Upgrade correlation engine to behavior-based progression model

src/correlation/attack_chain_engine.py

@@ -1,39 +1,69 @@
-from collections import defaultdict
-
-
 class AttackChainEngine:
+
     def __init__(self):
         pass
 
     def correlate(self, alerts):
         if not alerts:
             return []
 
-        normalized_alerts = []
+        TACTIC_ORDER = [
+            "Initial Access",
+            "Execution",
+            "Privilege Escalation",
+            "Persistence",
+            "Defense Evasion",
+            "Command and Control",
+            "Collection"
+        ]
 
+        # Group alerts by host
+        hosts = {}
         for alert in alerts:
-            alert["timestamp"] = alert.get("timestamp", "")
-            alert["host"] = alert.get("host", "unknown")
-            normalized_alerts.append(alert)
+            host = alert.get("host", "unknown")
+            hosts.setdefault(host, []).append(alert)
+
+        incidents = []
 
-        host_groups = defaultdict(list)
+        for host, host_alerts in hosts.items():
 
-        for alert in normalized_alerts:
-            host_groups[alert["host"]].append(alert)
+            # Sort by timestamp
+            host_alerts.sort(key=lambda x: x.get("timestamp", ""))
 
-        incidents = []
+            # Extract unique tactics in appearance order
+            progression = []
+            for alert in host_alerts:
+                tactic = alert.get("tactic")
+                if tactic and tactic not in progression:
+                    progression.append(tactic)
+
+            # Convert tactics to index order
+            order_indices = [
+                TACTIC_ORDER.index(t)
+                for t in progression
+                if t in TACTIC_ORDER
+            ]
+
+            is_progressive = order_indices == sorted(order_indices)
+            unique_tactics = len(progression)
 
-        for host, host_alerts in host_groups.items():
-            sorted_alerts = sorted(
-                host_alerts,
-                key=lambda x: x.get("timestamp", "")
-            )
+            if unique_tactics >= 4 and is_progressive:
+                confidence = "high"
+                severity = "critical"
+            elif unique_tactics >= 3:
+                confidence = "medium"
+                severity = "high"
+            else:
+                confidence = "low"
+                severity = "medium"
 
-            if len(sorted_alerts) > 1:
+            if unique_tactics >= 2:
                 incidents.append({
                     "host": host,
-                    "alert_count": len(sorted_alerts),
-                    "alerts": sorted_alerts
+                    "attack_progression": progression,
+                    "total_alerts": len(host_alerts),
+                    "confidence": confidence,
+                    "severity": severity
                 })
 
-        return incidents
+        return incidents