Incident/Forensic Mode (High-Fidelity Sampling)
Module
Telemetry
Status
IMPLEMENTED
Description
Incident/forensic mode service that enables high-fidelity (100%) sampling during security incidents for detailed investigation.
Implementation Details
- IIncidentModeService interface: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IIncidentModeService.cs` -- `IsActive`, `CurrentState`, `ActivateAsync(actor, tenantId, TTL override, reason)`, `DeactivateAsync`; manages incident mode state with per-tenant granularity
- IncidentModeService: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IncidentModeService.cs` -- default implementation with activation/deactivation lifecycle
- IncidentModeOptions: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IncidentModeOptions.cs` -- configurable default TTL and sampling rates
- ISealedModeTelemetryService: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/ISealedModeTelemetryService.cs` -- `IsIncidentModeOverrideActive` property enables incident mode to override sealed mode sampling rate
- Tests: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/IncidentModeServiceTests.cs`
- Source: Feature matrix scan
E2E Test Plan
- Verify incident mode activation increases sampling rate to 100%
- Test TTL override correctly expires incident mode after configured duration
- Verify incident mode tags are attached to all telemetry during active period
- Test incident mode overrides sealed mode sampling restrictions
- Verify deactivation restores normal sampling rates
- Test per-tenant incident mode isolation
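
A small model of the behaviour the test plan above checks (per-tenant activation, TTL expiry, sealed-mode override, restore on deactivation), added here as an illustration and not taken from the StellaOps source. The types `IncidentState`, `IncidentSamplingModel` and `Demo`, their members, the tenant and actor names, and the 10% / 1% baseline rates are all hypothetical.

```csharp
using System;
using System.Collections.Concurrent;

// Hypothetical model, not StellaOps code: type names and rates are assumptions.
public sealed record IncidentState(string Actor, string Reason, DateTimeOffset ExpiresAt);

public sealed class IncidentSamplingModel
{
    private readonly ConcurrentDictionary<string, IncidentState> _active = new();
    private readonly Func<DateTimeOffset> _now;   // injected clock so TTL expiry is testable
    private readonly TimeSpan _defaultTtl;
    private readonly double _normalRate, _sealedRate;

    public IncidentSamplingModel(Func<DateTimeOffset> now, TimeSpan defaultTtl,
                                 double normalRate, double sealedRate)
        => (_now, _defaultTtl, _normalRate, _sealedRate) = (now, defaultTtl, normalRate, sealedRate);

    // State is keyed by tenant; actor and reason are mandatory so every activation is attributable.
    public void Activate(string actor, string tenantId, string reason, TimeSpan? ttlOverride = null)
    {
        if (string.IsNullOrWhiteSpace(actor) || string.IsNullOrWhiteSpace(reason))
            throw new ArgumentException("actor and reason are required");
        _active[tenantId] = new IncidentState(actor, reason, _now() + (ttlOverride ?? _defaultTtl));
    }

    public void Deactivate(string tenantId) => _active.TryRemove(tenantId, out _);

    // Expiry is checked on every read, so a missed deactivation cannot leave 100% sampling on.
    public bool IsActive(string tenantId)
        => _active.TryGetValue(tenantId, out var s) && _now() < s.ExpiresAt;

    // Incident mode wins over sealed mode; otherwise the sealed or normal baseline applies.
    public double EffectiveRate(string tenantId, bool sealedMode)
        => IsActive(tenantId) ? 1.0 : (sealedMode ? _sealedRate : _normalRate);
}

public static class Demo
{
    public static void Main()
    {
        var clock = DateTimeOffset.UnixEpoch;   // constructed clock value
        var model = new IncidentSamplingModel(() => clock, TimeSpan.FromMinutes(30), 0.10, 0.01);
        model.Activate("analyst@example.test", "tenant-a", "constructed incident", TimeSpan.FromMinutes(5));
        Console.WriteLine(model.EffectiveRate("tenant-a", sealedMode: true));  // incident active, sealed
        Console.WriteLine(model.EffectiveRate("tenant-b", sealedMode: true));  // other tenant, sealed
        clock += TimeSpan.FromMinutes(6);                                      // past the TTL override
        Console.WriteLine(model.EffectiveRate("tenant-a", sealedMode: false)); // expired, back to normal
    }
}
```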