Feature/new event detector

.github/ISSUE_TEMPLATE/01_bug_report.md

@@ -0,0 +1,21 @@
+---
+name: 🐜 Bug report
+about: If something isn't working 🔧
+---
+
+### Subject of the issue
+Describe your issue here.
+
+### Your environment
+* Version of detectmate
+* Version of python
+* Docker or manual installation?
+
+### Steps to reproduce
+Tell us how to reproduce this issue.
+
+### Expected behaviour
+Tell us what should happen
+
+### Actual behaviour
+Tell us what happens instead

.github/ISSUE_TEMPLATE/02_feature_request.md

@@ -0,0 +1,20 @@
+---
+name: 🚀 Feature request
+about: If you have a feature request 💡
+---
+
+**Context**
+
+What are you trying to do and how would you want to do it differently? Is it something you currently you cannot do? Is this related to an issue/problem?
+
+**Alternatives**
+
+Can you achieve the same result doing it in an alternative way? Is the alternative considerable?
+
+**Has the feature been requested before?**
+
+Please provide a link to the issue.
+
+**If the feature request is approved, would you be willing to submit a PR?**
+
+Yes / No _(Help can be provided if you need assistance submitting a PR)_

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

.github/pull_request_template.md

@@ -0,0 +1,19 @@
+# Task
+<!-- Please add link a relevant issue or task -->
+
+# Description
+<!-- Please include a summary of the change -->
+<!-- Any details that you think are important to review this PR? -->
+<!-- Are there other PRs related to this one? -->
+
+# How Has This Been Tested?
+<!-- Please describe how you tested your changes -->
+
+# Checklist
+<!-- Go over all the following points, and put an `x` in all the boxes that apply -->
+
+- [ ] This Pull-Request goes to the **development** branch.
+- [ ] I have successfully run prek locally.
+- [ ] I have added tests to cover my changes.
+- [ ] I have linked the issue-id to the task-description.
+- [ ] I have performed a self-review of my own code.

.gitignore

@@ -199,3 +199,6 @@ cython_debug/
 local/
 test.ipynb
 test.py
+
+# claude code
+CLAUDE.md

SECURITY.md

@@ -0,0 +1,32 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+| < 1.0.0   | :x:                |
+
+> [!IMPORTANT]
+> Currently DetectMateService is a work in progress and heavily under development. Possible vulnerabilities will not be treated any special and can be issued using [GitHub-Issues](https://github.com/ait-detectmate/DetectMateService/issues)
+
+## Reporting a Vulnerability
+
+Please email reports about any security related issues you find to aecid@ait.ac.at. This mail is delivered to a small developer team. Your email will be acknowledged within one business day, and you'll receive a more detailed response to your email within 7 days indicating the next steps in handling your report.
+
+Please use a descriptive subject line for your report email. After the initial reply to your report, our team will endeavor to keep you informed of the progress being made towards a fix and announcement.
+
+In addition, please include the following information along with your report:
+
+* Your name and affiliation (if any).
+* A description of the technical details of the vulnerabilities. It is very important to let us know how we can reproduce your findings.
+* An explanation who can exploit this vulnerability, and what they gain when doing so -- write an attack scenario. This will help us evaluate your report quickly, especially if the issue is complex.
+* Whether this vulnerability public or known to third parties. If it is, please provide details.
+* Whether we could mention your name in the changelogs.
+
+Once an issue is reported we use the following disclosure process:
+
+* When a report is received, we confirm the issue and determine its severity.
+* If we know of specific third-party services or software based on DetectMateService that require mitigation before publication, those projects will be notified.
+* Fixes are prepared for the last minor release of the latest major release.
+* Patch releases are published for all fixed released versions.

config/pipeline_config_default.yaml

@@ -68,8 +68,6 @@ detectors:
     NewValueComboDetector:
         method_type: new_value_combo_detector
         auto_config: False
-        params:
-            comb_size: 3
         events:
             1:
                 test:

docs/detectors.md

@@ -87,6 +87,7 @@ List of detectors:
 * [Random detector](detectors/random_detector.md): Generates random alerts.
 * [New Value](detectors/new_value.md): Detect new values in the variables in the logs.
 * [Combo Detector](detectors/combo.md): Detect new combination of variables in the logs.
+* [New Event](detectors/new_event.md): Detect new events in the variables in the logs.
 
