-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathVBAF.Enterprise.AlertRouter.ps1
More file actions
181 lines (161 loc) · 8.52 KB
/
VBAF.Enterprise.AlertRouter.ps1
File metadata and controls
181 lines (161 loc) · 8.52 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
#Requires -Version 5.1
<#
.SYNOPSIS
Pillar 6 - Enterprise Scripting: Intelligent Alert Router
.DESCRIPTION
Trains a DQN agent to classify and route Windows Event Log alerts.
The agent observes real event log severity and learns when to:
- Ignore : low severity events (action 0)
- Log : medium events worth recording (action 1)
- Alert : high severity needing attention (action 2)
- Escalate : critical events requiring immediate action (action 3)
.NOTES
Part of VBAF - Phase 9 Enterprise Automation Engine
Pillar 6: Enterprise Scripting with Intelligence
PS 5.1 compatible
#>
# ============================================================
# PILLAR 6 - ENTERPRISE SCRIPTING: ALERT ROUTER
# ============================================================
function Invoke-VBAFAlertRouterTraining {
param(
[int] $Episodes = 50,
[int] $PrintEvery = 10,
[switch] $FastMode,
[switch] $SimMode
)
Write-Host ""
Write-Host "🏢 VBAF Enterprise - Pillar 6: Enterprise Scripting" -ForegroundColor Cyan
Write-Host " Training DQN agent on Alert Router..." -ForegroundColor Cyan
Write-Host " Actions: 0=Ignore 1=Log 2=Alert 3=Escalate" -ForegroundColor Yellow
Write-Host " Goal : match action to event severity" -ForegroundColor Yellow
Write-Host ""
$arEnv = New-EnterpriseEnvironment -Name "AlertRouter"
Write-Host " Phase 1: Baseline (random agent)..." -ForegroundColor Gray
$baseline = Invoke-VBAFBenchmark -Environment $arEnv -Episodes 10 -Label "Baseline Random"
if ($FastMode) { $Episodes = [Math]::Min($Episodes, 30) }
if ($SimMode) {
Write-Host ""
Write-Host " Phase 2: Training DQN agent ($Episodes episodes - SimMode fast)..." -ForegroundColor Gray
} else {
Write-Host ""
Write-Host " Phase 2: Training DQN agent ($Episodes episodes)..." -ForegroundColor Gray
}
# Build DQN - 4 state, 4 actions
$config = [DQNConfig]::new()
$config.StateSize = 4 # severity, frequency, timeOfDay, repeatCount
$config.ActionSize = 4 # Ignore, Log, Alert, Escalate
$config.EpsilonDecay = 0.9995
$config.EpsilonMin = 0.05
[int[]] $arch = @(4, 16, 16, 4)
$mainNetwork = [NeuralNetwork]::new($arch, $config.LearningRate)
$targetNetwork = [NeuralNetwork]::new($arch, $config.LearningRate)
$memory = [ExperienceReplay]::new($config.MemorySize)
$agent = [DQNAgent]::new($config, $mainNetwork, $targetNetwork, $memory)
$results = [System.Collections.Generic.List[object]]::new()
for ($ep = 1; $ep -le $Episodes; $ep++) {
if ($SimMode) {
# Real Windows events: 60% low, 30% medium, 10% high/critical
$sevRoll = Get-Random -Minimum 1 -Maximum 100
if ($sevRoll -le 60) { $arEnv.Severity = [double](Get-Random -Minimum 0 -Maximum 20) / 100.0 }
elseif ($sevRoll -le 90) { $arEnv.Severity = [double](Get-Random -Minimum 20 -Maximum 60) / 100.0 }
else { $arEnv.Severity = [double](Get-Random -Minimum 60 -Maximum 100) / 100.0 }
$arEnv.Frequency = [double](Get-Random -Minimum 0 -Maximum 100) / 100.0
$arEnv.TimeOfDay = [double]([System.DateTime]::Now.Hour) / 23.0
$arEnv.RepeatCount = Get-Random -Minimum 0 -Maximum 5
$arEnv.CorrectRoutes = 0
$arEnv.MissedAlerts = 0
$arEnv.Steps = 0
$arEnv.TotalReward = 0.0
$arEnv.EpisodeCount++
$state = $arEnv.GetState()
} else {
$state = $arEnv.Reset()
}
$done = $false
$epReward = 0.0
$ignoreCount = 0
$logCount = 0
$alertCount = 0
$escalateCount = 0
[int] $stepCount = 0
while (-not $done) {
$action = $agent.Act($state)
