@panguard-ai/panguard-guard 0.1.0

package/dist/agent/analyze-agent.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Analyze Agent - Threat analysis with Dynamic Reasoning, Feedback Loop, and Attack Chain Awareness
+ * 分析代理 - 使用動態推理、回饋迴路和攻擊鏈感知進行威脅分析
+ *
+ * Second stage of the multi-agent pipeline. Receives DetectionResults,
+ * performs deep analysis using rule evidence, baseline comparison,
+ * attack chain correlation, feedback history, and optional AI reasoning,
+ * then produces a ThreatVerdict.
+ *
+ * @module @panguard-ai/panguard-guard/agent/analyze-agent
+ */
+import type { DetectionResult, ThreatVerdict, EnvironmentBaseline, AnalyzeLLM } from '../types.js';
+/** Feedback record for false positive/negative tracking */
+interface FeedbackRecord {
+    ruleId: string;
+    falsePositives: number;
+    truePositives: number;
+    lastUpdated: string;
+}
+/**
+ * Analyze Agent performs deep analysis on detected threats
+ * with feedback-driven confidence adjustment and attack chain awareness.
+ */
+export declare class AnalyzeAgent {
+    private readonly llm;
+    private analysisCount;
+    /** Feedback history: ruleId → FeedbackRecord */
+    private readonly feedbackHistory;
+    constructor(llm: AnalyzeLLM | null);
+    /**
+     * Analyze a detection result and produce a verdict
+     *
+     * Evidence collection pipeline:
+     * 1. Sigma rule match evidence (weighted 0.4) with feedback adjustment
+     * 2. Threat intelligence evidence
+     * 3. Baseline deviation check (weighted 0.3) with time-of-day awareness
+     * 4. Attack chain correlation boost
+     * 5. AI analysis if available (weighted 0.3)
+     * 6. Calculate final weighted confidence
+     * 7. Determine conclusion and recommended action
+     */
+    analyze(detection: DetectionResult, baseline: EnvironmentBaseline): Promise<ThreatVerdict>;
+    /**
+     * Record user feedback: mark a verdict as false positive or true positive.
+     * This adjusts future confidence for the same rule.
+     */
+    recordFeedback(ruleId: string, isFalsePositive: boolean): void;
+    /**
+     * Apply feedback adjustment to rule confidence.
+     * Rules with high false positive rate get reduced confidence.
+     * Rules with high true positive rate get boosted confidence.
+     */
+    private applyFeedbackAdjustment;
+    /**
+     * Get feedback statistics
+     */
+    getFeedbackStats(): Map<string, FeedbackRecord>;
+    /** Get total analysis count */
+    getAnalysisCount(): number;
+}
+export {};
+//# sourceMappingURL=analyze-agent.d.ts.map

package/dist/agent/analyze-agent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyze-agent.d.ts","sourceRoot":"","sources":["../../src/agent/analyze-agent.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EACV,eAAe,EACf,aAAa,EAGb,mBAAmB,EAEnB,UAAU,EAGX,MAAM,aAAa,CAAC;AAcrB,2DAA2D;AAC3D,UAAU,cAAc;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;CACrB;AAWD;;;GAGG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAoB;IACxC,OAAO,CAAC,aAAa,CAAK;IAE1B,gDAAgD;IAChD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAqC;gBAEzD,GAAG,EAAE,UAAU,GAAG,IAAI;IAIlC;;;;;;;;;;;OAWG;IACG,OAAO,CAAC,SAAS,EAAE,eAAe,EAAE,QAAQ,EAAE,mBAAmB,GAAG,OAAO,CAAC,aAAa,CAAC;IAuJhG;;;OAGG;IACH,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,eAAe,EAAE,OAAO,GAAG,IAAI;IAsB9D;;;;OAIG;IACH,OAAO,CAAC,uBAAuB;IAwB/B;;OAEG;IACH,gBAAgB,IAAI,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC;IAI/C,+BAA+B;IAC/B,gBAAgB,IAAI,MAAM;CAG3B"}

package/dist/agent/analyze-agent.js

@@ -0,0 +1,327 @@
+/**
+ * Analyze Agent - Threat analysis with Dynamic Reasoning, Feedback Loop, and Attack Chain Awareness
+ * 分析代理 - 使用動態推理、回饋迴路和攻擊鏈感知進行威脅分析
+ *
+ * Second stage of the multi-agent pipeline. Receives DetectionResults,
+ * performs deep analysis using rule evidence, baseline comparison,
+ * attack chain correlation, feedback history, and optional AI reasoning,
+ * then produces a ThreatVerdict.
