Castellan Features

Conversational AI Chat (v0.8.0)

  • Natural Language Queries - Ask questions about your security data in plain English
  • Context-Aware Responses - AI understands security context and provides relevant insights
  • Markdown Formatting - Rich text responses with code blocks, lists, and tables
  • Real-time Analysis - Query security events, patterns, and threats conversationally
  • Security Intelligence - Get threat summaries, risk assessments, and recommendations
  • Interactive Interface - Chat-based UI available in Tailwind Dashboard
  • Human-in-the-Loop Action Execution - Execute security actions directly from chat with confirmation dialogs
  • Multi-Turn Conversations - Database-backed conversation history with archiving and ratings
  • Smart Features - Citations to security events, suggested actions, follow-up questions

Action Execution System (v0.8.0)

  • Human-in-the-Loop Security Actions - Execute security actions with full rollback capability
  • Action Types - BlockIP, IsolateHost, QuarantineFile, AddToWatchlist, CreateTicket
  • Lifecycle Management - Suggested → Pending → Executed → RolledBack/Failed/Expired
  • State Capture - Automatic before/after state snapshots for reliable rollback operations
  • Execution Logs - Detailed audit trail with timestamps and user attribution
  • Confirmation Dialogs - User confirmation required before action execution
  • Rollback Windows - Configurable undo periods (1-72 hours) per action type
  • Action History - Complete action lifecycle tracking with filtering and search
  • Database Integration - Full persistence with foreign key relationships and transaction support

Intelligent Log Analysis

  • EventLogWatcher Real-time Collection - Interrupt-driven Windows Event Log monitoring with sub-second latency
  • Zero Event Loss - Bookmark-based persistence ensures no missed events across service restarts
  • Multi-Channel Support - Security, Sysmon, PowerShell, and Windows Defender event monitoring
  • AI-Powered Threat Analysis - LLM-based event classification with external threat intelligence
    • Multi-Model Ensemble (v0.7.0) - LLM factory pattern with support for parallel/sequential multi-model predictions for 20-30% accuracy improvement
      • Factory Pattern Architecture - ILlmClientFactory creates model-specific clients with full decorator chain (Base → Resilience → StrictJson → Telemetry)
      • Model Diversity - Supports calling multiple models (llama3.1, mistral, gemma2) with independent client instances
      • Voting Strategies - Majority voting (categorical fields), weighted voting, unanimous voting with configurable weights
      • Confidence Aggregation - Mean, median, min, max, weighted_mean strategies for numerical field aggregation
      • Graceful Degradation - Multi-level fallback when models fail or don't reach quorum (MinimumQuorum 2-3)
      • Statistics Tracking - Monitors model performance, success rates, failure counts, and response times per model
      • Parallel/Sequential Execution - Configurable execution mode with timeout controls for performance optimization
      • Provider Support - Works with both Ollama (local) and OpenAI providers with provider-specific configurations
    • Embedding Cache (v0.7.0) - Hash-keyed LRU cache reduces embedding API calls by 30-70% with SHA256-based keys and stampede prevention
    • Polly Resilience Patterns (v0.7.0) - Retry with exponential backoff, circuit breaker, and timeout for zero cascading failures and 97%+ reliability
    • Layered Decorator Architecture - Composable enhancements: Base → Resilience → Cache with independent feature flags
    • Graceful Degradation - Failed AI calls return empty results instead of crashing the pipeline
    • Statistics APIs - Monitoring endpoints for cache hit rates, circuit breaker status, retry metrics, and ensemble performance
  • Vector Search - Semantic similarity search using Qdrant vector database for correlation
  • Advanced Correlation Engine - Background intelligence system with ML.NET-powered pattern detection
  • File Threat Scanning - Real-time malware detection with VirusTotal integration and local heuristics
  • MITRE ATT&CK Integration - 800+ techniques with configuration management and import functionality

