ahmido
fdfb781144
Implements Spec 115 (Baseline Operability & Alert Integration). Key changes - Baseline compare: safe auto-close of stale baseline findings (gated on successful/complete compares) - Baseline alerts: `baseline_high_drift` + `baseline_compare_failed` with dedupe/cooldown semantics - Workspace settings: baseline severity mapping + minimum severity threshold + auto-close toggle - Baseline Compare UX: shared stats layer + landing/widget consistency Notes - Livewire v4 / Filament v5 compatible. - Destructive-like actions require confirmation (no new destructive actions added here). Tests - `vendor/bin/sail artisan test --compact tests/Feature/Baselines/ tests/Feature/Alerts/` Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #140
657 lines
24 KiB
PHP
657 lines
24 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Jobs\Alerts;
|
|
|
|
use App\Models\AlertRule;
|
|
use App\Models\Finding;
|
|
use App\Models\OperationRun;
|
|
use App\Models\Workspace;
|
|
use App\Services\Alerts\AlertDispatchService;
|
|
use App\Services\OperationRunService;
|
|
use App\Services\Settings\SettingsResolver;
|
|
use App\Support\OperationRunOutcome;
|
|
use App\Support\OperationRunStatus;
|
|
use App\Support\OperationRunType;
|
|
use Carbon\CarbonImmutable;
|
|
use Illuminate\Bus\Queueable;
|
|
use Illuminate\Contracts\Queue\ShouldQueue;
|
|
use Illuminate\Foundation\Bus\Dispatchable;
|
|
use Illuminate\Queue\InteractsWithQueue;
|
|
use Illuminate\Queue\SerializesModels;
|
|
use Illuminate\Support\Arr;
|
|
use Throwable;
|
|
|
|
class EvaluateAlertsJob implements ShouldQueue
|
|
{
|
|
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
|
|
|
|
public function __construct(
|
|
public int $workspaceId,
|
|
public ?int $operationRunId = null,
|
|
) {}
|
|
|
|
public function handle(AlertDispatchService $dispatchService, OperationRunService $operationRuns): void
|
|
{
|
|
$workspace = Workspace::query()->whereKey($this->workspaceId)->first();
|
|
|
|
if (! $workspace instanceof Workspace) {
|
|
return;
|
|
}
|
|
|
|
$operationRun = $this->resolveOperationRun($workspace, $operationRuns);
|
|
|
|
if (! $operationRun instanceof OperationRun) {
|
|
return;
|
|
}
|
|
|
|
if ($operationRun->status === OperationRunStatus::Completed->value) {
|
|
return;
|
|
}
|
|
|
|
$operationRuns->updateRun(
|
|
$operationRun,
|
|
status: OperationRunStatus::Running->value,
|
|
outcome: OperationRunOutcome::Pending->value,
|
|
);
|
|
|
|
$windowStart = $this->resolveWindowStart($operationRun);
|
|
|
|
try {
|
|
$events = [
|
|
...$this->highDriftEvents((int) $workspace->getKey(), $windowStart),
|
|
...$this->baselineHighDriftEvents((int) $workspace->getKey(), $windowStart),
|
|
...$this->slaDueEvents((int) $workspace->getKey(), $windowStart),
|
|
...$this->compareFailedEvents((int) $workspace->getKey(), $windowStart),
|
|
...$this->baselineCompareFailedEvents((int) $workspace->getKey(), $windowStart),
|
|
...$this->permissionMissingEvents((int) $workspace->getKey(), $windowStart),
|
|
...$this->entraAdminRolesHighEvents((int) $workspace->getKey(), $windowStart),
|
|
];
|
|
|
|
$createdDeliveries = 0;
|
|
|
|
foreach ($events as $event) {
|
|
$createdDeliveries += $dispatchService->dispatchEvent($workspace, $event);
|
|
}
|
|
|
|
$operationRuns->updateRun(
|
|
$operationRun,
|
|
status: OperationRunStatus::Completed->value,
|
|
outcome: OperationRunOutcome::Succeeded->value,
|
|
summaryCounts: [
|
|
'total' => count($events),
