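/**
 * Detections Database Module
 *
 * CRUD operations, search, filtering, coverage analysis, and gap identification
 * for security detections.
 *
 * NOTE(review): this is a declaration file; the implementations live elsewhere.
 * Several `Record` types below lost their type arguments during extraction
 * (they appear as bare `Record` / `Record>`) and must be restored from the
 * original source before this file will type-check.
 */
import type { Detection, IndexStats } from '../types.js';

/**
 * Detection source identifiers accepted by every source-scoped query.
 *
 * Extracted from the union literal that was repeated verbatim on each
 * signature; structurally identical, so existing callers are unaffected and a
 * new source only has to be added here.
 */
export type SourceType =
  | 'sigma'
  | 'splunk_escu'
  | 'elastic'
  | 'kql'
  | 'sublime'
  | 'crowdstrike_cql'
  | 'jamf_protect';

/** A technique ID paired with the number of detections mapped to it. */
export interface TechniqueDetectionCount {
  technique: string;
  detection_count: number;
}

/** Outcome of {@link validateTechniqueId}. */
export interface ValidationResult {
  /** Whether the ID is recognised. */
  valid: boolean;
  /** Human-readable reason when `valid` is false. */
  error?: string;
  /** A single corrected ID, when one can be proposed. */
  suggestion?: string;
  /** Other candidate IDs that resemble the input. */
  similar?: string[];
}

/** Optional filters for {@link getTechniqueIds}. */
export interface TechniqueIdFilters {
  source_type?: SourceType;
  tactic?: string;
  severity?: string;
}

/** Result of {@link analyzeCoverage}. */
export interface CoverageReport {
  summary: {
    total_techniques: number;
    total_detections: number;
    // TODO(review): type arguments lost in extraction — restore from source.
    coverage_by_tactic: Record;
  };
  /** Techniques with the most detections. */
  top_covered: TechniqueDetectionCount[];
  /** Techniques with the fewest detections. */
  weak_coverage: TechniqueDetectionCount[];
}

/** Result of {@link identifyGaps}. */
export interface GapAnalysis {
  threat_profile: string;
  total_gaps: number;
  critical_gaps: Array<{
    technique: string;
    priority: string;
    reason: string;
  }>;
  /** Technique IDs from the profile that already have detections. */
  covered: string[];
  recommendations: string[];
}

/** Result of {@link suggestDetections}. */
export interface DetectionSuggestion {
  technique_id: string;
  existing_detections: Array<{
    id: string;
    name: string;
    source: string;
  }>;
  data_sources_needed: string[];
  detection_ideas: string[];
}

/** Options for {@link generateNavigatorLayer}. */
export interface NavigatorLayerOptions {
  name: string;
  description?: string;
  source_type?: SourceType;
  tactic?: string;
  severity?: string;
  actor_name?: string;
}

/** Lightweight detection summary returned by the `*Light` / list searches. */
export interface DetectionListItem {
  name: string;
  id: string;
  source_type: string;
  mitre_ids: string[];
  severity: string | null;
}

/** Result of {@link compareDetectionsBySource}. */
export interface SourceComparisonResult {
  topic: string;
  total_found: number;
  // TODO(review): type arguments lost in extraction — restore from source.
  by_source: Record;
  // TODO(review): nested Record; inner/outer type arguments lost in extraction.
  by_tactic: Record>;
  summary: {
    // TODO(review): type arguments lost in extraction — restore from source.
    source_counts: Record;
    // TODO(review): type arguments lost in extraction — restore from source.
    tactic_coverage: Record;
  };
}

/**
 * Insert or replace a detection in the database.
 *
 * @param detection - The detection to upsert.
 */
export declare function insertDetection(detection: Detection): void;

/**
 * Get a detection by its ID.
 *
 * @returns The detection, or `null` when no row has that ID.
 */
export declare function getDetectionById(id: string): Detection | null;

/**
 * Get the raw YAML content for a detection.
 *
 * @returns The stored YAML text, or `null` when absent. Consumers that parse
 *   this text should use a safe YAML loader; the content originates from
 *   third-party rule repositories.
 */
export declare function getRawYaml(id: string): string | null;

/** Get the total count of detections. */
export declare function getDetectionCount(): number;

/**
 * Full-text search across detections.
 *
 * @param query - User-supplied search text. How it is tokenised or escaped is
 *   decided by the implementation, not visible here; treat it as untrusted.
 * @param limit - Maximum number of results.
 */
export declare function searchDetections(query: string, limit?: number): Detection[];

/** List detections with pagination. */
export declare function listDetections(limit?: number, offset?: number): Detection[];

/** List detections filtered by source type. */
export declare function listBySource(sourceType: SourceType, limit?: number, offset?: number): Detection[];

/** List detections by MITRE technique ID. */
export declare function listByMitre(techniqueId: string, limit?: number, offset?: number): Detection[];

/**
 * List detections by logsource attributes.
 *
 * Every attribute is optional; behaviour when none is supplied is defined by
 * the implementation (presumably an unfiltered, paginated list — confirm).
 */
export declare function listByLogsource(category?: string, product?: string, service?: string, limit?: number, offset?: number): Detection[];

/** List detections by severity level. */
export declare function listBySeverity(level: string, limit?: number, offset?: number): Detection[];

/** List detections by CVE ID. */
export declare function listByCve(cveId: string, limit?: number, offset?: number): Detection[];

/** List detections by analytic story name. */
export declare function listByAnalyticStory(story: string, limit?: number, offset?: number): Detection[];

/** List detections by process name. */
export declare function listByProcessName(processName: string, limit?: number, offset?: number): Detection[];

/** List detections by detection type. */
export declare function listByDetectionType(detectionType: string, limit?: number, offset?: number): Detection[];

/** List detections by data source. */
export declare function listByDataSource(dataSource: string, limit?: number, offset?: number): Detection[];

/** List detections by KQL category. */
export declare function listByKqlCategory(category: string, limit?: number, offset?: number): Detection[];

/** List detections by KQL tag. */
export declare function listByKqlTag(tag: string, limit?: number, offset?: number): Detection[];

/** List detections by KQL data source. */
export declare function listByKqlDatasource(dataSource: string, limit?: number, offset?: number): Detection[];

/** List detections by MITRE tactic. */
export declare function listByMitreTactic(tactic: string, limit?: number, offset?: number): Detection[];

/** Get comprehensive statistics about the indexed detections. */
export declare function getStats(): IndexStats;

/** Get distinct technique IDs matching a prefix for autocomplete. */
export declare function getDistinctTechniqueIds(prefix: string, limit?: number): string[];

/** Get distinct CVE IDs matching a prefix for autocomplete. */
export declare function getDistinctCves(prefix: string, limit?: number): string[];

/** Get distinct process names matching a prefix for autocomplete. */
export declare function getDistinctProcessNames(prefix: string, limit?: number): string[];

/**
 * Validate a MITRE technique ID with suggestions.
 *
 * @returns A {@link ValidationResult}; never throws for an unknown ID.
 */
export declare function validateTechniqueId(id: string): ValidationResult;

/** Get all unique technique IDs with optional filtering. */
export declare function getTechniqueIds(filters?: TechniqueIdFilters): string[];

/**
 * Analyze coverage by tactic and identify strengths/weaknesses.
 *
 * @param sourceType - Restrict the analysis to one source; all sources when omitted.
 */
export declare function analyzeCoverage(sourceType?: SourceType): CoverageReport;

/**
 * Identify gaps based on a threat profile.
 *
 * @param threatProfile - Name of the profile to compare coverage against.
 * @param sourceType - Restrict the analysis to one source; all sources when omitted.
 */
export declare function identifyGaps(threatProfile: string, sourceType?: SourceType): GapAnalysis;

/** Suggest detections for a technique. */
export declare function suggestDetections(techniqueId: string, sourceType?: SourceType): DetectionSuggestion;

/**
 * Generate an ATT&CK Navigator layer from detection coverage.
 *
 * @returns The layer as a plain object. `object` gives callers no field
 *   information; a dedicated `NavigatorLayer` interface would be preferable
 *   once the emitted shape is pinned down.
 */
export declare function generateNavigatorLayer(options: NavigatorLayerOptions): object;

/**
 * Auto-extract procedure reference data from detections for a technique.
 * Clusters detections by behavioral category and generates procedure entries.
 */
export declare function autoExtractProcedures(techniqueId: string): {
  technique_id: string;
  procedures_generated: number;
  detection_count: number;
};

/**
 * Extract procedures for ALL techniques in the database.
 * Loads hand-curated procedures first, then auto-extracts for the rest.
 * Called after indexing completes.
 */
export declare function extractAllProcedures(): {
  techniques_processed: number;
  procedures_generated: number;
  hand_curated_loaded: number;
};

/**
 * Populate detection_techniques and technique_tactics junction tables
 * from existing detection data. Runs as a post-indexing bulk operation
 * in a single transaction for performance.
 *
 * @returns Row counts written to each junction table.
 */
export declare function populateJunctionTables(): {
  detection_techniques: number;
  technique_tactics: number;
};

/** Search detections returning only name, ID, and basic info. */
export declare function searchDetectionList(query: string, limit?: number): DetectionListItem[];

/**
 * List detections by source with optional name filter, returning lightweight results.
 *
 * @param nameFilter - Substring/pattern applied to detection names; matching
 *   semantics are implementation-defined and not visible here.
 */
export declare function listDetectionsBySourceLight(sourceType: SourceType, nameFilter?: string, limit?: number): DetectionListItem[];

/** Compare detections across sources for a topic. */
export declare function compareDetectionsBySource(topic: string, limit?: number): SourceComparisonResult;

/**
 * Get detection names and IDs matching a pattern, grouped by source.
 *
 * @param pattern - Caller-supplied match pattern. Whether this is a glob, SQL
 *   LIKE pattern or regex is not visible from this declaration; the
 *   implementation should bind it as a parameter rather than interpolate it.
 */
export declare function getDetectionNamesByPattern(pattern: string, sourceType?: SourceType): {
  source: string;
  detections: Array<{
    name: string;
    id: string;
  }>;
}[];

/**
 * Quick count of detections by source for a topic.
 */
// TODO(review): return type arguments lost in extraction — restore from source.
export declare function countDetectionsBySource(topic: string): Record;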