gomcp/internal/application/shadow_ai/correlation.go

// Copyright 2026 Syntrex Lab. All rights reserved.
// Use of this source code is governed by an Apache-2.0 license
// that can be found in the LICENSE file.

package shadow_ai

import (
	"time"

	domsoc "github.com/syntrex-lab/gomcp/internal/domain/soc"
)

// ShadowAICorrelationRules returns SOC correlation rules specific to Shadow AI
// detection. These integrate into the existing SOC correlation engine.
func ShadowAICorrelationRules() []domsoc.SOCCorrelationRule {
	return []domsoc.SOCCorrelationRule{
		{
			ID:                 "SAI-CR-001",
			Name:               "Multi-Service Shadow AI",
			RequiredCategories: []string{"shadow_ai_usage"},
			MinEvents:          3,
			TimeWindow:         10 * time.Minute,
			Severity:           domsoc.SeverityHigh,
			KillChainPhase:     "Reconnaissance",
			MITREMapping:       []string{"T1595"},
			Description:        "User accessing 3+ distinct AI services within 10 minutes. Indicates active AI tool exploration or data shopping across providers.",
		},
		{
			ID:                 "SAI-CR-002",
			Name:               "Shadow AI + Data Exfiltration",
			RequiredCategories: []string{"shadow_ai_usage", "exfiltration"},
			MinEvents:          2,
			TimeWindow:         15 * time.Minute,
			Severity:           domsoc.SeverityCritical,
			KillChainPhase:     "Exfiltration",
			MITREMapping:       []string{"T1041", "T1567"},
			Description:        "Shadow AI usage followed by data exfiltration attempt. Possible corporate data leakage via unauthorized AI services.",
		},
		{
			ID:                 "SAI-CR-003",
			Name:               "Shadow AI Volume Spike",
			RequiredCategories: []string{"shadow_ai_usage"},
			MinEvents:          10,
			TimeWindow:         1 * time.Hour,
			Severity:           domsoc.SeverityHigh,
			KillChainPhase:     "Actions on Objectives",
			MITREMapping:       []string{"T1048"},
			Description:        "10+ shadow AI events from same source within 1 hour. Indicates bulk data transfer to external AI service.",
		},
		{
			ID:                 "SAI-CR-004",
			Name:               "Shadow AI After Hours",
			RequiredCategories: []string{"shadow_ai_usage"},
			MinEvents:          2,
			TimeWindow:         30 * time.Minute,
			Severity:           domsoc.SeverityMedium,
			KillChainPhase:     "Persistence",
			MITREMapping:       []string{"T1053"},
			Description:        "Shadow AI usage outside business hours (detected via timestamp clustering). May indicate automated scripts or insider threat.",
		},
		{
			ID:                 "SAI-CR-005",
			Name:               "Integration Failure Chain",
			RequiredCategories: []string{"integration_health"},
			MinEvents:          3,
			TimeWindow:         5 * time.Minute,
			Severity:           domsoc.SeverityCritical,
			KillChainPhase:     "Defense Evasion",
			MITREMapping:       []string{"T1562"},
			Description:        "3+ integration health failures in 5 minutes. Possible attack on enforcement infrastructure to blind Shadow AI detection.",
		},
		{
			ID:                 "SAI-CR-006",
			Name:               "Shadow AI + PII Leak",
			RequiredCategories: []string{"shadow_ai_usage", "pii_leak"},
			MinEvents:          2,
			TimeWindow:         10 * time.Minute,
			Severity:           domsoc.SeverityCritical,
			KillChainPhase:     "Exfiltration",
			MITREMapping:       []string{"T1567.002"},
			Description:        "Shadow AI usage combined with PII leak detection. GDPR/regulatory violation in progress — immediate response required.",
		},
		{
			ID:                 "SAI-CR-007",
			Name:               "Shadow AI Evasion Attempt",
			SequenceCategories: []string{"shadow_ai_usage", "evasion"},
			MinEvents:          2,
			TimeWindow:         10 * time.Minute,
			Severity:           domsoc.SeverityHigh,
			KillChainPhase:     "Defense Evasion",
			MITREMapping:       []string{"T1090", "T1573"},
			Description:        "Shadow AI usage followed by evasion technique (VPN, proxy chaining, encoding). User attempting to bypass detection.",
		},
		{
			ID:                 "SAI-CR-008",
			Name:               "Cross-Department AI Usage",
			RequiredCategories: []string{"shadow_ai_usage"},
			MinEvents:          5,
			TimeWindow:         30 * time.Minute,
			Severity:           domsoc.SeverityMedium,
			CrossSensor:        true,
			KillChainPhase:     "Lateral Movement",
			MITREMapping:       []string{"T1021"},
			Description:        "Shadow AI events from 5+ distinct network segments/sensors within 30 minutes. Indicates coordinated policy circumvention or compromised credentials used across departments.",
		},
		// Severity trend: escalating shadow AI event severity
		{
			ID:             "SAI-CR-009",
			Name:           "Shadow AI Escalation",
			SeverityTrend:  "ascending",
			TrendCategory:  "shadow_ai_usage",
			MinEvents:      3,
			TimeWindow:     30 * time.Minute,
			Severity:       domsoc.SeverityCritical,
			KillChainPhase: "Exploitation",
			MITREMapping:   []string{"T1059"},
			Description:    "Ascending severity pattern in Shadow AI events: user escalating from casual browsing to bulk data uploads. Crescendo data theft in progress.",
		},
	}
}
chore: add copyright headers, CI tests, and sanitize gitignore 2026-03-31 22:13:34 +10:00			`// Copyright 2026 Syntrex Lab. All rights reserved.`
			`// Use of this source code is governed by an Apache-2.0 license`
			`// that can be found in the LICENSE file.`

Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates 2026-03-23 16:45:40 +10:00			`package shadow_ai`

			`import (`
			`"time"`

chore: migrate module path to syntrex-lab and prepare open source release 2026-03-31 22:01:51 +10:00			`domsoc "github.com/syntrex-lab/gomcp/internal/domain/soc"`
Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates 2026-03-23 16:45:40 +10:00			`)`

			`// ShadowAICorrelationRules returns SOC correlation rules specific to Shadow AI`
			`// detection. These integrate into the existing SOC correlation engine.`
			`func ShadowAICorrelationRules() []domsoc.SOCCorrelationRule {`
			`return []domsoc.SOCCorrelationRule{`
			`{`
			`ID: "SAI-CR-001",`
			`Name: "Multi-Service Shadow AI",`
			`RequiredCategories: []string{"shadow_ai_usage"},`
			`MinEvents: 3,`
			`TimeWindow: 10 * time.Minute,`
			`Severity: domsoc.SeverityHigh,`
			`KillChainPhase: "Reconnaissance",`
			`MITREMapping: []string{"T1595"},`
			`Description: "User accessing 3+ distinct AI services within 10 minutes. Indicates active AI tool exploration or data shopping across providers.",`
			`},`
			`{`
			`ID: "SAI-CR-002",`
			`Name: "Shadow AI + Data Exfiltration",`
			`RequiredCategories: []string{"shadow_ai_usage", "exfiltration"},`
			`MinEvents: 2,`
			`TimeWindow: 15 * time.Minute,`
			`Severity: domsoc.SeverityCritical,`
			`KillChainPhase: "Exfiltration",`
			`MITREMapping: []string{"T1041", "T1567"},`
			`Description: "Shadow AI usage followed by data exfiltration attempt. Possible corporate data leakage via unauthorized AI services.",`
			`},`
			`{`
			`ID: "SAI-CR-003",`
			`Name: "Shadow AI Volume Spike",`
			`RequiredCategories: []string{"shadow_ai_usage"},`
			`MinEvents: 10,`
			`TimeWindow: 1 * time.Hour,`
			`Severity: domsoc.SeverityHigh,`
			`KillChainPhase: "Actions on Objectives",`
			`MITREMapping: []string{"T1048"},`
			`Description: "10+ shadow AI events from same source within 1 hour. Indicates bulk data transfer to external AI service.",`
			`},`
			`{`
			`ID: "SAI-CR-004",`
			`Name: "Shadow AI After Hours",`
			`RequiredCategories: []string{"shadow_ai_usage"},`
			`MinEvents: 2,`
			`TimeWindow: 30 * time.Minute,`
			`Severity: domsoc.SeverityMedium,`
			`KillChainPhase: "Persistence",`
			`MITREMapping: []string{"T1053"},`
			`Description: "Shadow AI usage outside business hours (detected via timestamp clustering). May indicate automated scripts or insider threat.",`
