Security Event Correlation: Normalised Events & Incident Aggregation Layer

controller/securityEventsController.js

@@ -0,0 +1,54 @@
+// Week 8: Correlated incident export
+
+const { getSecurityEvents } = require('../services/securityEvents/securityEventsService');
+const { securityEventsToCsv } = require('../services/securityEvents/securityEventsCsvFormatter');
+
+async function exportSecurityEvents(req, res) {
+  try {
+    const { from, to, format = 'json' } = req.query;
+
+    const toDate = to ? new Date(to) : new Date();
+    const fromDate = from
+      ? new Date(from)
+      : new Date(toDate.getTime() - 7 * 24 * 60 * 60 * 1000);
+
+    // Week 8: service now returns { events, incidents }
+    const { events, incidents } = await getSecurityEvents(fromDate, toDate);
+
+    // CSV mode (events only)
+    if (format === 'csv') {
+      const csv = securityEventsToCsv(events);
+      const fileName = `securityevent_${fromDate.toISOString().split('T')[0]}_${toDate
+        .toISOString()
+        .split('T')[0]}.csv`;
+
+      res.setHeader('Content-Type', 'text/csv');
+      res.setHeader('Content-Disposition', `attachment; filename="${fileName}"`);
+      return res.status(200).send(csv);
+    }
+
+    // Pretty JSON mode (events + incidents)
+    const payload = {
+      range: {
+        from: fromDate.toISOString(),
+        to: toDate.toISOString(),
+      },
+      summary: {
+        totalEvents: events.length,
+        totalIncidents: incidents.length,
+      },
+      events,
+      incidents,
+    };
+
+    res.setHeader('Content-Type', 'application/json');
+    return res.status(200).send(JSON.stringify(payload, null, 2));
+  } catch (e) {
+    console.error('Error exporting security events:', e);
+    return res.status(500).json({ error: 'Failed to export security events' });
+  }
+}
+
+module.exports = {
+  exportSecurityEvents,
+};

index.yaml

@@ -3107,6 +3107,78 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/ErrorResponse'
+
+  /security/events/export:
+    get:
+      tags:
+        - Security
+      summary: Export security events as JSON or CSV
+      description: >
+        Aggregates login, brute-force and session/token lifecycle events
+        from auth_logs, brute_force_logs and user_session into a unified export.
+      parameters:
+        - name: from
+          in: query
+          description: Start date (YYYY-MM-DD). Defaults to 7 days before `to`.
+          required: false
+          schema:
+            type: string
+            format: date
+        - name: to
+          in: query
+          description: End date (YYYY-MM-DD). Defaults to now.
+          required: false
+          schema:
+            type: string
+            format: date
+        - name: format
+          in: query
+          description: Response format. Use `csv` to download CSV, otherwise JSON.
+          required: false
+          schema:
+            type: string
+            enum: [json, csv]
+      responses:
+        '200':
+          description: Security events exported
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  range:
+                    type: object
+                    properties:
+                      from:
+                        type: string
+                        format: date-time
+                      to:
+                        type: string
+                        format: date-time
+                  count:
+                    type: integer
+                  events:
+                    type: array
+                    items:
+                      type: object
+              example:
+                range:
+                  from: "2025-12-04T00:00:00Z"
+                  to: "2025-12-11T00:00:00Z"
+                count: 3
+                events:
+                  - id: "brute_4092..."
+                    type: "BRUTE_FORCE_DETECTED"
+                    source: "public.brute_force_logs"
+                  - id: "session_67879"
+                    type: "SESSION_CREATED"
+                    source: "public.user_session"
+            text/csv:
+              schema:
+                type: string
+              example: |
+                id,occurredAt,type,userId,sessionId,ipAddress,userAgent,source,metadataJson
+                brute_4092...,2025-12-04T07:24:13.965+00:00,BRUTE_FORCE_DETECTED,,,,,public.brute_force_logs,"{""email"":""john@nutrihelp.com""}"
 
 components: