feat: Apply Risk scores to devices #1020

Open
opened 2026-03-28 04:30:53 +00:00 by mfreeman451 · 3 comments
Owner

Imported from GitHub.

Original GitHub issue: #2821
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/2821
Original created: 2026-02-13T06:45:55Z


Is your feature request related to a problem?

  • AlienVault threat intelligence integration
  • Event stream integration

A little bit more about the event stream integration, this will go into a new GH issue, but right now UniFi is sending us syslog messages when the IDS blocks threats, currently it's picking up ServiceRadar trying to do a portscan on a bunch of internal LAN devices, blocks it, generates the log, we create an event and then an alert. We should be able to automatically mark a device at risk if we can match the alert to a device kinda thing. Same thing with the AlienVault stuff and NetFlow, and any future integrations like falco or trivy, should have the same capability, so we need to create some kinda framework here to handle all of this that can be used throughout the entire system, will probably live in the Elixir world.

Describe the solution you'd like

A clear and concise description of what you want to happen.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context or screenshots about the feature request here.

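The pipeline the issue describes (an integration emits an event, the event is matched to an inventory device, the device is marked at risk) as an added sketch in Go. This is not code from the issue or from the ServiceRadar project, and the issue expects the real framework to live on the Elixir side; the RiskEvent shape, the per-source weights, the half-life decay, the inventory map and the 10.0.0.x addresses are all assumptions constructed for the example. Normalizing a raw UniFi syslog line into a RiskEvent is assumed to happen upstream.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// RiskEvent is the normalized form every integration (UniFi IDS syslog, AlienVault,
// NetFlow, a future falco or trivy feed) is reduced to before it touches a score.
type RiskEvent struct {
	Source   string    // integration that produced the event
	DeviceIP string    // address used to match the event to a known device
	Severity int       // 1 (informational) .. 5 (critical), mapped per source
	At       time.Time
}

// sourceWeight scales each integration's severity (illustrative values, not project defaults).
var sourceWeight = map[string]float64{"unifi_ids": 1.0, "alienvault": 0.8, "netflow": 0.5}

// DeviceRisk is the running score for one inventory device.
type DeviceRisk struct {
	Score    float64
	LastSeen time.Time // instant the score was last updated; decay is measured from here
}

// RiskRegistry matches events to inventory and keeps a decaying score per device.
type RiskRegistry struct {
	byIP      map[string]string // inventory: IP -> device ID (constructed for the example)
	risk      map[string]*DeviceRisk
	halfLife  time.Duration // how fast an old signal fades
	threshold float64       // score at or above which a device counts as at risk
}

func NewRiskRegistry(inventory map[string]string, halfLife time.Duration, threshold float64) *RiskRegistry {
	return &RiskRegistry{byIP: inventory, risk: map[string]*DeviceRisk{}, halfLife: halfLife, threshold: threshold}
}

// decay applies exponential half-life decay to a score between two instants.
func decay(score float64, last, now time.Time, halfLife time.Duration) float64 {
	if last.IsZero() || !now.After(last) {
		return score
	}
	return score * math.Pow(0.5, now.Sub(last).Seconds()/halfLife.Seconds())
}

// Apply folds one event into the matching device's score. An IP not in inventory is
// reported as unmatched rather than scored, so an unknown host never becomes a phantom device.
func (r *RiskRegistry) Apply(ev RiskEvent) (deviceID string, matched bool) {
	id, ok := r.byIP[ev.DeviceIP]
	if !ok {
		return "", false
	}
	d, ok := r.risk[id]
	if !ok {
		d = &DeviceRisk{}
		r.risk[id] = d
	}
	w, known := sourceWeight[ev.Source]
	if !known {
		w = 0.5 // conservative default for an integration with no configured weight
	}
	d.Score = decay(d.Score, d.LastSeen, ev.At, r.halfLife) + w*float64(ev.Severity)
	if ev.At.After(d.LastSeen) {
		d.LastSeen = ev.At
	}
	return id, true
}

// ScoreAt returns a device's score decayed to the given instant (0 if never scored).
func (r *RiskRegistry) ScoreAt(deviceID string, now time.Time) float64 {
	if d, ok := r.risk[deviceID]; ok {
		return decay(d.Score, d.LastSeen, now, r.halfLife)
	}
	return 0
}

// AtRisk lists devices whose decayed score meets the threshold, sorted for stable output.
func (r *RiskRegistry) AtRisk(now time.Time) []string {
	var out []string
	for id := range r.risk {
		if r.ScoreAt(id, now) >= r.threshold {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed scenario: the IDS blocks a scan from 10.0.0.5, then a threat feed hits the same host an hour later.
	t0 := time.Date(2026, 2, 13, 6, 0, 0, 0, time.UTC)
	reg := NewRiskRegistry(map[string]string{"10.0.0.5": "dev-radar", "10.0.0.20": "dev-printer"}, 24*time.Hour, 5.0)
	reg.Apply(RiskEvent{Source: "unifi_ids", DeviceIP: "10.0.0.5", Severity: 4, At: t0})
	reg.Apply(RiskEvent{Source: "alienvault", DeviceIP: "10.0.0.5", Severity: 3, At: t0.Add(time.Hour)})
	fmt.Println(reg.AtRisk(t0.Add(time.Hour)))
}
```

Two design points worth keeping whatever language the real framework lands in: an event whose address is not in inventory is returned as unmatched instead of creating a device, so noisy feeds cannot inflate the inventory, and the score decays with a half-life so a device that was scanned once last month does not stay flagged forever without fresh evidence.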
Author
Owner

Imported GitHub comment.

Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/2821#issuecomment-3895211880
Original created: 2026-02-13T06:46:34Z


@marvin-hansen you might have some ideas around this as well I imagine?

Author
Owner

Imported GitHub comment.

Original author: @marvin-hansen
Original URL: https://github.com/carverauto/serviceradar/issues/2821#issuecomment-3895269726
Original created: 2026-02-13T07:07:06Z


Yea,

Let's build a multi layer compliance score based on the OECD
recommendations for financial risk scoring.

KYC - Know your crap
AML - Anti Machine Laundry Score

And then just use these as pretext to blanket ban entire countries you
don't like for some reason and only whitelist those who are tagging along.

In all seriousness, what would actually be effective is a real time
contextual risk mitigation system. Instead of scoring, you monitor device
clusters and isolate them the moment anomalous behavior starts...

And again, your contextual hypergraph becomes invaluable here to detect
temporal patterns, e.g. a spread out port scan that would otherwise evade
detection, and spatial patterns, e.g. multiple hosts trying a coordinated breach...

These are my two cents.


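The two pattern classes the comment above names, a spread-out port scan (temporal) and several hosts converging on one target (spatial), as an added Go sketch over a sliding time window. It is not code from the thread or from the project; the FlowRecord shape, the window, the thresholds and the addresses are constructed for the example, and a plain time-windowed slice stands in for the contextual hypergraph the comment refers to.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// FlowRecord is a constructed, minimal connection-attempt record of the kind
// one might derive from NetFlow or IDS logs: who tried to reach what, and when.
type FlowRecord struct {
	Src, Dst string
	Port     int
	At       time.Time
}

// Finding is one detected pattern. Key is the scanning source for a slow
// scan, or the targeted destination for a coordinated attempt.
type Finding struct {
	Kind  string // "slow_scan" or "coordinated"
	Key   string
	Hosts []string // participating sources (coordinated only), sorted
	Count int
}

// PatternDetector keeps recent records in a sliding window and looks for one
// source touching many distinct dst:port pairs over time (temporal) or many
// sources converging on one destination (spatial).
type PatternDetector struct {
	window      time.Duration
	scanTargets int // distinct dst:port pairs from one source that count as a scan
	coordinated int // distinct sources against one destination that count as coordinated
	records     []FlowRecord
}

func NewPatternDetector(window time.Duration, scanTargets, coordinated int) *PatternDetector {
	return &PatternDetector{window: window, scanTargets: scanTargets, coordinated: coordinated}
}

// Observe ingests one record, evicts anything older than the window, and returns
// the patterns this record has just completed. A single record can raise a
// distinct-count by at most one, so firing on equality with the threshold reports
// each crossing exactly once rather than on every subsequent record.
func (p *PatternDetector) Observe(r FlowRecord) []Finding {
	cutoff := r.At.Add(-p.window)
	kept := p.records[:0]
	for _, old := range p.records {
		if !old.At.Before(cutoff) {
			kept = append(kept, old)
		}
	}
	p.records = append(kept, r)

	targets := map[string]struct{}{} // temporal: dst:port pairs touched by r.Src
	sources := map[string]struct{}{} // spatial: sources that touched r.Dst
	for _, x := range p.records {
		if x.Src == r.Src {
			targets[fmt.Sprintf("%s:%d", x.Dst, x.Port)] = struct{}{}
		}
		if x.Dst == r.Dst {
			sources[x.Src] = struct{}{}
		}
	}

	var out []Finding
	if len(targets) == p.scanTargets {
		out = append(out, Finding{Kind: "slow_scan", Key: r.Src, Count: len(targets)})
	}
	if len(sources) == p.coordinated {
		hosts := make([]string, 0, len(sources))
		for s := range sources {
			hosts = append(hosts, s)
		}
		sort.Strings(hosts)
		out = append(out, Finding{Kind: "coordinated", Key: r.Dst, Hosts: hosts, Count: len(hosts)})
	}
	return out
}

func main() {
	// Constructed scenario: one host probes five ports on a neighbour, one port every ten minutes.
	t0 := time.Date(2026, 2, 13, 6, 0, 0, 0, time.UTC)
	det := NewPatternDetector(time.Hour, 5, 3)
	for i, port := range []int{22, 80, 443, 445, 3389} {
		rec := FlowRecord{Src: "10.0.0.5", Dst: "10.0.0.20", Port: port, At: t0.Add(time.Duration(i) * 10 * time.Minute)}
		for _, f := range det.Observe(rec) {
			fmt.Printf("%s from %s (%d targets)\n", f.Kind, f.Key, f.Count)
		}
	}
}
```

The window length is the knob that decides how "spread out" a scan may be and still be caught: a per-packet rate limiter on the IDS sees five probes an hour as noise, whereas a one-hour window over distinct targets sees them as one scan. The memory cost grows with window length times event rate, which is where a graph store earns its keep over a flat slice.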
Author
Owner

Imported GitHub comment.

Original author: @marvin-hansen
Original URL: https://github.com/carverauto/serviceradar/issues/2821#issuecomment-3895317825
Original created: 2026-02-13T07:17:37Z


The other thing you want to consider is a pre-incident graph that tracks anomalies that may not fit an active threat but fall outside the established pattern. This might be an out-of-the-blue ping into an unknown network range, aborted TCP handshakes, etc. One graph per detected device. As these build up over time and an incident happens, you can then extract the pre-required behavior and convert it into new IDS rules to isolate devices before they become active threats. This specifically targets APT scenarios where keep-alive or CC packages flow before an attack starts.

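The per-device pre-incident graph the comment above proposes, reduced to an added Go sketch: record low-grade anomalies per device, and once incidents are known, walk back over each incident device's timeline and keep the anomalies that several of them shared, as candidates for new rules. This is not code from the thread or from the project; the Anomaly shape, the anomaly kinds, the lookback window and the 203.0.113.x / 172.16.x addresses are constructed for the example, and the rule output is a plain description for human review, not a rule in any IDS's syntax.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Anomaly is one observation that does not match an active threat but falls
// outside a device's established pattern: a ping into an unknown range, an
// aborted TCP handshake, and so on. Kinds and details are constructed here.
type Anomaly struct {
	Kind   string // e.g. "ping_unknown_range", "aborted_handshake"
	Detail string // the range, peer or port involved
	At     time.Time
}

// PreIncidentGraph keeps one anomaly timeline per device.
type PreIncidentGraph struct {
	byDevice map[string][]Anomaly
}

func NewPreIncidentGraph() *PreIncidentGraph {
	return &PreIncidentGraph{byDevice: map[string][]Anomaly{}}
}

// Record appends an anomaly to the device's timeline.
func (g *PreIncidentGraph) Record(device string, a Anomaly) {
	g.byDevice[device] = append(g.byDevice[device], a)
}

// Precursor is an anomaly kind/detail seen on several devices shortly before
// each one's incident; it is the raw material for a new detection rule.
type Precursor struct {
	Kind, Detail string
	Devices      []string // incident devices that showed it, sorted
}

// Precursors walks back `lookback` from each incident device's incident time,
// collects the anomalies in that window, and keeps those shared by at least
// minDevices incident devices. Devices without an incident are ignored, so a
// behaviour that is also common on healthy hosts is not promoted into a rule
// on the strength of the incident devices alone.
func (g *PreIncidentGraph) Precursors(incidents map[string]time.Time, lookback time.Duration, minDevices int) []Precursor {
	seen := map[[2]string]map[string]bool{} // (kind, detail) -> set of incident devices
	for device, at := range incidents {
		start := at.Add(-lookback)
		for _, a := range g.byDevice[device] {
			if a.At.Before(start) || a.At.After(at) {
				continue // outside the pre-incident window
			}
			k := [2]string{a.Kind, a.Detail}
			if seen[k] == nil {
				seen[k] = map[string]bool{}
			}
			seen[k][device] = true
		}
	}
	var out []Precursor
	for k, devs := range seen {
		if len(devs) < minDevices {
			continue
		}
		p := Precursor{Kind: k[0], Detail: k[1]}
		for d := range devs {
			p.Devices = append(p.Devices, d)
		}
		sort.Strings(p.Devices)
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Kind+out[i].Detail < out[j].Kind+out[j].Detail })
	return out
}

// RuleText renders a precursor as a human-readable candidate rule for review
// before it is translated into whatever the IDS actually consumes.
func (p Precursor) RuleText() string {
	return fmt.Sprintf("isolate device when %s toward %s is observed (preceded %d incidents)", p.Kind, p.Detail, len(p.Devices))
}

func main() {
	// Constructed scenario: two devices had incidents; both showed the same aborted handshake first.
	t0 := time.Date(2026, 2, 13, 0, 0, 0, 0, time.UTC)
	g := NewPreIncidentGraph()
	g.Record("dev-a", Anomaly{Kind: "aborted_handshake", Detail: "203.0.113.9:443", At: t0.Add(time.Hour)})
	g.Record("dev-a", Anomaly{Kind: "ping_unknown_range", Detail: "172.16.50.0/24", At: t0.Add(90 * time.Minute)})
	g.Record("dev-b", Anomaly{Kind: "aborted_handshake", Detail: "203.0.113.9:443", At: t0.Add(150 * time.Minute)})
	incidents := map[string]time.Time{"dev-a": t0.Add(2 * time.Hour), "dev-b": t0.Add(3 * time.Hour)}
	for _, p := range g.Precursors(incidents, 24*time.Hour, 2) {
		fmt.Println(p.RuleText())
	}
}
```

The minDevices threshold is what separates a precursor from a coincidence: with one incident device every oddity in its last day looks like a precursor, so in practice the extracted candidates go through review (and a check against how often the same anomaly appears on devices that never had an incident) before anything isolates a host automatically.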