|
|
'processed' => count($events),
|
|
'created' => $createdDeliveries,
|
|
],
|
|
);
|
|
} catch (Throwable $exception) {
|
|
$operationRuns->updateRun(
|
|
$operationRun,
|
|
status: OperationRunStatus::Completed->value,
|
|
outcome: OperationRunOutcome::Failed->value,
|
|
failures: [
|
|
[
|
|
'code' => 'alerts.evaluate.failed',
|
|
'message' => $this->sanitizeErrorMessage($exception),
|
|
],
|
|
],
|
|
);
|
|
|
|
throw $exception;
|
|
}
|
|
}
|
|
|
|
private function resolveOperationRun(Workspace $workspace, OperationRunService $operationRuns): ?OperationRun
|
|
{
|
|
if (is_int($this->operationRunId) && $this->operationRunId > 0) {
|
|
$operationRun = OperationRun::query()
|
|
->whereKey($this->operationRunId)
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('type', 'alerts.evaluate')
|
|
->first();
|
|
|
|
if ($operationRun instanceof OperationRun) {
|
|
return $operationRun;
|
|
}
|
|
}
|
|
|
|
$slotKey = CarbonImmutable::now('UTC')->format('YmdHi').'Z';
|
|
|
|
return $operationRuns->ensureWorkspaceRunWithIdentity(
|
|
workspace: $workspace,
|
|
type: 'alerts.evaluate',
|
|
identityInputs: [
|
|
'slot_key' => $slotKey,
|
|
],
|
|
context: [
|
|
'trigger' => 'job',
|
|
'slot_key' => $slotKey,
|
|
],
|
|
initiator: null,
|
|
);
|
|
}
|
|
|
|
private function resolveWindowStart(OperationRun $operationRun): CarbonImmutable
|
|
{
|
|
$previous = OperationRun::query()
|
|
->where('workspace_id', (int) $operationRun->workspace_id)
|
|
->whereNull('tenant_id')
|
|
->where('type', 'alerts.evaluate')
|
|
->where('status', OperationRunStatus::Completed->value)
|
|
->whereNotNull('completed_at')
|
|
->where('id', '<', (int) $operationRun->getKey())
|
|
->orderByDesc('completed_at')
|
|
->orderByDesc('id')
|
|
->first();
|
|
|
|
if ($previous instanceof OperationRun && $previous->completed_at !== null) {
|
|
return CarbonImmutable::instance($previous->completed_at);
|
|
}
|
|
|
|
$lookbackMinutes = max(1, (int) config('tenantpilot.alerts.evaluate_initial_lookback_minutes', 15));
|
|
|
|
return CarbonImmutable::now('UTC')->subMinutes($lookbackMinutes);
|
|
}
|
|
|
|
/**
|
|
* @return array<int, array<string, mixed>>
|
|
*/
|
|
private function highDriftEvents(int $workspaceId, CarbonImmutable $windowStart): array
|
|
{
|
|
$findings = Finding::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
|
|
->whereIn('severity', [Finding::SEVERITY_HIGH, Finding::SEVERITY_CRITICAL])
|
|
->whereIn('status', [Finding::STATUS_NEW, Finding::STATUS_REOPENED])
|
|
->where(function ($query) use ($windowStart): void {
|
|
$query
|
|
->where(function ($statusQuery) use ($windowStart): void {
|
|
$statusQuery
|
|
->where('status', Finding::STATUS_NEW)
|
|
->where('created_at', '>', $windowStart);
|
|
})
|
|
->orWhere(function ($statusQuery) use ($windowStart): void {
|
|
$statusQuery
|
|
->where('status', Finding::STATUS_REOPENED)
|
|
->where(function ($reopenedQuery) use ($windowStart): void {
|
|
$reopenedQuery
|
|
->where('reopened_at', '>', $windowStart)
|
|
->orWhere(function ($fallbackQuery) use ($windowStart): void {
|
|
$fallbackQuery
|
|
->whereNull('reopened_at')
|
|
->where('updated_at', '>', $windowStart);
|
|
});
|
|
});
|
|
});
|
|
})
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
$events = [];
|
|
|
|
foreach ($findings as $finding) {
|
|
$events[] = [
|
|
'event_type' => 'high_drift',
|
|
'tenant_id' => (int) $finding->tenant_id,
|
|
'severity' => (string) $finding->severity,
|
|
