SMART correlations — joining the pipelines

The hub runs ~15 independent pipelines (alerts, CVE matching, kernel tracker, honeypot, integrity, detection rules, capacity, mTLS, …). Each pipeline by itself is useful; the joins between them are where the value compounds.

Shipped (mig 106 + mig 107)

1. Blast-radius CVE prioritisation

GET /api/v1/topology/exposure?map_id=...

Recursive BFS over topology_edges starting from every internet-facing node (node_type in {isp_uplink, cdn, load_balancer, waf}, or tagged public-facing). For each node it records the hop distance from the nearest internet entry point; /recommendations re-ranks CVEs accordingly, so a CVE on a node one hop from the edge outranks the same CVE deep inside the graph.

GET /api/v1/topology/node-impact/:node_id → list of compliance controls that depend on this node, with live evidence counts.

2. Capacity-as-CVE

CapacityPredictorWorker (1 h cadence) fits a linear regression (Postgres regr_slope + regr_intercept + regr_r2) on the past 30 d of disk metrics per (agent, mount_point); cert expiries within 60 d; EOL dates within 180 d. Emits predicted_capacity_findings consumed by /recommendations as capacity.disk_full / cert_expiry / eol_date.

3. Lateral-movement detection

LateralMovementWorker (60 s cadence) joins honeypot_events with auth_events, looking for a honeypot trip and a successful SSH login from a private IP that fall within ±5 min of each other. It emits detected_events rows with rule_kind=lateral_movement_suspected (MITRE T1021 + T1078), carrying the full link between both source events so the analyst can pivot to either side.

4. Compliance erosion alerts

ComplianceErosionWorker (daily) snapshots each control’s evidence count into compliance_evidence_history. When a control loses 50 % of its evidence compared with the snapshot from 7 days ago, an alert is raised in category='compliance.erosion'. This catches silently stopped workers, key-rotation regressions and accidental deletions.

5. Owner-of-the-week report

GET /api/v1/reports/owner-workload?window=7d

Aggregates open alerts / CVEs / detections / capacity findings per topology_nodes.owner_email. Useful for MSPs and team leads to spot who’s drowning. window accepts 24h | 7d | 30d | 90d.

6. False-positive learning

GET /api/v1/detection/rules/flake-stats

Per detection rule: fires_30d, quick_ack_30d (acknowledged in under 5 min), flake_rate. When the rate is >50 % and there are ≥10 fires, an opinionated suggestion is returned (e.g. “verhoog threshold van 10 naar 25”, i.e. raise the threshold from 10 to 25). Operator-driven, no auto-tuning.

7. Centrality-weighted Trust Score

CentralityRefreshWorker (hourly) walks each tenant’s topology graph and computes betweenness centrality with Brandes’ algorithm. Results are cached in topology_node_centrality. The tenant-aggregate Trust Score weights each agent’s score by (1 + centrality), so a chokepoint node counts up to 2× a leaf node. Single-point-of-failure pressure is now visible in one number.

8. AI Explain → linked actions

ai_explain_grounding.action_hints JSONB column. Per grounding row, the operator gets one-click buttons in the explain modal — open the relevant dashboard view, or jump into the emergency console pre-filled with the right EAT kind. {agent_id} placeholders are substituted client-side. Seeded examples:

  • CVE (application) → Open recommendations · Open application CVE list
  • Kernel-CVE → Open kernel-CVE pipeline · Schedule kernel update batch
  • PinTheft detection → Trigger pintheft_mitigate EAT
  • Brute-force detection → IsolateNetwork EAT
  • mTLS CN mismatch → Rotate agent token · Reissue cert

9. Time-machine diff

GET /api/v1/time-machine/diff?agent_id=&from=&to=

Pairwise diff between the two inventory_snapshots closest to the from / to timestamps. Returns packages added / removed / upgraded, services added / removed, kernel / hostname / os deltas. One call = the “what changed between Mon and Fri” forensic timeline.

Operational notes

Worker                    Cadence   Idempotent?
CapacityPredictorWorker   1 h       yes — UPSERT on (tenant, agent, kind, subject)
LateralMovementWorker     60 s      dedup window 24 h per (hp_agent, ssh_agent)
ComplianceErosionWorker   24 h      snapshot is append-only; alert dedup 7 d
CentralityRefreshWorker   1 h       full overwrite per tenant

All workers cold-start with a 2-5 min delay so the hub can finish boot before the first heavy queries fire.