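/**
 * @fileoverview Threat Intelligence Integration
 * @module @nahisaho/musubix-security/intelligence/threat-intelligence
 *
 * Provides threat intelligence feed integration, IOC matching,
 * and threat context enrichment for vulnerability findings.
 *
 * This is a declaration file: only the public surface is described.
 * From the service's point of view, feed content, data passed to
 * `importIOCs()` and the text passed to `matchCode()` are untrusted
 * input; the member notes below record where that matters for callers.
 */
import type { Vulnerability, SourceLocation } from '../types/index.js';

/**
 * Indicator of Compromise (IOC) type.
 *
 * `'custom'` is the catch-all for feed-specific indicator kinds that do
 * not fit the other members.
 */
export type IOCType =
  | 'ip-address'
  | 'domain'
  | 'url'
  | 'file-hash'
  | 'email'
  | 'cve'
  | 'malware-signature'
  | 'attack-pattern'
  | 'registry-key'
  | 'mutex'
  | 'user-agent'
  | 'custom';

/**
 * Threat severity level (`'unknown'` when no rating is available).
 */
export type ThreatSeverity = 'critical' | 'high' | 'medium' | 'low' | 'unknown';

/**
 * Threat confidence level (`'unknown'` when the source gives none).
 */
export type ThreatConfidence = 'confirmed' | 'high' | 'medium' | 'low' | 'unknown';

/**
 * Indicator of Compromise.
 *
 * Every string-valued field other than `id` may originate from an
 * external feed and should be treated as untrusted data when rendered,
 * logged or exported.
 */
export interface IOC {
  /** IOC ID */
  id: string;
  /** IOC type */
  type: IOCType;
  /** IOC value (syntax depends on `type`) */
  value: string;
  /** Threat severity */
  severity: ThreatSeverity;
  /** Confidence level */
  confidence: ThreatConfidence;
  /** First seen timestamp */
  firstSeen: Date;
  /** Last seen timestamp */
  lastSeen: Date;
  /** Source feed */
  source: string;
  /** Tags */
  tags: string[];
  /** Related threat actors */
  threatActors: string[];
  /** Related campaigns */
  campaigns: string[];
  /** MITRE ATT&CK techniques */
  techniques: string[];
  /** Description */
  description?: string;
  /**
   * Expiration date.
   * NOTE(review): whether `matchCode()` / `searchIOCs()` skip expired
   * entries is not visible from this declaration — confirm in the
   * implementation before relying on it.
   */
  expiresAt?: Date;
  /**
   * Additional metadata, as supplied by the feed.
   * NOTE(review): the type arguments were lost in extraction;
   * `Record<string, unknown>` is assumed — confirm against the source.
   */
  metadata: Record<string, unknown>;
}

/**
 * Threat feed configuration.
 */
export interface ThreatFeed {
  /** Feed ID */
  id: string;
  /** Feed name */
  name: string;
  /**
   * Feed URL or path. Whatever is fetched from here is untrusted input;
   * `trustLevel` records how far the operator trusts it.
   */
  url: string;
  /** Feed format */
  format: 'stix' | 'taxii' | 'csv' | 'json' | 'openioc' | 'custom';
  /**
   * API key if required. This is a secret: `getFeeds()` returns the full
   * `ThreatFeed` object, so callers must redact this field before
   * logging or exporting feed configuration.
   */
  apiKey?: string;
  /** Update interval in minutes */
  updateInterval: number;
  /** Last updated */
  lastUpdated?: Date;
  /** Enabled status */
  enabled: boolean;
  /**
   * Trust level (0-100).
   * NOTE(review): how this feeds into match confidence is not visible
   * here — confirm in the implementation.
   */
  trustLevel: number;
  /** IOC types to fetch */
  iocTypes?: IOCType[];
}

/**
 * Threat match result produced by `ThreatIntelligence.matchCode()`.
 */
export interface ThreatMatch {
  /** Match ID */
  id: string;
  /** Matched IOC */
  ioc: IOC;
  /** Match context */
  context: {
    /** Where the match was found */
    location: SourceLocation;
    /** Code snippet */
    codeSnippet: string;
    /**
     * Match type.
     * NOTE(review): if `'pattern'` matches are implemented with a
     * `RegExp` built from feed-supplied data, the implementation should
     * bound pattern size/complexity so a malformed feed cannot stall
     * scanning (ReDoS) — confirm.
     */
    matchType: 'exact' | 'partial' | 'pattern';
    /** Match confidence (0-1) */
    confidence: number;
  };
  /** Related vulnerability if any */
  vulnerabilityId?: string;
  /** Match timestamp */
  matchedAt: Date;
  /** Recommended actions */
  recommendations: string[];
}

/**
 * Threat context enrichment attached to a vulnerability finding.
 */
export interface ThreatContext {
  /** Vulnerability ID */
  vulnerabilityId: string;
  /** Related threats */
  threats: ThreatInfo[];
  /** Risk multiplier based on threat intelligence */
  riskMultiplier: number;
  /** Is actively exploited */
  activelyExploited: boolean;
  /** Known exploit kits */
  exploitKits: string[];
  /** Affected industries */
  targetedIndustries: string[];
  /** Geographic targeting */
  geographicTargets: string[];
  /** Time to patch recommendation */
  urgency: 'immediate' | 'high' | 'medium' | 'low';
}

/**
 * Threat information.
 */
export interface ThreatInfo {
  /** Threat ID */
  id: string;
  /** Threat name */
  name: string;
  /** Threat type */
  type: 'apt' | 'cybercrime' | 'hacktivism' | 'insider' | 'unknown';
  /** Associated CVEs */
  cves: string[];
  /** MITRE ATT&CK mapping */
  mitreTechniques: string[];
  /** Confidence */
  confidence: ThreatConfidence;
}

/**
 * Threat Intelligence options.
 */
export interface ThreatIntelligenceOptions {
  /** Enabled feeds */
  feeds?: ThreatFeed[];
  /** Cache TTL in minutes */
  cacheTTL?: number;
  /** Enable auto-update */
  autoUpdate?: boolean;
  /** Update interval in minutes */
  updateInterval?: number;
  /** Match threshold (0-1) */
  matchThreshold?: number;
  /** Enable CVE enrichment */
  enableCVEEnrichment?: boolean;
  /** Enable MITRE ATT&CK mapping */
  enableMitreMapping?: boolean;
}

/**
 * Threat Intelligence service for IOC matching and threat enrichment.
 */
export declare class ThreatIntelligence {
  private options;
  private feeds;
  private iocCache;
  private lastUpdate;
  private updateTimer?;
  /**
   * @param options - Service options; all fields optional.
   */
  constructor(options?: ThreatIntelligenceOptions);
  /** Load built-in IOCs */
  private loadBuiltinIOCs;
  /** Start auto-update timer */
  private startAutoUpdate;
  /**
   * Stop auto-update timer.
   * NOTE(review): call this before discarding an instance created with
   * `autoUpdate` enabled; a pending timer presumably keeps the process
   * alive — verify against the implementation.
   */
  stopAutoUpdate(): void;
  /**
   * Add a threat feed.
   * @param feed - Feed configuration (may carry an `apiKey`; see `ThreatFeed`).
   */
  addFeed(feed: ThreatFeed): void;
  /**
   * Remove a threat feed.
   * @param feedId - ID of the feed to remove.
   * @returns Whether a feed with that ID was present (inferred from the
   *   return type — confirm).
   */
  removeFeed(feedId: string): boolean;
  /**
   * Get all configured feeds.
   * Returned objects include `apiKey`; redact before logging or exporting.
   */
  getFeeds(): ThreatFeed[];
  /**
   * Update all feeds.
   * @returns Counts of feeds updated and failed; the shape suggests
   *   per-feed failures are counted rather than thrown — confirm.
   */
  updateFeeds(): Promise<{
    updated: number;
    failed: number;
  }>;
  /** Update a single feed */
  private updateFeed;
  /**
   * Add an IOC.
   * @param ioc - Indicator to add; no validation is visible from this declaration.
   */
  addIOC(ioc: IOC): void;
  /**
   * Get an IOC by ID.
   * @returns The IOC, or `undefined` when no IOC has that ID.
   */
  getIOC(id: string): IOC | undefined;
  /** Get all IOCs */
  getAllIOCs(): IOC[];
  /** Get IOCs by type */
  getIOCsByType(type: IOCType): IOC[];
  /**
   * Search IOCs.
   * @param query - Free-text query; matching semantics are not visible here.
   */
  searchIOCs(query: string): IOC[];
  /**
   * Match code against IOCs.
   * @param code - Text to scan (untrusted input).
   * @param filePath - Path reported in each match's `context.location`
   *   (inferred from the `ThreatMatch` shape — confirm).
   * @returns One `ThreatMatch` per hit; empty array when nothing matches.
   */
  matchCode(code: string, filePath: string): ThreatMatch[];
  /** Generate recommendations for an IOC match */
  private generateRecommendations;
  /**
   * Enrich vulnerability with threat context.
   * @param vulnerability - Finding to enrich.
   * @returns Threat context keyed by the vulnerability's ID.
   */
  enrichVulnerability(vulnerability: Vulnerability): ThreatContext;
  /** Get related CVEs for a CWE */
  private getRelatedCVEs;
  /** Map vulnerability type to MITRE ATT&CK techniques */
  private mapToMitre;
  /**
   * Check if a CVE is actively exploited.
   * @param cve - CVE identifier string.
   */
  isActivelyExploited(cve: string): boolean;
  /**
   * Get threat statistics.
   * NOTE(review): the type arguments of `byType` and `bySeverity` were
   * lost in extraction; `Record<string, number>` is assumed, with keys
   * expected to be `IOCType` / `ThreatSeverity` values — confirm.
   */
  getStatistics(): {
    totalIOCs: number;
    byType: Record<string, number>;
    bySeverity: Record<string, number>;
    feedsActive: number;
    lastUpdate: Date;
  };
  /**
   * Export IOCs.
   * Output embeds feed-supplied strings (`description`, `tags`,
   * `metadata`); consumers of the `'csv'` form in particular should treat
   * cell contents as untrusted data.
   * @param format - Output format.
   */
  exportIOCs(format: 'json' | 'csv' | 'stix'): string;
  /**
   * Import IOCs.
   * `data` is untrusted input and should be validated against the `IOC`
   * shape before use; whether this declaration's implementation does so
   * is not visible here.
   * @param data - Serialized IOC data.
   * @param format - Serialization format of `data`.
   * @returns Number of IOCs imported.
   */
  importIOCs(data: string, format: 'json' | 'csv'): number;
}

/**
 * Create a ThreatIntelligence instance.
 * @param options - Service options; all fields optional.
 */
export declare function createThreatIntelligence(options?: ThreatIntelligenceOptions): ThreatIntelligence;

/**
 * Quick IOC check — convenience wrapper around `matchCode()`; whether it
 * uses a shared default instance is not visible from this declaration.
 * @param code - Text to scan (untrusted input).
 * @param filePath - Path reported in match locations.
 */
export declare function quickIOCCheck(code: string, filePath: string): ThreatMatch[];

/**
 * Quick vulnerability enrichment — convenience wrapper around
 * `enrichVulnerability()`.
 * @param vulnerability - Finding to enrich.
 */
export declare function enrichWithThreatIntel(vulnerability: Vulnerability): ThreatContext;

/**
 * Check if CVE is actively exploited — convenience wrapper around
 * `isActivelyExploited()`.
 * @param cve - CVE identifier string.
 */
export declare function isCVEActivelyExploited(cve: string): boolean;
//# sourceMappingURL=threat-intelligence.d.ts.map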