			`},`
			`{`
			`ID: "SAI-CR-005",`
			`Name: "Integration Failure Chain",`
			`RequiredCategories: []string{"integration_health"},`
			`MinEvents: 3,`
			`TimeWindow: 5 * time.Minute,`
			`Severity: domsoc.SeverityCritical,`
			`KillChainPhase: "Defense Evasion",`
			`MITREMapping: []string{"T1562"},`
			`Description: "3+ integration health failures in 5 minutes. Possible attack on enforcement infrastructure to blind Shadow AI detection.",`
			`},`
			`{`
			`ID: "SAI-CR-006",`
			`Name: "Shadow AI + PII Leak",`
			`RequiredCategories: []string{"shadow_ai_usage", "pii_leak"},`
			`MinEvents: 2,`
			`TimeWindow: 10 * time.Minute,`
			`Severity: domsoc.SeverityCritical,`
			`KillChainPhase: "Exfiltration",`
			`MITREMapping: []string{"T1567.002"},`
			`Description: "Shadow AI usage combined with PII leak detection. GDPR/regulatory violation in progress — immediate response required.",`
			`},`
			`{`
			`ID: "SAI-CR-007",`
			`Name: "Shadow AI Evasion Attempt",`
			`SequenceCategories: []string{"shadow_ai_usage", "evasion"},`
			`MinEvents: 2,`
			`TimeWindow: 10 * time.Minute,`
			`Severity: domsoc.SeverityHigh,`
			`KillChainPhase: "Defense Evasion",`
			`MITREMapping: []string{"T1090", "T1573"},`
			`Description: "Shadow AI usage followed by evasion technique (VPN, proxy chaining, encoding). User attempting to bypass detection.",`
			`},`
			`{`
			`ID: "SAI-CR-008",`
			`Name: "Cross-Department AI Usage",`
			`RequiredCategories: []string{"shadow_ai_usage"},`
			`MinEvents: 5,`
			`TimeWindow: 30 * time.Minute,`
			`Severity: domsoc.SeverityMedium,`
			`CrossSensor: true,`
			`KillChainPhase: "Lateral Movement",`
			`MITREMapping: []string{"T1021"},`
			`Description: "Shadow AI events from 5+ distinct network segments/sensors within 30 minutes. Indicates coordinated policy circumvention or compromised credentials used across departments.",`
			`},`
			`// Severity trend: escalating shadow AI event severity`
			`{`
			`ID: "SAI-CR-009",`
			`Name: "Shadow AI Escalation",`
			`SeverityTrend: "ascending",`
			`TrendCategory: "shadow_ai_usage",`
			`MinEvents: 3,`
			`TimeWindow: 30 * time.Minute,`
			`Severity: domsoc.SeverityCritical,`
			`KillChainPhase: "Exploitation",`
			`MITREMapping: []string{"T1059"},`
			`Description: "Ascending severity pattern in Shadow AI events: user escalating from casual browsing to bulk data uploads. Crescendo data theft in progress.",`
			`},`
			`}`
			`}`