-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathschema.sql
More file actions
351 lines (299 loc) · 12.7 KB
/
schema.sql
File metadata and controls
351 lines (299 loc) · 12.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
-- Proxilion MCP Security Gateway - PostgreSQL Schema
--
-- This schema stores analytics, audit logs, and threat intelligence
-- for the Proxilion MCP Security Gateway.
--
-- Usage: Automatically loaded by docker-compose.yml on first start
-- ============================================================================
-- Sessions Table - Track all active and historical sessions
-- ============================================================================
CREATE TABLE IF NOT EXISTS sessions (
-- Identifiers
session_id VARCHAR(255) PRIMARY KEY,
user_id VARCHAR(255) NOT NULL,
org_id VARCHAR(255),
-- Timestamps
created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
last_activity TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
terminated_at TIMESTAMP,
-- Session stats
total_requests INTEGER NOT NULL DEFAULT 0,
blocked_requests INTEGER NOT NULL DEFAULT 0,
alerted_requests INTEGER NOT NULL DEFAULT 0,
max_threat_score DECIMAL(5,2) NOT NULL DEFAULT 0.0,
-- Status
status VARCHAR(50) NOT NULL DEFAULT 'active',
termination_reason TEXT,
-- Indexes for fast lookups
CONSTRAINT sessions_status_check CHECK (status IN ('active', 'terminated', 'expired'))
);
CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id);
CREATE INDEX IF NOT EXISTS idx_sessions_org_id ON sessions(org_id);
CREATE INDEX IF NOT EXISTS idx_sessions_created_at ON sessions(created_at);
CREATE INDEX IF NOT EXISTS idx_sessions_status ON sessions(status);
-- ============================================================================
-- Events Table - All analyzed tool calls (full audit log)
-- ============================================================================
CREATE TABLE IF NOT EXISTS events (
-- Identifiers
event_id BIGSERIAL PRIMARY KEY,
session_id VARCHAR(255) NOT NULL REFERENCES sessions(session_id) ON DELETE CASCADE,
user_id VARCHAR(255) NOT NULL,
-- Timestamp
timestamp TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-- Tool call details
tool_type VARCHAR(100) NOT NULL,
command TEXT,
args JSONB,
full_tool_call JSONB NOT NULL,
-- Analysis results
threat_score DECIMAL(5,2) NOT NULL,
decision VARCHAR(50) NOT NULL,
patterns_detected TEXT[],
analyzer_results JSONB,
-- Semantic analysis (if used)
semantic_analysis_used BOOLEAN NOT NULL DEFAULT false,
semantic_risk_boost DECIMAL(5,2),
semantic_reasoning TEXT,
-- Action taken
was_blocked BOOLEAN NOT NULL DEFAULT false,
was_alerted BOOLEAN NOT NULL DEFAULT false,
CONSTRAINT events_decision_check CHECK (decision IN ('Allow', 'Alert', 'Block', 'Terminate'))
);
CREATE INDEX IF NOT EXISTS idx_events_session_id ON events(session_id);
CREATE INDEX IF NOT EXISTS idx_events_user_id ON events(user_id);
CREATE INDEX IF NOT EXISTS idx_events_timestamp ON events(timestamp);
CREATE INDEX IF NOT EXISTS idx_events_threat_score ON events(threat_score);
CREATE INDEX IF NOT EXISTS idx_events_decision ON events(decision);
CREATE INDEX IF NOT EXISTS idx_events_tool_type ON events(tool_type);
CREATE INDEX IF NOT EXISTS idx_events_blocked ON events(was_blocked);
-- ============================================================================
-- Threats Table - Only events with threat_score >= 50 (deduplicated view)
-- ============================================================================
CREATE TABLE IF NOT EXISTS threats (
threat_id BIGSERIAL PRIMARY KEY,
event_id BIGINT NOT NULL REFERENCES events(event_id) ON DELETE CASCADE,
session_id VARCHAR(255) NOT NULL REFERENCES sessions(session_id) ON DELETE CASCADE,
user_id VARCHAR(255) NOT NULL,
-- Timestamp
detected_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-- Threat details
threat_score DECIMAL(5,2) NOT NULL,
threat_category VARCHAR(100),
primary_pattern TEXT NOT NULL,
all_patterns TEXT[],
-- Context
command_summary TEXT NOT NULL,
attack_phase VARCHAR(100),
CONSTRAINT threats_score_check CHECK (threat_score >= 50.0)
);
CREATE INDEX IF NOT EXISTS idx_threats_session_id ON threats(session_id);
CREATE INDEX IF NOT EXISTS idx_threats_user_id ON threats(user_id);
CREATE INDEX IF NOT EXISTS idx_threats_detected_at ON threats(detected_at);
CREATE INDEX IF NOT EXISTS idx_threats_score ON threats(threat_score);
CREATE INDEX IF NOT EXISTS idx_threats_category ON threats(threat_category);
-- ============================================================================
-- Blocks Table - Blocked requests (threat_score >= 70)
-- ============================================================================
CREATE TABLE IF NOT EXISTS blocks (
block_id BIGSERIAL PRIMARY KEY,
event_id BIGINT NOT NULL REFERENCES events(event_id) ON DELETE CASCADE,
session_id VARCHAR(255) NOT NULL REFERENCES sessions(session_id) ON DELETE CASCADE,
user_id VARCHAR(255) NOT NULL,
-- Timestamp
blocked_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-- Block details
threat_score DECIMAL(5,2) NOT NULL,
block_reason TEXT NOT NULL,
patterns TEXT[],
-- Tool call that was blocked
blocked_command TEXT NOT NULL,
CONSTRAINT blocks_score_check CHECK (threat_score >= 70.0)
);
CREATE INDEX IF NOT EXISTS idx_blocks_session_id ON blocks(session_id);
CREATE INDEX IF NOT EXISTS idx_blocks_user_id ON blocks(user_id);
CREATE INDEX IF NOT EXISTS idx_blocks_blocked_at ON blocks(blocked_at);
CREATE INDEX IF NOT EXISTS idx_blocks_score ON blocks(threat_score);
-- ============================================================================
-- Terminations Table - Terminated sessions (threat_score >= 90)
-- ============================================================================
CREATE TABLE IF NOT EXISTS terminations (
termination_id BIGSERIAL PRIMARY KEY,
session_id VARCHAR(255) NOT NULL REFERENCES sessions(session_id) ON DELETE CASCADE,
user_id VARCHAR(255) NOT NULL,
org_id VARCHAR(255),
-- Timestamp
terminated_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-- Termination details
trigger_event_id BIGINT REFERENCES events(event_id) ON DELETE SET NULL,
final_threat_score DECIMAL(5,2) NOT NULL,
termination_reason TEXT NOT NULL,
-- Session context at termination
total_requests INTEGER NOT NULL,
blocked_requests INTEGER NOT NULL,
attack_phases TEXT[],
CONSTRAINT terminations_score_check CHECK (final_threat_score >= 90.0)
);
CREATE INDEX IF NOT EXISTS idx_terminations_user_id ON terminations(user_id);
CREATE INDEX IF NOT EXISTS idx_terminations_org_id ON terminations(org_id);
CREATE INDEX IF NOT EXISTS idx_terminations_terminated_at ON terminations(terminated_at);
-- ============================================================================
-- API Usage Table - Track Claude API usage and costs
-- ============================================================================
CREATE TABLE IF NOT EXISTS api_usage (
usage_id BIGSERIAL PRIMARY KEY,
event_id BIGINT REFERENCES events(event_id) ON DELETE SET NULL,
session_id VARCHAR(255),
user_id VARCHAR(255) NOT NULL,
-- Timestamp
timestamp TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-- API details
api_provider VARCHAR(50) NOT NULL DEFAULT 'anthropic',
model_used VARCHAR(100) NOT NULL,
prompt_tokens INTEGER NOT NULL,
completion_tokens INTEGER NOT NULL,
total_tokens INTEGER NOT NULL,
-- Cost tracking (in USD)
estimated_cost DECIMAL(10,6) NOT NULL,
-- Request details
request_type VARCHAR(50) NOT NULL DEFAULT 'semantic_analysis',
cache_hit BOOLEAN NOT NULL DEFAULT false
);
CREATE INDEX IF NOT EXISTS idx_api_usage_user_id ON api_usage(user_id);
CREATE INDEX IF NOT EXISTS idx_api_usage_timestamp ON api_usage(timestamp);
CREATE INDEX IF NOT EXISTS idx_api_usage_model ON api_usage(model_used);
-- ============================================================================
-- Statistics Views for Dashboard
-- ============================================================================
-- Daily threat statistics
CREATE OR REPLACE VIEW daily_threat_stats AS
SELECT
DATE(timestamp) as date,
COUNT(*) as total_requests,
COUNT(*) FILTER (WHERE threat_score >= 50) as threats_detected,
COUNT(*) FILTER (WHERE was_blocked) as blocked_requests,
AVG(threat_score) as avg_threat_score,
MAX(threat_score) as max_threat_score
FROM events
GROUP BY DATE(timestamp)
ORDER BY date DESC;