+ *
+ * @module @panguard-ai/panguard-guard/agent/analyze-agent
+ */
+import { createLogger } from '@panguard-ai/core';
+import { checkDeviation } from '../memory/baseline.js';
+const logger = createLogger('panguard-guard:analyze-agent');
+/** Severity to base confidence mapping */
+const SEVERITY_CONFIDENCE = {
+    critical: 90,
+    high: 75,
+    medium: 55,
+    low: 35,
+    info: 15,
+};
+/** Time-of-day risk multiplier for unusual hours */
+const UNUSUAL_HOUR_MULTIPLIER = 1.15;
+/** Attack chain confidence boost per correlated event */
+const ATTACK_CHAIN_BOOST_PER_EVENT = 5;
+/** Max attack chain boost */
+const ATTACK_CHAIN_BOOST_MAX = 25;
+/**
+ * Analyze Agent performs deep analysis on detected threats
+ * with feedback-driven confidence adjustment and attack chain awareness.
+ */
+export class AnalyzeAgent {
+    llm;
+    analysisCount = 0;
+    /** Feedback history: ruleId → FeedbackRecord */
+    feedbackHistory = new Map();
+    constructor(llm) {
+        this.llm = llm;
+    }
+    /**
+     * Analyze a detection result and produce a verdict
+     *
+     * Evidence collection pipeline:
+     * 1. Sigma rule match evidence (weighted 0.4) with feedback adjustment
+     * 2. Threat intelligence evidence
+     * 3. Baseline deviation check (weighted 0.3) with time-of-day awareness
+     * 4. Attack chain correlation boost
+     * 5. AI analysis if available (weighted 0.3)
+     * 6. Calculate final weighted confidence
+     * 7. Determine conclusion and recommended action
+     */
+    async analyze(detection, baseline) {
+        logger.info(`Analyzing detection for event ${detection.event.id}`);
+        this.analysisCount++;
+        const evidenceList = [];
+        // Step 1: Collect rule match evidence with feedback adjustment
+        for (const match of detection.ruleMatches) {
+            const baseConfidence = SEVERITY_CONFIDENCE[match.severity] ?? 50;
+            const adjustedConfidence = this.applyFeedbackAdjustment(match.ruleId, baseConfidence);
+            evidenceList.push({
+                source: 'rule_match',
+                description: `Sigma rule matched: ${match.ruleName} (${match.ruleId})`,
+                confidence: adjustedConfidence,
+                data: { ruleId: match.ruleId, severity: match.severity },
+            });
+        }
+        // Step 2: Collect threat intel evidence
+        if (detection.threatIntelMatch) {
+            evidenceList.push({
+                source: 'threat_intel',
+                description: `Known malicious IP: ${detection.threatIntelMatch.ip} - ` +
+                    detection.threatIntelMatch.threat,
+                confidence: 85,
+                data: detection.threatIntelMatch,
+            });
+        }
+        // Step 3: Baseline deviation check with time-of-day awareness
+        const deviation = checkDeviation(baseline, detection.event);
+        if (deviation.isDeviation) {
+            let deviationConfidence = deviation.confidence;
+            // Boost confidence if event occurs at unusual hour (00:00-05:59)
+            const eventHour = new Date(detection.event.timestamp).getHours();
+            if (eventHour >= 0 && eventHour < 6) {
+                deviationConfidence = Math.min(100, Math.round(deviationConfidence * UNUSUAL_HOUR_MULTIPLIER));
+            }
+            evidenceList.push({
+                source: 'baseline_deviation',
+                description: deviation.description,
+                confidence: deviationConfidence,
+                data: {
+                    deviationType: deviation.deviationType,
+                    ...(eventHour >= 0 && eventHour < 6 ? { unusualHour: true, hour: eventHour } : {}),
+                },
+            });
+        }
+        // Step 4: Attack chain correlation boost
+        if (detection.attackChain) {
+            const chainBoost = Math.min(ATTACK_CHAIN_BOOST_MAX, detection.attackChain.eventCount * ATTACK_CHAIN_BOOST_PER_EVENT);
+            evidenceList.push({
+                source: 'rule_match', // counts toward rule weight
+                description: `Attack chain detected: ${detection.attackChain.eventCount} correlated events ` +
