gomcp/internal/application/shadow_ai/correlation.go

package shadow_ai

import (
	"time"

	domsoc "github.com/syntrex-lab/gomcp/internal/domain/soc"
)

// ShadowAICorrelationRules returns SOC correlation rules specific to Shadow AI
// detection. These integrate into the existing SOC correlation engine.
func ShadowAICorrelationRules() []domsoc.SOCCorrelationRule {
	return []domsoc.SOCCorrelationRule{
		{
			ID:                 "SAI-CR-001",
			Name:               "Multi-Service Shadow AI",
			RequiredCategories: []string{"shadow_ai_usage"},
			MinEvents:          3,
			TimeWindow:         10 * time.Minute,
			Severity:           domsoc.SeverityHigh,
			KillChainPhase:     "Reconnaissance",
			MITREMapping:       []string{"T1595"},
			Description:        "User accessing 3+ distinct AI services within 10 minutes. Indicates active AI tool exploration or data shopping across providers.",
		},
		{
			ID:                 "SAI-CR-002",
			Name:               "Shadow AI + Data Exfiltration",
			RequiredCategories: []string{"shadow_ai_usage", "exfiltration"},
			MinEvents:          2,
			TimeWindow:         15 * time.Minute,
			Severity:           domsoc.SeverityCritical,
			KillChainPhase:     "Exfiltration",
			MITREMapping:       []string{"T1041", "T1567"},
			Description:        "Shadow AI usage followed by data exfiltration attempt. Possible corporate data leakage via unauthorized AI services.",
		},
		{
			ID:                 "SAI-CR-003",
			Name:               "Shadow AI Volume Spike",
			RequiredCategories: []string{"shadow_ai_usage"},
			MinEvents:          10,
			TimeWindow:         1 * time.Hour,
			Severity:           domsoc.SeverityHigh,
			KillChainPhase:     "Actions on Objectives",
			MITREMapping:       []string{"T1048"},
			Description:        "10+ shadow AI events from same source within 1 hour. Indicates bulk data transfer to external AI service.",
		},
		{
			ID:                 "SAI-CR-004",
			Name:               "Shadow AI After Hours",
			RequiredCategories: []string{"shadow_ai_usage"},
			MinEvents:          2,
			TimeWindow:         30 * time.Minute,
			Severity:           domsoc.SeverityMedium,
			KillChainPhase:     "Persistence",
			MITREMapping:       []string{"T1053"},
			Description:        "Shadow AI usage outside business hours (detected via timestamp clustering). May indicate automated scripts or insider threat.",
		},
		{
			ID:                 "SAI-CR-005",
			Name:               "Integration Failure Chain",
			RequiredCategories: []string{"integration_health"},
			MinEvents:          3,
			TimeWindow:         5 * time.Minute,
			Severity:           domsoc.SeverityCritical,
			KillChainPhase:     "Defense Evasion",
			MITREMapping:       []string{"T1562"},
			Description:        "3+ integration health failures in 5 minutes. Possible attack on enforcement infrastructure to blind Shadow AI detection.",
		},
		{
			ID:                 "SAI-CR-006",
			Name:               "Shadow AI + PII Leak",
			RequiredCategories: []string{"shadow_ai_usage", "pii_leak"},
			MinEvents:          2,
			TimeWindow:         10 * time.Minute,
			Severity:           domsoc.SeverityCritical,
			KillChainPhase:     "Exfiltration",
			MITREMapping:       []string{"T1567.002"},
			Description:        "Shadow AI usage combined with PII leak detection. GDPR/regulatory violation in progress — immediate response required.",
		},
		{
			ID:                 "SAI-CR-007",
			Name:               "Shadow AI Evasion Attempt",
			SequenceCategories: []string{"shadow_ai_usage", "evasion"},
			MinEvents:          2,
			TimeWindow:         10 * time.Minute,
			Severity:           domsoc.SeverityHigh,
			KillChainPhase:     "Defense Evasion",
			MITREMapping:       []string{"T1090", "T1573"},
			Description:        "Shadow AI usage followed by evasion technique (VPN, proxy chaining, encoding). User attempting to bypass detection.",
		},
		{
			ID:                 "SAI-CR-008",
			Name:               "Cross-Department AI Usage",
			RequiredCategories: []string{"shadow_ai_usage"},
			MinEvents:          5,
			TimeWindow:         30 * time.Minute,
			Severity:           domsoc.SeverityMedium,
			CrossSensor:        true,
			KillChainPhase:     "Lateral Movement",
			MITREMapping:       []string{"T1021"},
			Description:        "Shadow AI events from 5+ distinct network segments/sensors within 30 minutes. Indicates coordinated policy circumvention or compromised credentials used across departments.",
		},
		// Severity trend: escalating shadow AI event severity
		{
			ID:             "SAI-CR-009",
			Name:           "Shadow AI Escalation",
			SeverityTrend:  "ascending",
			TrendCategory:  "shadow_ai_usage",
			MinEvents:      3,
			TimeWindow:     30 * time.Minute,
			Severity:       domsoc.SeverityCritical,
			KillChainPhase: "Exploitation",
			MITREMapping:   []string{"T1059"},
			Description:    "Ascending severity pattern in Shadow AI events: user escalating from casual browsing to bulk data uploads. Crescendo data theft in progress.",
		},
	}
}