Security Detection

  • Anomaly Detection - Machine learning-based behavioral analysis with vector similarity
  • Automated Response - Real-time threat response with configurable actions and escalation
  • MITRE ATT&CK Mapping - Automatic threat technique classification with 800+ techniques
  • Security Event Rules Management - Database-backed detection rules with web UI (v0.7.0)
    • Rule Storage - EF Core-backed rule store with 15-minute in-memory caching
    • Full CRUD API - Complete REST API at /api/security-event-rules with role-based access
    • Web Interface - Tailwind Dashboard UI positioned under "Security Events" in navigation
    • Rule Properties - EventId, Channel, EventType, RiskLevel, Confidence, Summary, MITRE Techniques, Recommended Actions, Priority, Tags
    • Flexible Filtering - Query by enabled status, event ID, or channel for targeted rule retrieval
    • Cache Management - Automatic cache refresh on modifications with manual refresh endpoint
    • Real-time Integration - Used by SecurityEventDetector for live event analysis and enrichment
  • YARA Real-time Malware Detection - Complete signature-based malware detection system with dnYara 2.1.0 library
  • YARA Configuration Management - Advanced rule source management with automatic updates
    • Editable Rule Sources - Dynamic add/remove functionality for malware detection rule source URLs
    • Source URL Management - Text field interface for configuring malware signature sources
    • Auto-Update Configuration - Configurable frequency (1-365 days) with DailyRefreshHostedService
    • Real Import Processing - Actual rule import with deduplication via UPSERT logic
    • Database Consolidation - Single centralized database at /data/castellan.db
    • Rule Deduplication - Automatic prevention of duplicate rules using ON CONFLICT(Name) DO UPDATE
    • Performance Preservation - Hit counts, metrics, and user preferences maintained across updates
    • Database-Level Pagination - 70-80% faster malware detection rule loading (1-3s vs 7-10s)
  • Tailwind Dashboard Interface - Complete web UI for rule management and match analysis
  • Full CRUD Operations - REST API and web interface for all rule operations
  • Performance Metrics - Thread-safe scanning with execution time tracking
  • Match History - Complete audit trail with detailed forensic analysis
  • Advanced Filtering - Category-based organization with color-coded threat levels
  • Tier 1 Threat Intelligence - Fully operational VirusTotal, MalwareBazaar, and AlienVault OTX integration for enhanced malware detection
  • IP Reputation & Geolocation - MaxMind GeoLite2 database integration with automated downloads, real IP geolocation, ASN data, and secure HTTP Basic Authentication

Monitoring & Analysis

  • Advanced Search & Filtering - Comprehensive security event search system with complete v0.5.0 implementation
    • Enhanced Search Interface - Advanced search drawer with collapsible sections and intuitive controls
    • Multi-Criteria Filtering - Date ranges, risk levels, event types, MITRE ATT&CK techniques, machines, users, sources
    • Full-Text Search - High-performance SQLite FTS5 with exact match and fuzzy search options
    • MITRE Technique Filtering - 25+ common security techniques organized by tactic categories with multi-select
    • Numeric Range Filters - Confidence, correlation, burst, and anomaly score filtering with dual sliders
    • URL Synchronization - Bookmarkable and shareable search states with persistent filters and real-time URL updates
    • Search History - Recently used search queries with quick access and one-click reapplication
    • Saved Searches - Bookmark frequently used search configurations with custom names and descriptions
    • Search Management - Full CRUD operations for saved searches with backend persistence
    • Real-time Results - Search summaries with performance metrics, result counts, and loading states
    • Export Integration - Direct CSV, JSON, XLSX export from filtered results with applied search criteria
    • Professional UI - Responsive Material-UI drawer interface with accordion sections and error handling
  • Real-time Dashboard with Data Consolidation - Single SignalR stream replaces 4+ REST API calls with 80%+ faster load times
  • Live System Monitoring - Real-time system health, performance metrics, and threat intelligence status via SignalR WebSocket
  • Dashboard Performance Optimization - Consolidated dashboard data delivery every 30 seconds with automatic fallback to REST API
  • Enhanced Performance Dashboard - Full-stack monitoring with 7 API endpoints, real-time charts, and configurable alerts
  • Threat Intelligence Health Dashboard - Comprehensive service health monitoring for VirusTotal, MalwareBazaar, and OTX
  • Timeline Visualization - Interactive security event timeline analysis
    • Granular Time Controls - Minute, hour, day, week, month granularity selection
    • Date Range Filtering - Precise datetime selection with native browser controls
    • Real-time Data Refresh - Loading states with manual and automatic refresh options
    • Summary Statistics - Risk level breakdown and event type analysis
    • Responsive Design - Two-column layout with timeline chart and summary panels
    • API Integration - Timeline, events, heatmap, stats, and anomaly detection endpoints
  • Advanced Correlation Engine - Background intelligence system that enhances existing security workflows
    • Invisible Operation - Runs automatically via CorrelationBackgroundService without user intervention
    • Event Enhancement - Security events automatically enriched with correlation indicators and context
    • ML.NET Integration - K-means clustering with 8-feature vector analysis for pattern detection
    • Background Processing - Continuous analysis every 5 minutes with ML training every 24 hours
    • Risk Intelligence - Automatic risk level upgrades based on correlation types (attack chains, lateral movement)
    • Temporal Burst Detection - Identifies rapid event sequences from same source
    • Brute Force Attack Detection - Recognizes failed authentication patterns followed by success
    • Lateral Movement Detection - Tracks similar activities across multiple machines
    • Attack Chain Analysis - Sequential attack pattern recognition with MITRE ATT&CK mapping
    • Smart Notifications - Correlation-aware alerts with adaptive throttling and confidence filtering
    • API Access - Statistics and configuration endpoints for monitoring correlation performance
  • Threat Pattern Recognition - AI-powered identification of attack sequences with MITRE technique classification
  • Performance Monitoring - System health and security service status with real-time dashboards
  • Persistent Storage - 24-hour rolling window with automatic restart recovery
  • Application Data Management - SQLite database with FTS5 full-text search for enhanced performance, MITRE ATT&CK techniques, and unified security event storage