$result = $arEnv.Step($action)
$agent.Remember($state, $action, $result.Reward, $result.NextState, $result.Done)
$stepCount++
if ($stepCount % 4 -eq 0) { $agent.Replay() }
$state = $result.NextState
$done = $result.Done
$epReward += $result.Reward
switch ($action) {
0 { $ignoreCount++ }
1 { $logCount++ }
2 { $alertCount++ }
3 { $escalateCount++ }
}
}
$agent.EndEpisode($epReward)
$results.Add(@{
Episode = $ep
Reward = $epReward
Ignore = $ignoreCount
Log = $logCount
Alert = $alertCount
Escalate = $escalateCount
Epsilon = $agent.Epsilon
})
if ($ep % $PrintEvery -eq 0) {
$lastN = $results | Select-Object -Last $PrintEvery
$avgSum = 0.0
foreach ($r2 in $lastN) { $avgSum += $r2.Reward }
$avg = [Math]::Round($avgSum / $lastN.Count, 2)
Write-Host (" Ep {0,4}/{1} AvgReward: {2,7} Eps: {3:F3} Ign:{4} Log:{5} Alt:{6} Esc:{7}" -f $ep, $Episodes, $avg, $agent.Epsilon, $ignoreCount, $logCount, $alertCount, $escalateCount) -ForegroundColor White
}
}
Write-Host ""
Write-Host " Phase 3: Final evaluation..." -ForegroundColor Gray
$trained = Invoke-VBAFBenchmark -Agent $agent -Environment $arEnv -Episodes 10 -Label "Trained DQN"
$bAvg = [Math]::Round($baseline.Avg, 2)
$tAvg = [Math]::Round($trained.Avg, 2)
$improvement = if ($bAvg -ne 0) { [Math]::Round((($tAvg - $bAvg) / [Math]::Abs($bAvg)) * 100, 1) } else { 0 }
Write-Host ""
Write-Host "╔══════════════════════════════════════════════╗" -ForegroundColor Cyan
Write-Host "║ Pillar 6: Alert Router - Results ║" -ForegroundColor Cyan
Write-Host "╠══════════════════════════════════════════════╣" -ForegroundColor Cyan
Write-Host ("║ Baseline (random) avg reward : {0,8} ║" -f $bAvg) -ForegroundColor Gray
Write-Host ("║ Trained (DQN) avg reward : {0,8} ║" -f $tAvg) -ForegroundColor Green
Write-Host ("║ Improvement : {0,7}% ║" -f $improvement) -ForegroundColor Yellow
Write-Host "╠══════════════════════════════════════════════╣" -ForegroundColor Cyan
Write-Host "║ Agent learned to: ║" -ForegroundColor Cyan
Write-Host "║ Ignore low severity events ║" -ForegroundColor White
Write-Host "║ Log medium severity events ║" -ForegroundColor White
Write-Host "║ Alert high severity events ║" -ForegroundColor White
Write-Host "║ Escalate critical events immediately ║" -ForegroundColor White
Write-Host "╚══════════════════════════════════════════════╝" -ForegroundColor Cyan
Write-Host ""
return @{ Agent = $agent; Results = $results; Baseline = $baseline; Trained = $trained }
}
# ============================================================
# TEST SUGGESTIONS
# ============================================================
# 1. Run VBAF.LoadAll.ps1
# 2. QUICK DEMO
# $r = Invoke-VBAFAlertRouterTraining -Episodes 50 -PrintEvery 10 -SimMode
# 3. FULL TRAINING (real Windows event logs)
# $r = Invoke-VBAFAlertRouterTraining -Episodes 50 -PrintEvery 10
# 4. INSPECT DECISIONS
# $env = New-EnterpriseEnvironment -Name "AlertRouter"
# $state = $env.Reset()
# Write-Host "Severity: $($env.Severity) Frequency: $($env.Frequency)"
# $action = $r.Agent.Act($state)
# $labels = @("Ignore","Log","Alert","Escalate")
# Write-Host "Agent decision: $($labels[$action])"
# ============================================================
Write-Host "📦 VBAF.Enterprise.AlertRouter.ps1 loaded [v3.0.0 🏢]" -ForegroundColor Green
Write-Host " Pillar 6 : Enterprise Scripting with Intelligence" -ForegroundColor Cyan
Write-Host " Function : Invoke-VBAFAlertRouterTraining" -ForegroundColor Cyan
Write-Host ""
Write-Host " Quick start:" -ForegroundColor Yellow
Write-Host ' $r = Invoke-VBAFAlertRouterTraining -Episodes 50 -PrintEvery 10 -SimMode' -ForegroundColor White
Write-Host ""