+                    `from ${detection.attackChain.sourceIP} within ${detection.attackChain.windowMs / 1000}s`,
+                confidence: Math.min(95, 70 + chainBoost),
+                data: {
+                    attackChain: true,
+                    eventCount: detection.attackChain.eventCount,
+                    sourceIP: detection.attackChain.sourceIP,
+                    uniqueRules: detection.attackChain.ruleIds.length,
+                },
+            });
+        }
+        // Step 5: AI analysis (if available)
+        let aiAnalysis = null;
+        let aiClassification = null;
+        if (this.llm) {
+            try {
+                const available = await this.llm.isAvailable();
+                if (available) {
+                    const prompt = buildAnalysisPrompt(detection, deviation);
+                    aiAnalysis = await this.llm.analyze(prompt);
+                    aiClassification = await this.llm.classify(detection.event);
+                    evidenceList.push({
+                        source: 'ai_analysis',
+                        description: aiAnalysis.summary,
+                        confidence: Math.round(aiAnalysis.confidence * 100),
+                        data: {
+                            severity: aiAnalysis.severity,
+                            recommendations: aiAnalysis.recommendations,
+                        },
+                    });
+                }
+                else {
+                    logger.info('AI unavailable, using rule-based analysis only');
+                }
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                logger.error(`AI analysis failed: ${msg}`);
+            }
+        }
+        // Step 6: Calculate final confidence (weighted average)
+        const hasAI = this.llm !== null && aiAnalysis !== null;
+        let finalConfidence = calculateFinalConfidence(evidenceList, hasAI);
+        // Contradiction detection: if rule says high but baseline says normal, slight reduce
+        const hasHighRule = evidenceList.some((e) => e.source === 'rule_match' &&
+            e.confidence >= 70 &&
+            !e.data?.['attackChain']);
+        const noDeviation = !deviation.isDeviation;
+        if (hasHighRule && noDeviation && baseline.learningComplete) {
+            finalConfidence = Math.max(0, finalConfidence - 10);
+            logger.info(`Contradiction: high rule match but no baseline deviation. Confidence reduced by 10.`);
+        }
+        // Step 7: Determine conclusion and recommended action
+        const conclusion = determineConclusion(finalConfidence);
+        const recommendedAction = determineAction(finalConfidence, detection);
+        const verdict = {
+            conclusion,
+            confidence: finalConfidence,
+            reasoning: buildReasoning(evidenceList, deviation, aiAnalysis),
+            evidence: evidenceList,
+            recommendedAction,
+            mitreTechnique: aiClassification?.technique,
+        };
+        logger.info(`Verdict for event ${detection.event.id}: ${conclusion} (confidence: ${finalConfidence}%)`);
+        return verdict;
+    }
+    // ---------------------------------------------------------------------------
+    // Feedback Loop
+    // ---------------------------------------------------------------------------
+    /**
+     * Record user feedback: mark a verdict as false positive or true positive.
+     * This adjusts future confidence for the same rule.
+     */
+    recordFeedback(ruleId, isFalsePositive) {
+        const existing = this.feedbackHistory.get(ruleId) ?? {
+            ruleId,
+            falsePositives: 0,
+            truePositives: 0,
+            lastUpdated: new Date().toISOString(),
+        };
+        if (isFalsePositive) {
+            existing.falsePositives += 1;
+        }
+        else {
+            existing.truePositives += 1;
+        }
+        existing.lastUpdated = new Date().toISOString();
+        this.feedbackHistory.set(ruleId, existing);
+        logger.info(`Feedback recorded for rule ${ruleId}: ` +
+            `FP=${existing.falsePositives}, TP=${existing.truePositives}`);
+    }
+    /**
+     * Apply feedback adjustment to rule confidence.