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
|
|
'title' => 'High drift finding detected',
|
|
'body' => sprintf(
|
|
'Finding %d was created with severity %s.',
|
|
(int) $finding->getKey(),
|
|
(string) $finding->severity,
|
|
),
|
|
'metadata' => [
|
|
'finding_id' => (int) $finding->getKey(),
|
|
],
|
|
];
|
|
}
|
|
|
|
return $events;
|
|
}
|
|
|
|
/**
|
|
* @return array<int, array<string, mixed>>
|
|
*/
|
|
private function baselineHighDriftEvents(int $workspaceId, CarbonImmutable $windowStart): array
|
|
{
|
|
$minimumSeverity = $this->baselineAlertMinimumSeverity($workspaceId);
|
|
|
|
$findings = Finding::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
|
|
->where('source', 'baseline.compare')
|
|
->whereIn('status', [Finding::STATUS_NEW, Finding::STATUS_REOPENED])
|
|
->where(function ($query) use ($windowStart): void {
|
|
$query
|
|
->where(function ($statusQuery) use ($windowStart): void {
|
|
$statusQuery
|
|
->where('status', Finding::STATUS_NEW)
|
|
->where('created_at', '>', $windowStart);
|
|
})
|
|
->orWhere(function ($statusQuery) use ($windowStart): void {
|
|
$statusQuery
|
|
->where('status', Finding::STATUS_REOPENED)
|
|
->where(function ($reopenedQuery) use ($windowStart): void {
|
|
$reopenedQuery
|
|
->where('reopened_at', '>', $windowStart)
|
|
->orWhere(function ($fallbackQuery) use ($windowStart): void {
|
|
$fallbackQuery
|
|
->whereNull('reopened_at')
|
|
->where('updated_at', '>', $windowStart);
|
|
});
|
|
});
|
|
});
|
|
})
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
$events = [];
|
|
|
|
foreach ($findings as $finding) {
|
|
$severity = strtolower(trim((string) $finding->severity));
|
|
|
|
if (! $this->meetsMinimumSeverity($severity, $minimumSeverity)) {
|
|
continue;
|
|
}
|
|
|
|
$fingerprint = trim((string) $finding->fingerprint);
|
|
$changeType = strtolower(trim((string) Arr::get($finding->evidence_jsonb, 'change_type', '')));
|
|
|
|
if ($fingerprint === '' || ! in_array($changeType, [
|
|
'missing_policy',
|
|
'different_version',
|
|
'unexpected_policy',
|
|
], true)) {
|
|
continue;
|
|
}
|
|
|
|
$events[] = [
|
|
'event_type' => AlertRule::EVENT_BASELINE_HIGH_DRIFT,
|
|
'tenant_id' => (int) $finding->tenant_id,
|
|
'severity' => $severity,
|
|
'fingerprint_key' => 'finding_fingerprint:'.$fingerprint,
|
|
'title' => 'Baseline drift detected',
|
|
'body' => sprintf(
|
|
'Baseline finding %d requires attention (%s).',
|
|
(int) $finding->getKey(),
|
|
str_replace('_', ' ', $changeType),
|
|
),
|
|
'metadata' => [
|
|
'finding_id' => (int) $finding->getKey(),
|
|
'finding_fingerprint' => $fingerprint,
|
|
'change_type' => $changeType,
|
|
],
|
|
];
|
|
}
|
|
|
|
return $events;
|
|
}
|
|
|
|
/**
|
|
* @return array<int, array<string, mixed>>
|
|
*/
|
|
private function compareFailedEvents(int $workspaceId, CarbonImmutable $windowStart): array
|
|
{
|
|
$failedRuns = OperationRun::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->whereNotNull('tenant_id')
|
|
->where('type', 'drift_generate_findings')
|
|
->where('status', OperationRunStatus::Completed->value)
|
|
->where('outcome', OperationRunOutcome::Failed->value)
|
|
->where('created_at', '>', $windowStart)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
$events = [];
|
|
|
|
foreach ($failedRuns as $failedRun) {
|
|
$tenantId = (int) ($failedRun->tenant_id ?? 0);
|
|
|
|
if ($tenantId <= 0) {
|
|
continue;
|
|
}
|
|
|
|
$events[] = [
|
|
'event_type' => 'compare_failed',
