SIEM→Rogue-Device Bridge

Status

Implemented. Branch feature/siem-rogue-bridge.

Taskboard OP-D088 (this feature); builds on OP-D007 (unauthorized device detection) and OP-011 (unmanaged detection / rule_evaluation).
Cross-pillar SIEM↔RMM↔Compliance demo: an unmanaged host that appears in a log is surfaced as an unauthorized device with an auditor-visible evidence trail.

Problem Statement

Rogue-device detection previously required an asset.discovered/device.discovered signal from the asset pipeline. A host that only ever appears in logs (e.g. an unmanaged laptop authenticating against a managed endpoint) was never flagged.

Architectural Intent

Bridge, don't duplicate. The SIEM normalize path emits the existing device.discovered event for an unknown source host and feeds it through the existing ingest_event → evaluate_rules (unknown_device_v1) → alert → delivery → evidence → auditor chain. No new event type, table, rule, or API.

What Was Implemented

bridge_rogue_device_from_log in log_service.py, called from process_received_log_event after create_security_alerts_for_event:

Trigger: normalized category == "authentication" and a source.ip is present in the structured fields.
Emits device.discovered (device_id/observed_ip = the source IP, hostname from source.domain/host.name/IP, deterministic fingerprint) and feeds it to ingest_event, appending any resulting alerts to the normalize result.
Idempotent per (tenant, IP): event_id = uuid5("device.discovered", tenant, ip), so repeated logs for the same host raise exactly one alert (deduped by existing_ingest_result).

Components Involved

poc/ingest_api/log_service.py (bridge_rogue_device_from_log, wiring)
Reused: ingest_service.ingest_event, rule_evaluation.evaluate_rules (unknown_device_v1)
scripts/ship_auth_log_demo.py (demo log shipper)

APIs / Events / Schemas

No new API or event. Emits the existing device.discovered (v1) and reuses the existing alert/evidence schemas. (make validate-contracts unchanged.)

Deployment Notes

Platform-only change; no migration. Ship sshd auth logs (with source.ip) to POST /api/v1/logs/ingest. The bundled shipper does this for the demo.

Security / Tenant Isolation

The discovery event and the resulting alert are tenant-scoped; the deterministic event_id includes tenant_id, so the same IP in two tenants yields two independent alerts. Approved devices (approved_inventory.device_id == ip) are suppressed by the existing rule.

Validation Steps

API Validation

# create a log source, then:
python scripts/ship_auth_log_demo.py --api-base <url> --token <jwt> \
  --source-id <log_source_id> --source-ip 198.51.100.5 --hostname rogue-laptop
# -> a critical "Unauthorized device detected" alert appears for 198.51.100.5

Smoke / Tests

tests/test_siem_runtime.py: unknown-host flags rogue, idempotent-per-IP, approved-device suppression, non-authentication suppression (category gate), tenant isolation.

Known Limitations

Heuristic: fires on any unknown source.ip in an authentication log. In a noisy environment this can over-flag (e.g. legitimate external clients).
Detection is per-IP; it does not yet correlate the IP to a known asset's addresses.

Follow-Up Work

Allowlists / CIDR exclusions and correlation to known asset IPs to cut false positives.
Extend beyond authentication to other host-revealing categories as needed.

Acceptance Criteria Mapping

OP-D088 — a log naming an unknown host produces an auditor-visible unauthorized-device alert via the existing detection chain, deduped per host. Satisfied by the bridge + the five DoD tests above.

Status​

Related Requirements​

Problem Statement​

Architectural Intent​

What Was Implemented​

Components Involved​

APIs / Events / Schemas​

Deployment Notes​

Security / Tenant Isolation​

Validation Steps​

API Validation​

Smoke / Tests​

Known Limitations​

Follow-Up Work​

Acceptance Criteria Mapping​