+     * Rules with high false positive rate get reduced confidence.
+     * Rules with high true positive rate get boosted confidence.
+     */
+    applyFeedbackAdjustment(ruleId, baseConfidence) {
+        const feedback = this.feedbackHistory.get(ruleId);
+        if (!feedback)
+            return baseConfidence;
+        const total = feedback.falsePositives + feedback.truePositives;
+        if (total < 3)
+            return baseConfidence; // Not enough data
+        const fpRate = feedback.falsePositives / total;
+        // High FP rate → reduce confidence (max -30%)
+        // Low FP rate → boost confidence (max +10%)
+        if (fpRate > 0.5) {
+            const reduction = Math.min(30, Math.round(fpRate * 40));
+            return Math.max(10, baseConfidence - reduction);
+        }
+        if (fpRate < 0.1 && total >= 5) {
+            const boost = Math.min(10, Math.round((1 - fpRate) * 10));
+            return Math.min(100, baseConfidence + boost);
+        }
+        return baseConfidence;
+    }
+    /**
+     * Get feedback statistics
+     */
+    getFeedbackStats() {
+        return new Map(this.feedbackHistory);
+    }
+    /** Get total analysis count */
+    getAnalysisCount() {
+        return this.analysisCount;
+    }
+}
+// ---------------------------------------------------------------------------
+// Internal scoring functions
+// ---------------------------------------------------------------------------
+function calculateFinalConfidence(evidence, hasAI) {
+    const bySource = groupBySource(evidence);
+    const ruleConfidence = maxConfidence(bySource['rule_match']);
+    const baselineConfidence = maxConfidence(bySource['baseline_deviation']);
+    const threatIntelConfidence = maxConfidence(bySource['threat_intel']);
+    const aiConfidence = maxConfidence(bySource['ai_analysis']);
+    const ebpfConfidence = Math.max(maxConfidence(bySource['falco']), maxConfidence(bySource['suricata']));
+    const ruleScore = Math.max(ruleConfidence, threatIntelConfidence);
+    const hasEbpf = ebpfConfidence > 0;
+    if (hasEbpf && hasAI) {
+        return Math.round(ebpfConfidence * 0.2 + ruleScore * 0.3 + baselineConfidence * 0.2 + aiConfidence * 0.3);
+    }
+    if (hasEbpf) {
+        return Math.round(ebpfConfidence * 0.25 + ruleScore * 0.4 + baselineConfidence * 0.35);
+    }
+    if (hasAI) {
+        return Math.round(ruleScore * 0.4 + baselineConfidence * 0.3 + aiConfidence * 0.3);
+    }
+    return Math.round(ruleScore * 0.6 + baselineConfidence * 0.4);
+}
+function groupBySource(evidence) {
+    const result = {};
+    for (const e of evidence) {
+        const key = e.source;
+        if (!result[key]) {
+            result[key] = [];
+        }
+        result[key].push(e);
+    }
+    return result;
+}
+function maxConfidence(items) {
+    if (!items || items.length === 0)
+        return 0;
+    return Math.max(...items.map((e) => e.confidence));
+}
+function determineConclusion(confidence) {
+    if (confidence >= 75)
+        return 'malicious';
+    if (confidence >= 40)
+        return 'suspicious';
+    return 'benign';
+}