|
|
'tenant_id' => $tenantId,
|
|
'severity' => 'high',
|
|
'fingerprint_key' => 'operation_run:'.(int) $failedRun->getKey(),
|
|
'title' => 'Drift compare failed',
|
|
'body' => $this->firstFailureMessage($failedRun, 'A drift compare operation run failed.'),
|
|
'metadata' => [
|
|
'operation_run_id' => (int) $failedRun->getKey(),
|
|
],
|
|
];
|
|
}
|
|
|
|
return $events;
|
|
}
|
|
|
|
/**
|
|
* @return array<int, array<string, mixed>>
|
|
*/
|
|
private function baselineCompareFailedEvents(int $workspaceId, CarbonImmutable $windowStart): array
|
|
{
|
|
$failedRuns = OperationRun::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->whereNotNull('tenant_id')
|
|
->where('type', OperationRunType::BaselineCompare->value)
|
|
->where('status', OperationRunStatus::Completed->value)
|
|
->whereIn('outcome', [
|
|
OperationRunOutcome::Failed->value,
|
|
OperationRunOutcome::PartiallySucceeded->value,
|
|
])
|
|
->whereNotNull('completed_at')
|
|
->where('completed_at', '>', $windowStart)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
$events = [];
|
|
|
|
foreach ($failedRuns as $failedRun) {
|
|
$tenantId = (int) ($failedRun->tenant_id ?? 0);
|
|
|
|
if ($tenantId <= 0) {
|
|
continue;
|
|
}
|
|
|
|
$events[] = [
|
|
'event_type' => AlertRule::EVENT_BASELINE_COMPARE_FAILED,
|
|
'tenant_id' => $tenantId,
|
|
'severity' => 'high',
|
|
'fingerprint_key' => 'operation_run:'.(int) $failedRun->getKey(),
|
|
'title' => 'Baseline compare failed',
|
|
'body' => $this->firstFailureMessage($failedRun, 'A baseline compare operation run failed.'),
|
|
'metadata' => [
|
|
'operation_run_id' => (int) $failedRun->getKey(),
|
|
],
|
|
];
|
|
}
|
|
|
|
return $events;
|
|
}
|
|
|
|
/**
|
|
* @return array<int, array<string, mixed>>
|
|
*/
|
|
private function slaDueEvents(int $workspaceId, CarbonImmutable $windowStart): array
|
|
{
|
|
$now = CarbonImmutable::now('UTC');
|
|
|
|
$newlyOverdueTenantIds = Finding::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->whereNotNull('tenant_id')
|
|
->whereNotNull('due_at')
|
|
->where('due_at', '>', $windowStart)
|
|
->where('due_at', '<=', $now)
|
|
->whereIn('status', Finding::openStatusesForQuery())
|
|
->orderBy('tenant_id')
|
|
->pluck('tenant_id')
|
|
->map(static fn (mixed $value): int => (int) $value)
|
|
->filter(static fn (int $tenantId): bool => $tenantId > 0)
|
|
->unique()
|
|
->values()
|
|
->all();
|
|
|
|
if ($newlyOverdueTenantIds === []) {
|
|
return [];
|
|
}
|
|
|
|
$severityRank = [
|
|
Finding::SEVERITY_LOW => 1,
|
|
Finding::SEVERITY_MEDIUM => 2,
|
|
Finding::SEVERITY_HIGH => 3,
|
|
Finding::SEVERITY_CRITICAL => 4,
|
|
];
|
|
|
|
/** @var array<int, array{overdue_total:int, overdue_by_severity:array<string, int>, severity:string}> $summaryByTenant */
|
|
$summaryByTenant = [];
|
|
|
|
foreach ($newlyOverdueTenantIds as $tenantId) {
|
|
$summaryByTenant[$tenantId] = [
|
|
'overdue_total' => 0,
|
|
'overdue_by_severity' => [
|
|
Finding::SEVERITY_CRITICAL => 0,
|
|
Finding::SEVERITY_HIGH => 0,
|
|
Finding::SEVERITY_MEDIUM => 0,
|
|
Finding::SEVERITY_LOW => 0,
|
|
],
|
|
'severity' => Finding::SEVERITY_LOW,
|
|
];
|
|
}
|
|
|
|
$overdueFindings = Finding::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->whereIn('tenant_id', $newlyOverdueTenantIds)
|
|
->whereNotNull('due_at')
|
|
->where('due_at', '<=', $now)
|
|
->whereIn('status', Finding::openStatusesForQuery())
|
|
->orderBy('tenant_id')
|
|
->orderBy('id')
|
|