 ## Configuration
 
@@ -192,7 +193,7 @@ The `set_configuration()` method queries the tracker results and generates the f
 def set_configuration(self):
     variables = {}
     for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
-        stable_vars = tracker.get_variables_by_classification("STABLE")
+        stable_vars = tracker.get_features_by_classification("STABLE")
         variables[event_id] = stable_vars
 
     config_dict = generate_detector_config(

docs/detectors/combo.md

@@ -18,7 +18,7 @@ detectors:
         method_type: new_value_combo_detector
         auto_config: False
         params:
-            comb_size: 3
+            max_combo_size: 3
         events:
             1:
                 test:

docs/detectors/new_event.md

@@ -0,0 +1,7 @@
+TODO PAGE
+
+TODO: new_event_detector
+TODO: test_new_event_detector
+- Tests need to be reworked, just copied from new_value_detector
+
+TODO: pipeline_config_Default.yaml

src/detectmatelibrary/common/_config/_compile.py

@@ -142,7 +142,7 @@ def generate_detector_config(
         detector_name: Name of the detector, used as the base instance_id.
         method_type: Type of detection method (e.g., "new_value_detector").
         **additional_params: Additional parameters for the detector's params
-            dict (e.g., comb_size=3).
+            dict (e.g., max_combo_size=3).
 
     Returns:
         Dictionary with structure compatible with detector config classes.
@@ -162,7 +162,7 @@ def generate_detector_config(
                 variable_selection={1: [("username", "src_ip"), ("var_0", "var_1")]},
                 detector_name="MyDetector",
                 method_type="new_value_combo_detector",
-                comb_size=2,
+                max_combo_size=2,
             )
     """
     var_pattern = re.compile(r"^var_(\d+)$")

src/detectmatelibrary/common/_config/_formats.py

@@ -6,16 +6,17 @@
 
 # Sub-formats ********************************************************+
 class Variable(BaseModel):
-    pos: int
-    name: str
+    pos: str | int
+    name: str = ""
     params: Dict[str, Any] = {}
 
     def to_dict(self) -> Dict[str, Any]:
         """Convert Variable to YAML-compatible dictionary."""
         result: Dict[str, Any] = {
             "pos": self.pos,
-            "name": self.name,
         }
+        if self.name:
+            result["name"] = self.name
         if self.params:
             result["params"] = self.params
         return result
@@ -38,7 +39,7 @@ def to_dict(self) -> Dict[str, Any]:
 class _EventInstance(BaseModel):
     """Configuration for a specific instance within an event."""
     params: Dict[str, Any] = {}
-    variables: Dict[int, Variable] = {}
+    variables: Dict[str | int, Variable] = {}
     header_variables: Dict[str, Header] = {}
 
     @classmethod
@@ -79,7 +80,7 @@ def _init(cls, instances_dict: Dict[str, Dict[str, Any]]) -> "_EventConfig":
         return cls(instances=instances)
 
     @property
-    def variables(self) -> Dict[int, Variable]:
+    def variables(self) -> Dict[str | int, Variable]:
         """Pass-through to first instance for compatibility."""
         if self.instances:
             return next(iter(self.instances.values())).variables

src/detectmatelibrary/common/_core_op/_fit_logic.py

@@ -74,6 +74,9 @@ def __init__(
         self._configuration_done = False
         self.config_finished = False
 
+        self._training_done = False
+        self.training_finished = False
+
         self.data_use_configure = data_use_configure
         self.data_use_training = data_use_training
 
@@ -84,6 +87,13 @@ def finish_config(self) -> bool:
 
         return False
 
+    def finish_training(self) -> bool:
+        if self._training_done and not self.training_finished:
+            self.training_finished = True
+            return True
+
+        return False
+
     def run(self) -> FitLogicState:
         if do_configure(
             data_use_configure=self.data_use_configure,
@@ -103,5 +113,7 @@ def run(self) -> FitLogicState:
             ):
                 self.data_used_train += 1
                 return FitLogicState.DO_TRAIN
+            elif self.data_used_train > 0 and not self._training_done:
+                self._training_done = True
 
         return FitLogicState.NOTHING

src/detectmatelibrary/common/core.py

@@ -54,6 +54,9 @@ def configure(
     def set_configuration(self) -> None:
         pass
 
