementById('firing-err')
if (errEl) errEl.innerHTML = ''
try {
const period = +document.getElementById('firing-period').value || 30
const r = await apiPost(`/api/coverage/sync-rule-firing?period_days=${period}`, {})
if (r.message) {
if (errEl) errEl.innerHTML = `<div class="p-3 bg-amber-950/60 ring-1 ring-amber-700/50 rounded-xl text-sm text-amber-300 mb-4">&#9888; ${esc(r.message)}</div>`
} else {
if (errEl) {
errEl.innerHTML = `<div class="p-3 bg-emerald-950/60 ring-1 ring-emerald-700/50 rounded-xl text-sm text-emerald-300 mb-4">&#x2713; Synced ${r.synced} rules over ${r.period_days}d</div>`
setTimeout(() => { errEl.innerHTML = '' }, 4000)
}
loadFiringStatus()
}
} catch(e) {
if (errEl) errEl.innerHTML = errBox(e.message)
} finally { setBtn('btn-sync-firing', false, 'Sync Alert Firing Status') }
}
async function loadFiringStatus() {
const summaryEl = document.getElementById('firing-summary')
const tableEl = document.getElementById('firing-table')
if (!summaryEl || !tableEl) return
try {
const data = await apiGet('/api/coverage/rule-firing-cache')
const s = data.summary
if (!data.rules || data.rules.length === 0) {
summaryEl.innerHTML = ''
tableEl.innerHTML = `<div class="bg-gradient-to-b from-gray-900 to-gray-950 ring-1 ring-white/5 rounded-xl p-6 text-center text-sm text-slate-500">
No firing data cached yet. Click <strong class="text-slate-300">Sync Alert Firing Status</strong> to query the SDL.
</div>`
return
}
summaryEl.innerHTML = `
<div class="grid grid-cols-3 gap-3 mb-4">
${statCard('Rules Monitored', s.rules_monitored, 'text-gray-200')}
${statCard(`Fired in ${s.period_days}d`, s.fired_in_period, 'text-emerald-400')}
${statCard('Never Fired', s.never_fired, s.never_fired > 0 ? 'text-amber-400' : 'text-gray-500')}
</div>`
const top20 = data.rules.slice(0, 20)
const rows = top20.map((r, i) => {
const badge = r.alert_count > 0
? `<span class="px-2 py-0.5 rounded-full text-xs font-medium border bg-emerald-900/50 text-emerald-300 border-emerald-700">Active</span>`
: `<span class="px-2 py-0.5 rounded-full text-xs font-medium border bg-amber-900/50 text-amber-300 border-amber-700">Silent</span>`
return `<tr class="${i % 2 === 1 ? 'bg-white/[0.015]' : ''} border-b border-white/5 hover:bg-white/[0.04] transition-colors">
<td class="py-2.5 px-4 font-mono text-xs text-gray-200">${esc(r.rule_name)}</td>
<td class="py-2.5 px-4 text-xs text-slate-300 tabular-nums">${r.alert_count.toLocaleString()}</td>
<td class="py-2.5 px-4">${badge}</td>
</tr>`
}).join('')
tableEl.innerHTML = `
<div class="overflow-x-auto rounded-xl ring-1 ring-white/5">
<table class="w-full text-sm">
<thead><tr class="text-left text-slate-500 bg-slate-900/60 border-b border-white/5">
<th class="py-3 px-4 font-medium text-xs uppercase tracking-wide">Rule Name</th>
<th class="py-3 px-4 font-medium text-xs uppercase tracking-wide">Alerts (${s.period_days}d)</th>
<th class="py-3 px-4 font-medium text-xs uppercase tracking-wide">Status</th>
</tr></thead>
<tbody>${rows}</tbody>
</table>
</div>
${s.checked_at ? `<p class="text-xs text-slate-600 mt-2">Last synced: ${new Date(s.checked_at).toLocaleString()}</p>` : ''}`
} catch(e) {
if (tableEl) tableEl.innerHTML = `<p class="text-red-400 text-sm">${esc(e.message)}</p>`
}
}
// ── Router ────────────────────────────────────────────────────────────────
function set(html) { document.getElementById('main').innerHTML = html }
@@ -1411,6 +1640,7 @@ function route() {
else if (h === '#/ingest') { updateNav('ingest'); renderIngest() }
else if (h === '#/quality') { updateNav('quality'); renderQuality() }
else if (h === '#/onboarding') { updateNav('onboarding'); renderOnboarding() }
else if (h === '#/threat') { updateNav('threat'); renderThreat() }
else if (h === '#/settings') { updateNav('settings'); renderSettings() }
else { updateNav('home'); renderHome() }
}