-- Hourly threat statistics (last 48 hours)
CREATE OR REPLACE VIEW hourly_threat_stats AS
SELECT
DATE_TRUNC('hour', timestamp) as hour,
COUNT(*) as total_requests,
COUNT(*) FILTER (WHERE threat_score >= 50) as threats_detected,
COUNT(*) FILTER (WHERE was_blocked) as blocked_requests,
AVG(threat_score) as avg_threat_score
FROM events
WHERE timestamp >= NOW() - INTERVAL '48 hours'
GROUP BY DATE_TRUNC('hour', timestamp)
ORDER BY hour DESC;
-- Top threat patterns (last 7 days)
CREATE OR REPLACE VIEW top_threat_patterns AS
SELECT
unnest(patterns_detected) as pattern,
COUNT(*) as occurrences,
AVG(threat_score) as avg_threat_score
FROM events
WHERE timestamp >= NOW() - INTERVAL '7 days'
AND threat_score >= 50
GROUP BY pattern
ORDER BY occurrences DESC
LIMIT 50;
-- Most targeted users
CREATE OR REPLACE VIEW targeted_users AS
SELECT
user_id,
COUNT(*) as total_requests,
COUNT(*) FILTER (WHERE threat_score >= 50) as threats_detected,
COUNT(*) FILTER (WHERE was_blocked) as blocked_requests,
AVG(threat_score) as avg_threat_score,
MAX(threat_score) as max_threat_score
FROM events
WHERE timestamp >= NOW() - INTERVAL '7 days'
GROUP BY user_id
HAVING COUNT(*) FILTER (WHERE threat_score >= 50) > 0
ORDER BY threats_detected DESC
LIMIT 100;
-- Claude API cost tracking (last 30 days)
CREATE OR REPLACE VIEW api_cost_summary AS
SELECT
DATE(timestamp) as date,
api_provider,
model_used,
COUNT(*) as total_calls,
COUNT(*) FILTER (WHERE cache_hit) as cache_hits,
SUM(total_tokens) as total_tokens,
SUM(estimated_cost) as total_cost
FROM api_usage
WHERE timestamp >= NOW() - INTERVAL '30 days'
GROUP BY DATE(timestamp), api_provider, model_used
ORDER BY date DESC, total_cost DESC;
-- ============================================================================
-- Helper Functions
-- ============================================================================
-- Function to clean up old events (retention policy)
CREATE OR REPLACE FUNCTION cleanup_old_events(retention_days INTEGER DEFAULT 90)
RETURNS INTEGER AS $$
DECLARE
deleted_count INTEGER;
BEGIN
DELETE FROM events
WHERE timestamp < NOW() - (retention_days || ' days')::INTERVAL;
GET DIAGNOSTICS deleted_count = ROW_COUNT;
RETURN deleted_count;
END;
$$ LANGUAGE plpgsql;
-- Function to get session summary
CREATE OR REPLACE FUNCTION get_session_summary(p_session_id VARCHAR(255))
RETURNS TABLE (
session_id VARCHAR(255),
user_id VARCHAR(255),
total_requests INTEGER,
threats_detected INTEGER,
blocked_requests INTEGER,
max_threat_score DECIMAL(5,2),
top_patterns TEXT[]
) AS $$
BEGIN
RETURN QUERY
SELECT
s.session_id,
s.user_id,
s.total_requests,
s.alerted_requests as threats_detected,
s.blocked_requests,
s.max_threat_score,
ARRAY(
SELECT DISTINCT unnest(e.patterns_detected)
FROM events e
WHERE e.session_id = p_session_id
AND e.threat_score >= 50
LIMIT 10
) as top_patterns
FROM sessions s
WHERE s.session_id = p_session_id;
END;
$$ LANGUAGE plpgsql;
-- ============================================================================
-- Initial Data / Comments
-- ============================================================================
COMMENT ON TABLE sessions IS 'Tracks all user sessions with statistics and status';
COMMENT ON TABLE events IS 'Complete audit log of all analyzed tool calls';
COMMENT ON TABLE threats IS 'Detected threats (score >= 50) for quick analysis';
COMMENT ON TABLE blocks IS 'Blocked requests (score >= 70) for security review';
COMMENT ON TABLE terminations IS 'Terminated sessions (score >= 90) for incident response';
COMMENT ON TABLE api_usage IS 'Claude API usage tracking for cost monitoring';
-- Grant permissions to proxilion user
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO proxilion;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO proxilion;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO proxilion;
-- Success message
DO $$
BEGIN
RAISE NOTICE 'Proxilion schema created successfully!';
RAISE NOTICE 'Tables: sessions, events, threats, blocks, terminations, api_usage';
RAISE NOTICE 'Views: daily_threat_stats, hourly_threat_stats, top_threat_patterns, targeted_users, api_cost_summary';
RAISE NOTICE 'Functions: cleanup_old_events(), get_session_summary()';
END $$;