1.0 ADBox training pipeline flow LARC-001
Training pipeline flow diagram
The diagram summarizes the flow of the training pipeline orchestrated by the ADBox Engine.

Parent links: SRS-038 Joint Host-Network Training
Child links: SWD-001 ADBox training pipeline
2.0 ADBox historical data prediction pipeline flow LARC-002
Prediction pipeline flow diagram for historical (offline) run mode
The diagram summarizes the flow of the prediction pipeline for the historical (offline) run mode, orchestrated by the ADBox Engine.

Parent links: SRS-035 Offline Anomaly Detection
Child links: SWD-002 ADBox prediction pipeline, SWD-013 ADBox Prediction pipeline's inner body
3.0 ADBox preprocessing flow LARC-003
Preprocessing flow diagram of ADBox data transformer
The diagram summarizes the flow of the method Preprocessor.preprocessing by the ADBox Data Transformer.

Parent links: SRS-029 Host & Network Ingestion
Child links: SWD-010 ADBox data transformer, SWD-011 ADBox preprocessing
4.0 IDPS-ESCAPE end-point integrated arch. LARC-004
IDPS-ESCAPE end-point integrated architecture diagram
The diagram illustrates the architecture of the IDPS-ESCAPE end-point integrated model.

Parent links: SRS-033 Remote Endpoint Deployment
5.0 IDPS-ESCAPE end-point hybrid arch. LARC-005
IDPS-ESCAPE end-point hybrid model architecture diagram
The diagram illustrates the architecture of the IDPS-ESCAPE end-point hybrid model.

Parent links: SRS-033 Remote Endpoint Deployment
6.0 IDPS-ESCAPE end-point host-only IDS arch. LARC-006
IDPS-ESCAPE end-point host-only IDS model architecture diagram
The diagram illustrates the architecture of the IDPS-ESCAPE end-point host-only IDS (HIDS-only) model.

Parent links: SRS-033 Remote Endpoint Deployment
7.0 IDPS-ESCAPE end-point capture-only arch. LARC-007
IDPS-ESCAPE end-point capture-only model architecture diagram
The diagram illustrates the architecture of the IDPS-ESCAPE end-point capture-only model.

Parent links: SRS-033 Remote Endpoint Deployment
8.0 ADBox batch and real-time prediction flow LARC-008
Batch and real-time ADBox run modes prediction flow diagrams
The diagram summarizes the flow of the prediction pipeline for the online run modes orchestrated by the ADBox Engine. Specifically,
- batch mode runs the loop every batch interval,
- real-time mode runs the loop every granularity interval.

Parent links: SRS-027 ML-Based Anomaly Detection
Child links: SWD-002 ADBox prediction pipeline, SWD-013 ADBox Prediction pipeline's inner body
9.0 ADBox machine learning package LARC-009
ADBox machine learning package diagram
The diagram shows the ADBox ML-packages folder, which contains the machine learning packages called by the AD pipelines.

Parent links: SRS-039 Algorithm Selection Option
Child links: SWD-003 MTAD-GAT training, SWD-004 MTAD-GAT prediction, SWD-005 Peak-over-threshold (POT), SWD-006 ADBox Predictor score computation, SWD-007 ADBox MTAD-GAT anomaly prediction, SWD-008 ADBox MTAD-GAT Predictor
10 ADBox data manager LARC-010
ADBox data manager diagram
The diagram below depicts the ADBox Data Manager.

Parent links: SRS-040 Data Management Subpackage
Child links: SWD-009 ADBox data managers
11 ADBox TimeManager LARC-011
ADBox TimeManager context diagram
The diagram below depicts the ADBox TimeManager.

Parent links: SRS-041 Time Management Package
Child links: SWD-012 ADBox TimeManager
12 ADBox ConfigManager LARC-012
ADBox ConfigManager context diagram
The diagram below depicts the ADBox ConfigManager.

Parent links: SRS-018 ML Hyperparameter Tuning, SRS-021 Default Use Case Update
Child links: SWD-014 ADBox config managers
13 ADBox RequestResponseHandler LARC-013
ADBox RequestResponseHandler context diagram
The diagram below depicts the ADBox RequestResponseHandler subpackage.

Parent links: SRS-042 Prediction Shipping Feature
14 ADBox Shipper LARC-014
ADBox Shipper context diagram
The diagram below depicts the ADBox Shipper subpackage.

Parent links: SRS-042 Prediction Shipping Feature
Child links: SWD-015 ADBox Shipper and Template Handler, SWD-016 ADBox shipping of prediction data, SWD-017 ADBox creation of a detector stream
15 RADAR scenario setup flow LARC-015
The diagram below depicts the RADAR scenario setup flow.

Parent links: HARC-004 RADAR architecture, HARC-005 RADAR Automated Test Framework architecture, SRS-050 Insider Threat Detection and Prevention: Data exfiltration, SRS-051 Suspicious login Detection and Prevention: Impossible travel and Failed-login bursts, SRS-052 DDoS Detection and Prevention: SYN-flood, SRS-053 Malware Communication Detection and Prevention: Beaconing
Child links: SWD-018 RATF: ingestion phase, SWD-019 RATF: setup phase
16 RADAR active response flow LARC-016
The diagram below depicts the RADAR active response flow.

Parent links: HARC-004 RADAR architecture, HARC-005 RADAR Automated Test Framework architecture, SRS-050 Insider Threat Detection and Prevention: Data exfiltration, SRS-051 Suspicious login Detection and Prevention: Impossible travel and Failed-login bursts, SRS-052 DDoS Detection and Prevention: SYN-flood, SRS-053 Malware Communication Detection and Prevention: Beaconing
Child links: SWD-019 RATF: setup phase, SWD-020 RATF: simulation phase, SWD-021 RATF: evaluation phase
17 RADAR integration with Opensearch modules LARC-017
The diagram below depicts how RADAR integrates with Wazuh Opensearch modules.

Parent links: HARC-004 RADAR architecture, HARC-005 RADAR Automated Test Framework architecture, SRS-050 Insider Threat Detection and Prevention: Data exfiltration, SRS-051 Suspicious login Detection and Prevention: Impossible travel and Failed-login bursts, SRS-052 DDoS Detection and Prevention: SYN-flood, SRS-053 Malware Communication Detection and Prevention: Beaconing, SRS-054 RADAR Automated Test Framework
18 RADAR logical flow LARC-018
The diagram below depicts the logical flow of RADAR.

Parent links: HARC-004 RADAR architecture, SRS-050 Insider Threat Detection and Prevention: Data exfiltration, SRS-051 Suspicious login Detection and Prevention: Impossible travel and Failed-login bursts, SRS-052 DDoS Detection and Prevention: SYN-flood, SRS-053 Malware Communication Detection and Prevention: Beaconing
19 SONAR training pipeline sequence LARC-019
Training workflow sequence diagram
The training pipeline retrieves historical alerts from Wazuh Indexer, extracts features, and trains the MVAD model.
Key operations
| Component | Operation | Input | Output |
|---|---|---|---|
| Scenario Loader | Parse YAML | Scenario file path | UseCase object |
| Data Provider | Fetch alerts | Time range, filters | Raw alerts (JSON) |
| Feature Engineer | Extract features | Raw alerts | Time-series DataFrame |
| MVAD Engine | Train model | Time-series data | Trained model object |
| File System | Persist model | Model object | Model file path |
Error handling
- Insufficient data: Warns if sample count < minimum threshold
- Missing fields: Uses default values or raises validation error
- API failures: Retries with exponential backoff
- Model persistence: Validates write permissions before training
Related documentation
- Training sequence diagram: docs/manual/sonar_docs/uml-diagrams.md#training-workflow
Parent links: SRS-038 Joint Host-Network Training, SRS-048 Default Detector Training
Child links: SWD-022 SONAR class structure and relationships, SWD-023 SONAR feature engineering design, SWD-024 SONAR data shipping design, SWD-025 SONAR debug mode design
20 SONAR detection pipeline sequence LARC-020
Detection workflow sequence diagram
The detection pipeline loads a trained model, processes recent alerts, and generates anomaly scores with optional shipping to data streams.
Detection modes
| Mode | Behavior | Use Case |
|---|---|---|
| historical | Process fixed time range | Batch analysis, validation |
| realtime | Continuous monitoring | Production deployment |
| batch | Scheduled execution | Periodic scans |
Post-processing steps
- Thresholding: Filter scores above configured threshold
- Consecutive filtering: Require N consecutive anomalies
- Enrichment: Add metadata (timestamp, scenario ID, severity)
- Formatting: Convert to OpenSearch document format
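The four post-processing steps above, chained in order over a constructed series of per-bucket anomaly scores. This is an added example written for this page, not SONAR's own code; the score layout, the severity mapping (distance above the threshold) and the OpenSearch field names are assumptions, since the page lists the steps but not their data formats.

```python
from datetime import datetime, timedelta, timezone
import json

# Constructed sample input (not project data): one anomaly score per
# one-minute bucket, with an isolated spike at index 2, a run of three
# consecutive high scores at indices 4-6, and another isolated spike at 8.
_T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SCORES = [
    (_T0 + timedelta(minutes=i), s)
    for i, s in enumerate([0.1, 0.2, 0.9, 0.3, 0.8, 0.85, 0.95, 0.2, 0.7, 0.1])
]


def threshold_scores(scores, threshold):
    """Step 1 (thresholding): flag a bucket iff its score is above the threshold."""
    return [(ts, s, s > threshold) for ts, s in scores]


def consecutive_filter(flagged, n_consecutive):
    """Step 2 (consecutive filtering): keep flagged buckets only when they belong
    to a run of at least n_consecutive flagged buckets. Isolated spikes are dropped,
    which is what suppresses single-bucket noise in a detector stream."""
    kept, run = [], []
    for item in flagged:
        if item[2]:
            run.append(item)
            continue
        if len(run) >= n_consecutive:
            kept.extend(run)
        run = []
    if len(run) >= n_consecutive:  # flush a run that ends at the last bucket
        kept.extend(run)
    return kept


def severity_for(score, threshold):
    """Assumed severity mapping by margin above the threshold (not from the page)."""
    margin = score - threshold
    if margin >= 0.3:
        return "high"
    if margin >= 0.1:
        return "medium"
    return "low"


def enrich(points, threshold, scenario_id):
    """Step 3 (enrichment): attach timestamp, scenario ID and severity to each anomaly."""
    return [
        {
            "timestamp": ts,
            "score": s,
            "scenario_id": scenario_id,
            "severity": severity_for(s, threshold),
        }
        for ts, s, _ in points
    ]


def to_opensearch_docs(records):
    """Step 4 (formatting): flat, JSON-serialisable documents. The field names
    are assumed; '@timestamp' is the conventional time field for index patterns."""
    return [
        {
            "@timestamp": r["timestamp"].isoformat(),
            "scenario_id": r["scenario_id"],
            "anomaly_score": r["score"],
            "severity": r["severity"],
        }
        for r in records
    ]


def postprocess(scores, threshold, n_consecutive, scenario_id):
    """Run the whole post-processing chain and return the documents to ship."""
    flagged = threshold_scores(scores, threshold)
    runs = consecutive_filter(flagged, n_consecutive)
    return to_opensearch_docs(enrich(runs, threshold, scenario_id))


if __name__ == "__main__":
    # With threshold 0.6 and N=2 only the run at indices 4-6 survives.
    for doc in postprocess(SAMPLE_SCORES, 0.6, 2, "demo-scenario"):
        print(json.dumps(doc))
```

Raising `n_consecutive` trades detection latency for fewer false positives: an anomaly is only emitted once N buckets in a row exceed the threshold, so the first document for a genuine incident appears N granularity intervals after it starts.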
Related documentation
- Detection sequence diagram: docs/manual/sonar_docs/uml-diagrams.md#detection-workflow
Parent links: SRS-027 ML-Based Anomaly Detection, SRS-035 Offline Anomaly Detection, SRS-042 Prediction Shipping Feature
Child links: SWD-022 SONAR class structure and relationships, SWD-023 SONAR feature engineering design, SWD-024 SONAR data shipping design, SWD-025 SONAR debug mode design