Deployment Ready: Fixed scam detection low confidence, added production audit report, optimized throttles
# Topic 20: Observability & Metrics Architecture

**Audit Date**: 2026-02-01

**Auditor**: Agent Antigravity

**Scope**: Monitoring & Telemetry

---

## 1. Deep Telemetry Engine (`telemetry.py`)

The system does not just log text; it builds a **Digital Fingerprint** of the attacker.

* **Real Geo-Location**: Uses `ip-api.com` to fetch Country, ISP, and Proxy status.
* **Hardware Fingerprinting**:
  * Captures `Screen Resolution`, `Timezone`, and `Hardware Concurrency` via the "Silent Beacon" JS in decoy pages.
  * **Goal**: Distinguish between a Human Scammer (Mobile Device) and a Bot (Headless Server).
  * **Evidence**: `TelemetryCollector.track_request()` -> `_generate_fingerprint()`.

---

## 2. Prometheus Metrics Integration

The system exposes standard **Prometheus-compatible** metrics for dashboards (Grafana).

* **Endpoint**: `get_prometheus_metrics()` generates the text payload.
* **Key Metrics**:
  * `sentinel_requests_total`: Traffic volume.
  * `sentinel_threats_detected_total`: Distinct attacker count.
  * `sentinel_scam_events_total{type="lottery"}`: Breakdown by scam category.

---

## 3. SIEM / SOC Integration

* **Format**: `JSONL` (JSON Lines).
* **Compatibility**: Designed for direct ingestion into **Splunk**, **Azure Sentinel**, or **ELK Stack**.
* **Fields**: `timestamp`, `source_ip`, `risk_score`, `geo_data`, `intelligence_count`.
* **Code**: `get_siem_export()` formats the internal state into a log stream.

---

## 4. Operational Visibility

* **Risk Scoring**: Real-time calculation based on:
  * Hosting Provider IP? (+40 Risk)
  * VPN Detected? (+30 Risk)
  * High-Risk Country (NG/CN/RU)? (+30 Risk)
* **Result**: The Admin Dashboard can show a "Heatmap" of attacks in real time.
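The scoring rules of section 4, the JSONL record of section 3 and the Prometheus payload of section 2, worked through as an added illustration (not the project's `telemetry.py`). The `GeoData` fields are assumptions modelled on `ip-api.com`'s `countryCode`, `isp`, `proxy` and `hosting` fields, and the "VPN Detected" rule is mapped to the `proxy` flag.

```python
import json
from dataclasses import dataclass, asdict

# Assumed shape of the ip-api.com lookup result the report mentions; the field
# names mirror ip-api's countryCode / isp / proxy / hosting, not project code.
@dataclass
class GeoData:
    country_code: str
    isp: str
    hosting: bool   # hosting-provider / datacenter IP
    proxy: bool     # ip-api's proxy flag, used here as the "VPN detected" signal

HIGH_RISK_COUNTRIES = {"NG", "CN", "RU"}   # the list given in section 4

def risk_score(geo: GeoData) -> int:
    """Additive score from section 4: hosting +40, VPN +30, high-risk country +30."""
    score = 0
    if geo.hosting:
        score += 40
    if geo.proxy:
        score += 30
    if geo.country_code in HIGH_RISK_COUNTRIES:
        score += 30
    return score

def siem_record(timestamp: str, source_ip: str, geo: GeoData, intelligence_count: int) -> str:
    """One JSON Lines record carrying exactly the fields listed in section 3."""
    record = {
        "timestamp": timestamp,
        "source_ip": source_ip,
        "risk_score": risk_score(geo),
        "geo_data": asdict(geo),
        "intelligence_count": intelligence_count,
    }
    return json.dumps(record, sort_keys=True)   # single line, no embedded newlines

def prometheus_text(requests_total: int, threats_total: int, scam_events: dict) -> str:
    """Prometheus exposition-format payload for the three counters named in section 2."""
    lines = [
        "# TYPE sentinel_requests_total counter",
        f"sentinel_requests_total {requests_total}",
        "# TYPE sentinel_threats_detected_total counter",
        f"sentinel_threats_detected_total {threats_total}",
        "# TYPE sentinel_scam_events_total counter",
    ]
    for scam_type, count in sorted(scam_events.items()):   # one series per label value
        lines.append(f'sentinel_scam_events_total{{type="{scam_type}"}} {count}')
    return "\n".join(lines) + "\n"
```

Feeding a constructed `GeoData("NG", "ExampleHost", hosting=True, proxy=True)` through `siem_record` yields a single line scoring 100, and `prometheus_text` emits one `sentinel_scam_events_total` series per scam category.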