->get(['tenant_id', 'severity']);
|
|
|
|
foreach ($overdueFindings as $finding) {
|
|
$tenantId = (int) ($finding->tenant_id ?? 0);
|
|
|
|
if (! isset($summaryByTenant[$tenantId])) {
|
|
continue;
|
|
}
|
|
|
|
$severity = strtolower(trim((string) $finding->severity));
|
|
|
|
if (! array_key_exists($severity, $severityRank)) {
|
|
$severity = Finding::SEVERITY_HIGH;
|
|
}
|
|
|
|
$summaryByTenant[$tenantId]['overdue_total']++;
|
|
$summaryByTenant[$tenantId]['overdue_by_severity'][$severity]++;
|
|
|
|
$currentSeverity = $summaryByTenant[$tenantId]['severity'];
|
|
|
|
if (($severityRank[$severity] ?? 0) > ($severityRank[$currentSeverity] ?? 0)) {
|
|
$summaryByTenant[$tenantId]['severity'] = $severity;
|
|
}
|
|
}
|
|
|
|
$windowFingerprint = $windowStart->setTimezone('UTC')->format('Uu');
|
|
$events = [];
|
|
|
|
foreach ($newlyOverdueTenantIds as $tenantId) {
|
|
$summary = $summaryByTenant[$tenantId] ?? null;
|
|
|
|
if (! is_array($summary) || (int) ($summary['overdue_total'] ?? 0) <= 0) {
|
|
continue;
|
|
}
|
|
|
|
/** @var array<string, int> $counts */
|
|
$counts = $summary['overdue_by_severity'];
|
|
|
|
$events[] = [
|
|
'event_type' => AlertRule::EVENT_SLA_DUE,
|
|
'tenant_id' => $tenantId,
|
|
'severity' => (string) ($summary['severity'] ?? Finding::SEVERITY_HIGH),
|
|
'fingerprint_key' => sprintf('sla_due:tenant:%d:window:%s', $tenantId, $windowFingerprint),
|
|
'title' => 'SLA due findings detected',
|
|
'body' => sprintf(
|
|
'%d open finding(s) are overdue (critical: %d, high: %d, medium: %d, low: %d).',
|
|
(int) $summary['overdue_total'],
|
|
(int) ($counts[Finding::SEVERITY_CRITICAL] ?? 0),
|
|
(int) ($counts[Finding::SEVERITY_HIGH] ?? 0),
|
|
(int) ($counts[Finding::SEVERITY_MEDIUM] ?? 0),
|
|
(int) ($counts[Finding::SEVERITY_LOW] ?? 0),
|
|
),
|
|
'metadata' => [
|
|
'overdue_total' => (int) $summary['overdue_total'],
|
|
'overdue_by_severity' => [
|
|
Finding::SEVERITY_CRITICAL => (int) ($counts[Finding::SEVERITY_CRITICAL] ?? 0),
|
|
Finding::SEVERITY_HIGH => (int) ($counts[Finding::SEVERITY_HIGH] ?? 0),
|
|
Finding::SEVERITY_MEDIUM => (int) ($counts[Finding::SEVERITY_MEDIUM] ?? 0),
|
|
Finding::SEVERITY_LOW => (int) ($counts[Finding::SEVERITY_LOW] ?? 0),
|
|
],
|
|
],
|
|
];
|
|
}
|
|
|
|
return $events;
|
|
}
|
|
|
|
private function firstFailureMessage(OperationRun $run, string $defaultMessage): string
|
|
{
|
|
$failures = is_array($run->failure_summary) ? $run->failure_summary : [];
|
|
|
|
foreach ($failures as $failure) {
|
|
if (! is_array($failure)) {
|
|
continue;
|
|
}
|
|
|
|
$message = trim((string) ($failure['message'] ?? ''));
|
|
|
|
if ($message !== '') {
|
|
return $message;
|
|
}
|
|
}
|
|
|
|
return $defaultMessage;
|
|
}
|
|
|
|
private function baselineAlertMinimumSeverity(int $workspaceId): string
|
|
{
|
|
$workspace = Workspace::query()->whereKey($workspaceId)->first();
|
|
|
|
if (! $workspace instanceof Workspace) {
|
|
return Finding::SEVERITY_HIGH;
|
|
}
|
|
|
|
try {
|
|
$value = app(SettingsResolver::class)->resolveValue(
|
|
workspace: $workspace,
|
|
domain: 'baseline',
|
|
key: 'alert_min_severity',
|
|
);
|
|
} catch (\InvalidArgumentException) {
|
|
return Finding::SEVERITY_HIGH;
|
|
}
|
|
|
|
$severity = strtolower(trim((string) $value));
|
|
|
|
return array_key_exists($severity, $this->severityRank())
|
|
? $severity
|
|
: Finding::SEVERITY_HIGH;
|
|
}
|
|
|
|
private function meetsMinimumSeverity(string $eventSeverity, string $minimumSeverity): bool