+    def post_train(self) -> None:
+        pass
+
     def get_config(self) -> Dict[str, Any]:
         return self.config.get_config()
 
@@ -100,6 +103,9 @@ def process(self, data: BaseSchema | bytes) -> BaseSchema | bytes | None:
         if fit_state == FitLogicState.DO_TRAIN:
             logger.info(f"<<{self.name}>> use data for training")
             self.train(input_=data_buffered)
+        elif self.fitlogic.finish_training():
+            logger.info(f"<<{self.name}>> finalizing training")
+            self.post_train()
 
         output_ = self.output_schema()
         logger.info(f"<<{self.name}>> processing data")

src/detectmatelibrary/common/detector.py

@@ -3,13 +3,15 @@
 
 from detectmatelibrary.utils.data_buffer import ArgsBuffer, BufferMode
 from detectmatelibrary.utils.aux import get_timestamp
+from detectmatelibrary.utils.persistency.event_persistency import EventPersistency
 
 from detectmatelibrary.schemas import ParserSchema, DetectorSchema
 
 from typing_extensions import override
 from typing import Dict, List, Optional, Any
 
 from detectmatelibrary.utils.time_format_handler import TimeFormatHandler
+from tools.logging import logger
 
 
 _time_handler = TimeFormatHandler()
@@ -56,7 +58,7 @@ def get_configured_variables(
     # Extract template variables by position
     if hasattr(event_config, "variables"):
         for pos, var in event_config.variables.items():
-            if pos < len(input_["variables"]):
+            if isinstance(pos, int) and pos < len(input_["variables"]):
                 result[var.name] = input_["variables"][pos]
 
     # Extract header/log format variables by name
@@ -89,6 +91,45 @@ def get_global_variables(
     return result
 
 
+def validate_config_coverage(
+        detector_name: str,
+        config_events: EventsConfig | dict[str, Any],
+        persistency: EventPersistency,
+) -> None:
+    """Log warnings when configured EventIDs or variables have no training
+    data.
+
+    Args:
+        detector_name: Name of the detector (used in warning messages).
+        config_events: The detector's events configuration.
+        persistency: The persistency object populated during training.
+    """
+    config_ids = (
+        config_events.events.keys()
+        if isinstance(config_events, EventsConfig)
+        else config_events.keys()
+    )
+    if not config_ids:
+        return
+
+    events_seen = persistency.get_events_seen()
+    events_with_data = set(persistency.get_events_data().keys())
+
+    for event_id in config_ids:
+        if event_id not in events_seen:
+            logger.warning(
+                f"[{detector_name}] EventID {event_id!r} is configured but was "
+                "never observed in training data. Verify that EventIDs in your "
+                "config match those produced by the parser."
+            )
+        elif event_id not in events_with_data:
+            logger.warning(
+                f"[{detector_name}] EventID {event_id!r} was observed in training "
+                "data but no configured variables were extracted. Verify that "
+                "variable names/positions in your config match those in the data."
+            )
+
+
 class CoreDetectorConfig(CoreConfig):
     component_type: str = "detectors"
     method_type: str = "core_detector"
@@ -158,3 +199,7 @@ def configure(
     @override
     def set_configuration(self) -> None:
         pass
+
+    @override
+    def post_train(self) -> None:
+        pass

src/detectmatelibrary/detectors/__init__.py

@@ -1,10 +1,13 @@
 from .random_detector import RandomDetector, RandomDetectorConfig
 from .new_value_detector import NewValueDetector, NewValueDetectorConfig
+from .new_event_detector import NewEventDetector, NewEventDetectorConfig
 
 __all__ = [
     "random_detector",
     "RandomDetectorConfig",
     "NewValueDetector",
     "NewValueDetectorConfig",
-    "RandomDetector"
+    "RandomDetector",
+    "NewEventDetector",
+    "NewEventDetectorConfig"
 ]