+function determineAction(confidence, detection) {
+    const hasCritical = detection.ruleMatches.some((m) => m.severity === 'critical');
+    const hasAttackChain = !!detection.attackChain;
+    // Attack chains lower the auto-respond threshold
+    const autoThreshold = hasAttackChain ? 75 : 85;
+    if (confidence >= autoThreshold || (hasCritical && confidence >= 70)) {
+        if (detection.event.source === 'network' || detection.event.source === 'suricata')
+            return 'block_ip';
+        if (detection.event.source === 'process' || detection.event.source === 'falco')
+            return 'kill_process';
+        return 'notify';
+    }
+    if (confidence >= 50)
+        return 'notify';
+    return 'log_only';
+}
+function buildAnalysisPrompt(detection, deviation) {
+    const parts = [
+        'Security Event Analysis',
+        `Event: ${detection.event.description}`,
+        `Source: ${detection.event.source}`,
+        `Severity: ${detection.event.severity}`,
+        `Category: ${detection.event.category}`,
+    ];
+    if (detection.ruleMatches.length > 0) {
+        parts.push(`Rule Matches: ${detection.ruleMatches.map((m) => m.ruleName).join(', ')}`);
+    }
+    if (detection.threatIntelMatch) {
+        parts.push(`Threat Intel: ${detection.threatIntelMatch.ip} - ${detection.threatIntelMatch.threat}`);
+    }
+    if (deviation.isDeviation) {
+        parts.push(`Baseline Deviation: ${deviation.description}`);
+    }
+    if (detection.attackChain) {
+        parts.push(`Attack Chain: ${detection.attackChain.eventCount} correlated events from ${detection.attackChain.sourceIP}`);
+    }
+    parts.push('Analyze the threat level and provide recommendations.');
+    return parts.join('\n');
+}
+function buildReasoning(evidence, _deviation, aiAnalysis) {
+    const parts = [];
+    for (const e of evidence) {
+        parts.push(`[${e.source}] ${e.description} (confidence: ${e.confidence}%)`);
+    }
+    if (aiAnalysis) {
+        parts.push(`AI Summary: ${aiAnalysis.summary}`);
+        if (aiAnalysis.recommendations.length > 0) {
+            parts.push(`Recommendations: ${aiAnalysis.recommendations.join('; ')}`);
+        }
+    }
+    return parts.join('\n');
+}
+//# sourceMappingURL=analyze-agent.js.map

package/dist/agent/analyze-agent.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyze-agent.js","sourceRoot":"","sources":["../../src/agent/analyze-agent.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAYjD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAEvD,MAAM,MAAM,GAAG,YAAY,CAAC,8BAA8B,CAAC,CAAC;AAE5D,0CAA0C;AAC1C,MAAM,mBAAmB,GAA2B;IAClD,QAAQ,EAAE,EAAE;IACZ,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,EAAE;IACV,GAAG,EAAE,EAAE;IACP,IAAI,EAAE,EAAE;CACT,CAAC;AAUF,oDAAoD;AACpD,MAAM,uBAAuB,GAAG,IAAI,CAAC;AAErC,yDAAyD;AACzD,MAAM,4BAA4B,GAAG,CAAC,CAAC;AAEvC,6BAA6B;AAC7B,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAElC;;;GAGG;AACH,MAAM,OAAO,YAAY;IACN,GAAG,CAAoB;IAChC,aAAa,GAAG,CAAC,CAAC;IAE1B,gDAAgD;IAC/B,eAAe,GAAG,IAAI,GAAG,EAA0B,CAAC;IAErE,YAAY,GAAsB;QAChC,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,OAAO,