|
|
{
|
|
$rank = $this->severityRank();
|
|
|
|
return ($rank[$eventSeverity] ?? 0) >= ($rank[$minimumSeverity] ?? 0);
|
|
}
|
|
|
|
/**
|
|
* @return array<string, int>
|
|
*/
|
|
private function severityRank(): array
|
|
{
|
|
return [
|
|
Finding::SEVERITY_LOW => 1,
|
|
Finding::SEVERITY_MEDIUM => 2,
|
|
Finding::SEVERITY_HIGH => 3,
|
|
Finding::SEVERITY_CRITICAL => 4,
|
|
];
|
|
}
|
|
|
|
private function sanitizeErrorMessage(Throwable $exception): string
|
|
{
|
|
$message = trim($exception->getMessage());
|
|
|
|
if ($message === '') {
|
|
return 'Unexpected alert evaluation error.';
|
|
}
|
|
|
|
$message = preg_replace('/https?:\/\/\S+/i', '[redacted-url]', $message) ?? $message;
|
|
|
|
return mb_substr($message, 0, 500);
|
|
}
|
|
|
|
/**
|
|
* @return array<int, array<string, mixed>>
|
|
*/
|
|
private function permissionMissingEvents(int $workspaceId, CarbonImmutable $windowStart): array
|
|
{
|
|
$findings = Finding::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
|
|
->whereIn('status', [Finding::STATUS_NEW, Finding::STATUS_REOPENED])
|
|
->where('updated_at', '>', $windowStart)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
$events = [];
|
|
|
|
foreach ($findings as $finding) {
|
|
$events[] = [
|
|
'event_type' => AlertRule::EVENT_PERMISSION_MISSING,
|
|
'tenant_id' => (int) $finding->tenant_id,
|
|
'severity' => (string) $finding->severity,
|
|
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
|
|
'title' => 'Missing permission detected',
|
|
'body' => sprintf(
|
|
'Permission "%s" is missing for tenant %d (severity: %s).',
|
|
(string) ($finding->evidence_jsonb['permission_key'] ?? $finding->subject_external_id ?? 'unknown'),
|
|
(int) $finding->tenant_id,
|
|
(string) $finding->severity,
|
|
),
|
|
'metadata' => [
|
|
'finding_id' => (int) $finding->getKey(),
|
|
'permission_key' => (string) ($finding->evidence_jsonb['permission_key'] ?? ''),
|
|
],
|
|
];
|
|
}
|
|
|
|
return $events;
|
|
}
|
|
|
|
/**
|
|
* @return array<int, array<string, mixed>>
|
|
*/
|
|
private function entraAdminRolesHighEvents(int $workspaceId, CarbonImmutable $windowStart): array
|
|
{
|
|
$findings = Finding::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
|
|
->whereIn('severity', [Finding::SEVERITY_HIGH, Finding::SEVERITY_CRITICAL])
|
|
->whereIn('status', [Finding::STATUS_NEW, Finding::STATUS_REOPENED])
|
|
->where('updated_at', '>', $windowStart)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
$events = [];
|
|
|
|
foreach ($findings as $finding) {
|
|
$evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
|
|
|
|
$events[] = [
|
|
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
|
|
'tenant_id' => (int) $finding->tenant_id,
|
|
'severity' => (string) $finding->severity,
|
|
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
|
|
'title' => 'High-privilege Entra admin role detected',
|
|
'body' => sprintf(
|
|
'Role "%s" assigned to %s (severity: %s).',
|
|
(string) ($evidence['role_display_name'] ?? 'unknown'),
|
|
(string) ($evidence['principal_display_name'] ?? $finding->subject_external_id ?? 'unknown'),
|
|
(string) $finding->severity,
|
|
),
|
|
'metadata' => [
|
|
'finding_id' => (int) $finding->getKey(),
|
|
'role_display_name' => (string) ($evidence['role_display_name'] ?? ''),
|
|
'principal_display_name' => (string) ($evidence['principal_display_name'] ?? ''),
|
|
],
|
|
];
|
|
}
|
|
|
|
return $events;
|
|
}
|
|
}
|