WF-055: Security Incident Detection Flow
Priority: P0 (Critical) | Phase: Phase 1D - Security & Operations | Effort: 18 hours
Workflow Overview
Real-time security incident detection triggered by Pub/Sub security-events topic. Scores threats (0-100), auto-remediates high-severity incidents (≥60), alerts users and security team.
Trigger: Pub/Sub security-events | Duration: ~2-4 seconds
Threat Scoring Matrix
| Event | Score | Action |
|---|---|---|
| 10x failed logins | 90 | Lock account 1 hour |
| Unauthorized workstation access | 100 | Revoke access immediately |
| 5x failed logins | 60 | Require 2FA, notify user |
| Suspicious billing upgrade | 40 | Log only |
| Rate limit exceeded | 30 | Log only |
Phase 1: Event Detection & Scoring
Objective: Receive and assess security events in real-time
Automation Steps:
1. Receive security event from Pub/Sub
2. Score threat (0-100 based on event type)
Phase 2: High-Severity Response (Score ≥ 60)
Objective: Auto-remediate critical security incidents
Automation Steps:
3. Determine auto-remediation (lock account, revoke access, require 2FA)
4. Execute remediation
5. Email user alert
6. Slack alert to security team
7. Log incident in database
Phase 3: Low-Severity Response (Score < 60)
Objective: Audit trail for investigation
Automation Steps:
8. Log to audit logs only
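As an added example (not code from this workflow spec), the scoring and routing logic of Phases 1-3 in Python: failed logins are counted per user in a sliding window so the score escalates from 60 at five failures to 90 at ten, and a score of 60 or more takes the remediation path while anything lower is audit-logged only. The one-hour counting window, the event type names, and the zero score for unlisted or sub-threshold events are assumptions not stated on the page.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# Threshold from the workflow: score >= 60 takes the auto-remediation path.
HIGH_SEVERITY = 60

# Static rows of the scoring matrix (event type names are assumed).
# Failed logins are scored by count in _failed_login_score below.
STATIC_SCORES: Dict[str, Tuple[int, Optional[str]]] = {
    "unauthorized_workstation_access": (100, "revoke_access"),
    "suspicious_billing_upgrade": (40, None),   # log only
    "rate_limit_exceeded": (30, None),          # log only
}


@dataclass
class Decision:
    score: int
    remediation: Optional[str]
    actions: List[str]


class IncidentDetector:
    """Scores one Pub/Sub security event at a time and picks the response path."""

    def __init__(self, window_seconds: int = 3600):  # window is an assumption
        self.window = window_seconds
        self._failed: Dict[str, Deque[int]] = defaultdict(deque)  # user -> timestamps

    def _failed_login_score(self, user: str, ts: int) -> Tuple[int, Optional[str]]:
        q = self._failed[user]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= 10:
            return 90, "lock_account_1h"       # matrix: 10x failed logins
        if len(q) >= 5:
            return 60, "require_2fa"           # matrix: 5x failed logins
        return 0, None                         # below matrix threshold (assumption)

    def handle(self, event: dict) -> Decision:
        if event["type"] == "failed_login":
            score, rem = self._failed_login_score(event["user"], event["ts"])
        else:
            score, rem = STATIC_SCORES.get(event["type"], (0, None))  # unknown -> 0 (assumption)
        if score >= HIGH_SEVERITY:   # Phase 2: remediate, alert user and security team, log incident
            actions = [rem, "email_user", "slack_security", "log_incident"]
        else:                        # Phase 3: audit trail only, no alerts
            actions = ["audit_log"]
        return Decision(score, rem, actions)
```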
Testing
- Threat scoring works correctly
- Account locking triggers at score ≥ 60
- User email sent for high-severity
- Slack alert sent to security team
- Low-severity events logged without alerts
- Incident table updated correctly
Status: ✅ Ready for Implementation