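/**
 * Detection Types
 *
 * Core detection interfaces for Sigma, Splunk ESCU, Elastic, KQL, Sublime,
 * CrowdStrike CQL and Jamf Protect rules.
 *
 * Everything in this file is a type-only contract: nothing here validates the
 * rule content at runtime. Rule text (`query`, `raw_yaml`, `source`, `search`,
 * `filter`, `cql`) is carried verbatim from the upstream repository and should
 * be treated as data to display/index, not as something to execute.
 */

/**
 * Upstream rule formats a {@link Detection} can be normalized from.
 * Shared by {@link Detection} and {@link DetectionSummary} so the two cannot
 * drift apart.
 */
export type DetectionSourceType =
  | 'sigma'
  | 'splunk_escu'
  | 'elastic'
  | 'kql'
  | 'sublime'
  | 'crowdstrike_cql'
  | 'jamf_protect';

/**
 * Unified detection schema - normalized from Sigma, Splunk ESCU, Elastic, KQL,
 * Sublime, CrowdStrike CQL and Jamf Protect sources.
 *
 * Scalar fields that a given source does not provide are `null`; list fields
 * are empty arrays rather than `null`, so callers can iterate without guards.
 */
export interface Detection {
  id: string;
  name: string;
  description: string;
  /** Rule logic in the source's native query language, stored verbatim. */
  query: string;
  source_type: DetectionSourceType;
  /** MITRE ATT&CK technique identifiers (e.g. "T1059"). */
  mitre_ids: string[];
  logsource_category: string | null;
  logsource_product: string | null;
  logsource_service: string | null;
  severity: string | null;
  status: string | null;
  author: string | null;
  date_created: string | null;
  date_modified: string | null;
  references: string[];
  falsepositives: string[];
  tags: string[];
  /** Path of the rule file within its upstream repository. */
  file_path: string;
  /** Original rule document, unmodified. */
  raw_yaml: string;
  cves: string[];
  analytic_stories: string[];
  data_sources: string[];
  detection_type: string | null;
  asset_type: string | null;
  security_domain: string | null;
  /** Process names extracted from the rule logic (indicator-style metadata). */
  process_names: string[];
  /** File paths extracted from the rule logic. */
  file_paths: string[];
  /** Registry paths extracted from the rule logic. */
  registry_paths: string[];
  mitre_tactics: string[];
  platforms: string[];
  kql_category: string | null;
  kql_tags: string[];
  kql_keywords: string[];
  sublime_attack_types: string[];
  sublime_detection_methods: string[];
  sublime_tactics: string[];
}

/**
 * Lightweight detection summary - for fast retrieval without full query/yaml bloat.
 * A strict subset of {@link Detection}.
 */
export interface DetectionSummary {
  id: string;
  name: string;
  source_type: DetectionSourceType;
  mitre_ids: string[];
  severity: string | null;
  mitre_tactics: string[];
}

/** Severity levels used by Sublime Security rules. */
export type SublimeSeverity = 'low' | 'medium' | 'high' | 'critical';

/**
 * Sublime Security rule structure (YAML format with MQL source)
 * @see https://github.com/sublime-security/sublime-rules
 */
export interface SublimeRule {
  name: string;
  description: string;
  type: 'rule' | 'exclusion';
  /** MQL rule body, verbatim. */
  source: string;
  id?: string;
  severity?: SublimeSeverity;
  references?: string[];
  tags?: string[];
  authors?: Array<{
    name?: string;
    twitter?: string;
    github?: string;
    email?: string;
  }>;
  attack_types?: string[];
  tactics_and_techniques?: string[];
  detection_methods?: string[];
  false_positives?: string[];
}

/** Lifecycle states defined by the Sigma specification. */
export type SigmaStatus = 'stable' | 'test' | 'experimental' | 'deprecated' | 'unsupported';

/** Severity levels defined by the Sigma specification. */
export type SigmaLevel = 'informational' | 'low' | 'medium' | 'high' | 'critical';

/**
 * Sigma rule structure based on official Sigma specification
 * @see https://github.com/SigmaHQ/sigma-specification
 */
export interface SigmaRule {
  title: string;
  id?: string;
  name?: string;
  status?: SigmaStatus;
  description?: string;
  license?: string;
  author?: string;
  references?: string[];
  date?: string;
  modified?: string;
  logsource: {
    category?: string;
    product?: string;
    service?: string;
    definition?: string;
  };
  /**
   * Named selections plus the `condition` expression. The section is
   * free-form in the spec, so values stay `unknown` and must be narrowed
   * by whichever consumer interprets them.
   */
  detection: Record<string, unknown>;
  fields?: string[];
  falsepositives?: string | string[];
  level?: SigmaLevel;
  tags?: string[];
  related?: Array<{
    id: string;
    type: string;
  }>;
  scope?: string[];
  taxonomy?: string;
}

/**
 * Splunk ESCU (Enterprise Security Content Updates) detection structure
 */
export interface SplunkDetection {
  name: string;
  id: string;
  version?: number;
  date?: string;
  author?: string;
  status?: string;
  type?: string;
  description?: string;
  data_source?: string[];
  /** SPL search, verbatim. */
  search: string;
  how_to_implement?: string;
  known_false_positives?: string;
  references?: string[];
  tags?: {
    analytic_story?: string[];
    asset_type?: string;
    mitre_attack_id?: string[];
    product?: string[];
    security_domain?: string;
    cve?: string[];
    /** ESCU tags carry additional keys; they are preserved but untyped. */
    [key: string]: unknown;
  };
}

/**
 * Elastic detection rule structure (TOML format)
 * @see https://github.com/elastic/detection-rules
 */
export interface ElasticRule {
  metadata: {
    creation_date?: string;
    integration?: string[];
    maturity?: string;
    updated_date?: string;
  };
  rule: {
    author?: string[];
    description?: string;
    from?: string;
    index?: string[];
    /** Query language of `query` (e.g. KQL, EQL, ES|QL); not validated here. */
    language?: string;
    license?: string;
    name: string;
    references?: string[];
    risk_score?: number;
    rule_id: string;
    severity?: string;
    tags?: string[];
    type?: string;
    query?: string;
    note?: string;
    threat?: ElasticThreat[];
    false_positives?: string[];
  };
}

/**
 * Elastic MITRE ATT&CK threat mapping
 */
export interface ElasticThreat {
  framework?: string;
  tactic?: {
    id?: string;
    name?: string;
    reference?: string;
  };
  technique?: ElasticTechnique[];
}

/**
 * Elastic MITRE ATT&CK technique reference
 */
export interface ElasticTechnique {
  id?: string;
  name?: string;
  reference?: string;
  /** Sub-techniques nest one level below their parent technique. */
  subtechnique?: ElasticTechnique[];
}

/**
 * Jamf Protect custom analytic detection structure (YAML with NSPredicate filter).
 * @see https://github.com/jamf/jamfprotect/tree/main/custom_analytic_detections
 *
 * `inputType` and `severity` are deliberately widened to `string`: the listed
 * literals are the values seen upstream and serve as documentation, but
 * unknown values must still parse rather than fail the whole rule set.
 */
export interface JamfProtectRule {
  name: string;
  uuid?: string;
  label?: string;
  shortDescription?: string;
  longDescription?: string;
  level?: number;
  inputType?: 'GPProcessEvent' | 'GPFSEvent' | 'GPKeylogRegisterEvent' | 'GPUSBEvent' | string;
  /** NSPredicate expression, verbatim. */
  filter: string;
  severity?: 'Informational' | 'Low' | 'Medium' | 'High' | 'Critical' | string;
  categories?: string[];
  MitreCategories?: string[] | null;
  tags?: string[] | null;
  snapshotFiles?: string[] | null;
  /** Upstream uses both `{ name }` objects and bare strings for actions. */
  actions?: Array<{ name?: string } | string>;
  context?: string[] | null;
  version?: number;
  remediation?: string | null;
}

/**
 * CQL Hub rule structure (CrowdStrike Query Language)
 * @see https://github.com/ByteRay-Labs/Query-Hub
 */
export interface CqlHubRule {
  name: string;
  /** CQL query text, verbatim. */
  cql: string;
  mitre_ids?: string[];
  description?: string;
  author?: string;
  log_sources?: string[];
  tags?: string[];
  cs_required_modules?: string[];
  explanation?: string;
}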