Notifications & Interface

  • Teams/Slack Integration - Real-time security alerts in Microsoft Teams and Slack channels
  • Customizable Notification Templates (v0.7.0) - Production-ready message templates with dynamic tag support
    • 8 Default Templates - 4 template types (SecurityEvent, SystemAlert, HealthWarning, PerformanceAlert) × 2 platforms (Teams, Slack)
    • Rich Formatting - Visual separators (━━━━━), organized sections with emoji headers (📋, 🖥️, 📊, 🎯, ✅)
    • Dynamic Tags - 15+ supported tags including {{DATE}}, {{HOST}}, {{USER}}, {{EVENT_ID}}, {{SEVERITY}}, {{SUMMARY}}, {{MITRE_TECHNIQUES}}, {{RECOMMENDED_ACTIONS}}
    • Formatting Tags - {{BOLD:text}}, {{LINK:url|text}} for platform-specific formatting
    • Template Management UI - Edit templates via Configuration → Notifications → Message Templates
    • Template Validation - Real-time syntax validation with error messages
    • Live Preview - Preview rendered templates with sample data
    • JSON Persistence - Templates stored at data/notification-templates.json
    • API Endpoints - Full CRUD REST API at /api/notification-templates
    • Auto-Creation - Templates created automatically on first Worker startup via TemplateInitializationService
  • Enhanced Performance Dashboard - Full-featured performance monitoring with real-time metrics, multi-timeframe analytics (1h-7d), and interactive charts
  • Threat Intelligence Health Dashboard - Service status monitoring with API rate limiting, cache efficiency, and automated alerting
  • Primary Tailwind Dashboard (Port 3000) - Modern security monitoring interface with instant page loads (v0.7.0)
    • Dashboard Overview - Real-time metrics including Open Events, Critical Threats, Malware Detection Rules, Threat Scans, Events/24h, System Status
    • Enhanced Security Events - Complete event list with machine, user, MITRE, correlation scores, and IP addresses
    • Security Event Detail - Full event information with rich context and related events
    • Timeline Visualization - Interactive security event timeline with 24-hour scope and granular analysis
    • MITRE ATT&CK Management - Browse, search, and import 800+ techniques with detail views
    • Malware Detection Rules Management - Enable/disable rules, import validation, and statistics
    • Threat Scanner Interface - Complete scanning interface with history, progress tracking, and scan controls
    • System Status Dashboard - Component health monitoring with auto-refresh and status indicators
    • Configuration Center - Multi-tab settings for Threat Intel, Notifications, IP Enrichment, YARA, MITRE, Threat Scanner
    • React Query Caching - 30min memory retention, 24h localStorage persistence for <50ms page loads
    • SignalR Real-time Updates - Live data streams for dashboard, events, and scan progress
    • Dark Mode Support - Complete dark theme implementation across all pages
    • Responsive Design - Mobile-friendly layouts with Tailwind CSS
  • Tailwind Dashboard Interface with Instant Page Loading (Port 8080 - Legacy) - Complete management system with all 11 admin pages fully operational and sub-150ms transitions:
    • Smart Preloading - Navigation pattern prediction with hover-based component loading
    • Enhanced Data Provider - Cache-first strategy with 90% faster data fetch times
    • Predictive Loading - 80%+ cache hit rate for predicted pages
    • Performance Optimization (v0.7.0) - 81% page load reduction (800ms → 150ms)
    • Component Memoization (v0.7.0) - 36 React components optimized with React.memo for 30-50% fewer re-renders
    • Virtual Scrolling (v0.7.0) - VirtualDatagrid handles 10,000+ rows with 60fps scrolling and <100ms render
    • Professional Card Layouts (v0.7.0) - Consistent, polished card-based show pages for Security Events, Malware Detection Rules, MITRE Techniques, and Security Event Rules
    • Database Connection Pooling (v0.7.0) - EF Core PooledDbContextFactory with automatic health monitoring for 20-30% latency reduction
    • Dashboard - Real-time security monitoring with consolidated SignalR data streaming
    • Security Events Management - List, view, edit security events with MITRE integration and real-time updates
    • Security Event Rules - Complete rule management interface with CRUD operations (v0.7.0)
    • MITRE ATT&CK Techniques - Browse and search 800+ techniques with statistics
