Cyclium.Findings.Escalation (Cyclium v0.1.10)

Copy Markdown View Source

Time-based severity escalation rules for active findings.

Evaluates escalation rules against a finding and determines whether it should be bumped to a higher severity based on how long it has been active.

Rules are evaluated from longest after_minutes first. The first matching rule (where the finding has been active for at least that duration) wins.

Rules format

Rules are configured per finding class, declared on the expectation:

expectation :check_vendor,
  trigger: {:event, "vendor.updated"},
  escalation_rules: %{
    "vendor_delay" => [
      %{after_minutes: 60, escalate_to: :high},
      %{after_minutes: 1440, escalate_to: :critical}
    ]
  }

Summary

Functions

check(finding, rules)

Check if a single finding should be escalated based on rules.

severity_index(severity)

Returns the integer index of a severity for comparison. Higher = more severe.

Functions

check(finding, rules)

Check if a single finding should be escalated based on rules.

Returns {:escalate, new_severity} or :no_change.

severity_index(severity)

Returns the integer index of a severity for comparison. Higher = more severe.