    • Malware Detection Rules Management - Full CRUD operations with validation and performance tracking
    • YARA Matches Analysis - Detection history with forensic details and correlation
    • Timeline Visualization - Interactive security event timeline with granular time controls
    • System Status Monitoring - Component health with real-time indicators
    • Threat Scanner - Comprehensive malware scanning interface with real-time monitoring (v0.7.0)
      • On-Demand Scanning - Quick Scan (high-risk locations) and Full Scan (all drives) with async execution
      • Real-time Progress Tracking - Live scan progress with SignalR updates showing files scanned, directories, bytes processed
      • Scan History Table - Complete scan history with filtering by scan type, status, and risk level
      • SignalR Connection Status - Live/Offline indicator with automatic reconnection
      • Scan Details Modal - Comprehensive view of scan results with statistics, findings, and threat summaries
      • Scan Management - Cancel running scans, view progress, and track completion status
    • Threat Scanner Configuration - Complete scheduled scanning and exclusions management (v0.7.0)
      • Scheduled Scans - Configurable scan intervals (days/hours) with TimeSpan format support
      • Scan Scheduler Status - Real-time status showing last scan, next scan, and current operation
      • Quarantine Settings - Enable/disable quarantine with configurable directory for suspicious files
      • Performance Settings - Max concurrent files (1-100), max file size (1-1000 MB), notification threshold
      • Scan Exclusions - Directory and file extension exclusion management with add/remove interface
      • Auto-Refresh Status - Scanner status updates every 30 seconds for current state monitoring
    • Configuration Management - Teams/Slack webhook integration and system settings
    • Enhanced Menu System - Component preloading with MenuWithPreloading for instant navigation
    • Permission-Based Access Control - Role and permission-based menu visibility and page access
  • Configuration Management - Centralized configuration system with tabbed interface
    • Threat Intelligence Tab - VirusTotal, MalwareBazaar, AlienVault OTX configuration panels
    • IP Enrichment Tab - MaxMind GeoLite2 configuration with automated database downloads
    • YARA Configuration Tab - Advanced malware detection rule source management with editable URLs and auto-update settings
    • Notifications Tab - Teams and Slack webhook configuration with notification type controls
    • Secure API Key Management - Password-type fields with show/hide functionality for sensitive credentials
    • Real-time Validation - Rate limits (1-1000/min), cache TTL (1-1440min) validation with immediate feedback
    • Persistent Storage - Backend API storage with comprehensive error handling and secure credential storage
    • Security Features - No plaintext passwords in repository, JWT authentication, environment variable support
  • Data Export - Comprehensive data export system
    • Multiple Formats - CSV, JSON, PDF export with configurable field selection
    • Background Processing - Memory-efficient streaming for large datasets
    • Export Filtering - Apply security event filters to exported data
    • Progress Tracking - Real-time export status with download notifications
    • Export Statistics - Usage metrics and export history tracking
  • Real-time Web Dashboard - Live system monitoring with SignalR-powered updates and instant page loading
  • Instant Page Loading - Sub-150ms page transitions with intelligent preloading
    • Smart Preloading System - Network and memory-aware resource loading
    • Hover Preloading - Components and data load on menu hover
    • Predictive Loading - Navigation pattern learning and prediction
    • Cache-First Strategy - 80%+ cache hit rate for instant data display
    • Background Refresh - Stale data refreshed in background without blocking UI
    • Optimized Data Provider - Intelligent caching with resource-specific TTL (5s-5m)
    • Webpack Optimization - Prefetch hints for optimal chunk loading
  • Desktop Notifications - Real-time security alerts
  • WebSocket Integration - Real-time scan progress, system health, and threat intelligence status
  • Windows Native - Optimized for Windows Event Log collection and analysis
  • Local Deployment - No cloud dependencies, runs entirely on your local infrastructure

🔌 Comprehensive REST API

  • Complete API Coverage - 20+ controllers covering all system functionality
  • Authentication API - Login, refresh, logout, and token validation endpoints
  • Security Events API - Full CRUD operations with advanced search and filtering
  • Security Event Rules API - Complete rule management with caching and role-based access (v0.7.0)
  • Advanced Search APIs - Dedicated endpoints for search history and saved searches management
  • System Monitoring APIs - Performance metrics, system status, and health check endpoints
  • Configuration APIs - Threat intelligence, notifications, and IP enrichment configuration
  • Export APIs - Multi-format data export with background processing status
  • Timeline API - Historical analysis with heatmaps, statistics, and anomaly detection
  • YARA Management APIs - Complete malware detection rule and match management
  • YARA Configuration API - Advanced rule source management and auto-update configuration
  • MITRE ATT&CK API - 800+ technique browsing, import, and security event mapping with configuration tab
  • Threat Intelligence APIs - Health monitoring and configuration for multiple providers
  • IP Enrichment API - MaxMind database management and geolocation services
  • Threat Scanner APIs - Complete scanning interface and configuration (v0.7.0)
    • /api/threat-scanner - Scan history with pagination and filtering
    • /api/threat-scanner/progress - Real-time scan progress tracking
    • /api/threat-scanner/quick-scan - Start Quick Scan (async)
    • /api/threat-scanner/full-scan - Start Full Scan (async)
    • /api/threat-scanner/cancel - Cancel running scan
    • /api/scheduledscan/config - Scheduled scan configuration management
    • /api/scheduledscan/status - Scheduler status with next/last scan times
  • Consolidated Dashboard API - Single endpoint for all dashboard data (v0.7.0)
    • /api/dashboard/consolidated/{timeRange} - Comprehensive dashboard data including security events, system status, threat scanner metadata, YARA statistics, and recent activity
  • Notification Template APIs - Customizable message template management (v0.7.0)
    • GET /api/notification-templates - List all templates
    • GET /api/notification-templates/{id} - Get specific template
    • POST /api/notification-templates - Create new template (Admin only)
    • PUT /api/notification-templates/{id} - Update template (Admin only)
    • DELETE /api/notification-templates/{id} - Delete template (Admin only)
    • POST /api/notification-templates/validate - Validate template syntax
    • POST /api/notification-templates/preview - Preview rendered template with sample data

Enterprise Security

  • BCrypt Password Hashing - Industry-standard password security with configurable work factors
  • JWT Token Management - Secure refresh token rotation and server-side invalidation
  • Token Blacklisting - Real-time token revocation with automatic cleanup
  • Password Complexity Validation - Comprehensive password strength requirements
  • Audit Trail - Complete authentication event logging for security monitoring
  • Configuration Validation - Startup validation prevents deployment with invalid security settings
  • Error Handling - Consistent security error responses with correlation tracking