CAAC,SAA0B,EAAE,QAA6B;QACrE,MAAM,CAAC,IAAI,CAAC,iCAAiC,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;QACnE,IAAI,CAAC,aAAa,EAAE,CAAC;QAErB,MAAM,YAAY,GAAe,EAAE,CAAC;QAEpC,+DAA+D;QAC/D,KAAK,MAAM,KAAK,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;YAC1C,MAAM,cAAc,GAAG,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACjE,MAAM,kBAAkB,GAAG,IAAI,CAAC,uBAAuB,CAAC,KAAK,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;YAEtF,YAAY,CAAC,IAAI,CAAC;gBAChB,MAAM,EAAE,YAAY;gBACpB,WAAW,EAAE,uBAAuB,KAAK,CAAC,QAAQ,KAAK,KAAK,CAAC,MAAM,GAAG;gBACtE,UAAU,EAAE,kBAAkB;gBAC9B,IAAI,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE;aACzD,CAAC,CAAC;QACL,CAAC;QAED,wCAAwC;QACxC,IAAI,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAC/B,YAAY,CAAC,IAAI,CAAC;gBAChB,MAAM,EAAE,cAAc;gBACtB,WAAW,EACT,uBAAuB,SAAS,CAAC,gBAAgB,CAAC,EAAE,KAAK;oBACzD,SAAS,CAAC,gBAAgB,CAAC,MAAM;gBACnC,UAAU,EAAE,EAAE;gBACd,IAAI,EAAE,SAAS,CAAC,gBAAgB;aACjC,CAAC,CAAC;QACL,CAAC;QAED,8DAA8D;QAC9D,MAAM,SAAS,GAAoB,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QAC7E,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;YAC1B,IAAI,mBAAmB,GAAG,SAAS,CAAC,UAAU,CAAC;YAE/C,iEAAiE;YACjE,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,CAAC;YACjE,IAAI,SAAS,IAAI,CAAC,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBACpC,mBAAmB,GAAG,IAAI,CAAC,GAAG,CAC5B,GAAG,EACH,IAAI,CAAC,KAAK,CAAC,mBAAmB,GAAG,uBAAuB,CAAC,CAC1D,CAAC;YACJ,CAAC;YAED,YAAY,CAAC,IAAI,CAAC;gBAChB,MAAM,EAAE,oBAAoB;gBAC5B,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,UAAU,EAAE,mBAAmB;gBAC/B,IAAI,EAAE;oBACJ,aAAa,EAAE,SAAS,CAAC,aAAa;oBACtC,GAAG,CAAC,SAAS,IAAI,CAAC,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBACnF;aACF,CAAC,CAAC;QACL,CAAC;QAED,yCAAyC;QACzC,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;YAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CACzB,sBAAsB,EACtB,SAAS,CAAC,WAAW,CAAC,UAAU,GAAG,4BAA4B,CAChE,CAAC;YAEF,YAAY,CAAC,IAAI,CAAC;gBAChB,MAAM,EAAE,YAAY,EAAE,4BAA4B;gBAClD,WAAW,EACT,0BAA0B,SAAS,CAAC,WAAW,CAAC,UAAU,qBAAqB;oBAC/E,QAAQ,SAAS,CAAC,WAAW,CAAC,QAAQ,WAAW,SAAS,CAAC,WAAW,CAAC,QAAQ,GAAG,IAAI,GAAG;gBAC3F,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,GAAG,UAAU,CAAC;gBACzC,IAAI,EAAE;oBACJ,WAAW,EAAE,IAAI;oBACjB,UAAU,EAAE,SAAS,CAAC,WAAW,CAAC,UAAU;oBAC5C,QAAQ,EAAE,SAAS,CAAC,WAAW,CAAC,QAAQ;oBACxC,WAAW,EAAE,SAAS,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM;iBAClD;aACF,CAAC,CAAC;QACL,CAAC;QAED,qCAAqC;QACrC,IAAI,UAAU,GAA6B,IAAI,CAAC;QAChD,IAAI,gBAAgB,GAAmC,IAAI,CAAC;QAE5D,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBAC/C,IAAI,SAAS,EAAE,CAAC;oBACd,MAAM,MAAM,GAAG,mBAAmB,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;oBACzD,UAAU,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;oBAC5C,gBAAgB,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;oBAE5D,YAAY,CAAC,IAAI,CAAC;wBAChB,MAAM,EAAE,aAAa;wBACrB,WAAW,EAAE,UAAU,CAAC,OAAO;wBAC/B,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC;wBACnD,IAAI,EAAE;4BACJ,QAAQ,EAAE,UAAU,CAAC,QAAQ;4BAC7B,eAAe,EAAE,UAAU,CAAC,eAAe;yBAC5C;qBACF,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;gBAChE,CAAC;YACH,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC7D,MAAM,CAAC,KAAK,CAAC,uBAAuB,GAAG,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,KAAK,IAAI,IAAI,UAAU,KAAK,IAAI,CAAC;QACvD,IAAI,eAAe,GAAG,wBAAwB,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QAEpE,qFAAqF;QACrF,MAAM,WAAW,GAAG,YAAY,CAAC,IAAI,CACnC,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,MAAM,KAAK,YAAY;YACzB,CAAC,CAAC,UAAU,IAAI,EAAE;YAClB,CAAE,CAAC,CAAC,IAAgC,EAAE,CAAC,aAAa,CAAC,CACxD,CAAC;QACF,MAAM,WAAW,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC;QAC3C,IAAI,WAAW,IAAI,WAAW,IAAI,QAAQ,CAAC,gBAAgB,EAAE,CAAC;YAC5D,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,eAAe,GAAG,EAAE,CAAC,CAAC;YACpD,MAAM,CAAC,IAAI,CACT,qFAAqF,CACtF,CAAC;QACJ,CAAC;QAED,sDAAsD;QACtD,MAAM,UAAU,GAAG,mBAAmB,CAAC,eAAe,CAAC,CAAC;QACxD,MAAM,iBAAiB,GAAG,eAAe,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;QAEtE,MAAM,OAAO,GAAkB;YAC7B,UAAU;YACV,UAAU,EAAE,eAAe;YAC3B,SAAS,EAAE,cAAc,CAAC,YAAY,EAAE,SAAS,EAAE,UAAU,CAAC;YAC9D,QAAQ,EAAE,YAAY;YACtB,iBAAiB;YACjB,cAAc,EAAE,gBAAgB,EAAE,SAAS;SAC5C,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,qBAAqB,SAAS,CAAC,KAAK,CAAC,EAAE,KAAK,UAAU,iBAAiB,eAAe,IAAI,CAC3F,CAAC;QAEF,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,8EAA8E;IAC9E,gBAAgB;IAChB,8EAA8E;IAE9E;;;OAGG;IACH,cAAc,CAAC,MAAc,EAAE,eAAwB;QACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI;YACnD,MAAM;YACN,cAAc,EAAE,CAAC;YACjB,aAAa,EAAE,CAAC;YAChB,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACtC,CAAC;QAEF,IAAI,eAAe,EAAE,CAAC;YACpB,QAAQ,CAAC,cAAc,IAAI,CAAC,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,aAAa,IAAI,CAAC,CAAC;QAC9B,CAAC;QACD,QAAQ,CAAC,WAAW,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAEhD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC3C,MAAM,CAAC,IAAI,CACT,8BAA8B,MAAM,IAAI;YACtC,MAAM,QAAQ,CAAC,cAAc,QAAQ,QAAQ,CAAC,aAAa,EAAE,CAChE,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACK,uBAAuB,CAAC,MAAc,EAAE,cAAsB;QACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClD,IAAI,CAAC,QAAQ;YAAE,OAAO,cAAc,CAAC;QAErC,MAAM,KAAK,GAAG,QAAQ,CAAC,cAAc,GAAG,QAAQ,CAAC,aAAa,CAAC;QAC/D,IAAI,KAAK,GAAG,CAAC;YAAE,OAAO,cAAc,CAAC,CAAC,kBAAkB;QAExD,MAAM,MAAM,GAAG,QAAQ,CAAC,cAAc,GAAG,KAAK,CAAC;QAE/C,8CAA8C;QAC9C,4CAA4C;QAC5C,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC;YACxD,OAAO,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,cAAc,GAAG,SAAS,CAAC,CAAC;QAClD,CAAC;QAED,IAAI,MAAM,GAAG,GAAG,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,GAAG,KAAK,CAAC,CAAC;QAC/C,CAAC;QAED,OAAO,cAAc,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,gBAAgB;QACd,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACvC,CAAC;IAED,+BAA+B;IAC/B,gBAAgB;QACd,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;CACF;AAED,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E,SAAS,wBAAwB,CAAC,QAAoB,EAAE,KAAc;IACpE,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAEzC,MAAM,cAAc,GAAG,aAAa,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;IAC7D,MAAM,kBAAkB,GAAG,aAAa,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,CAAC;IACzE,MAAM,qBAAqB,GAAG,aAAa,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC;IACtE,MAAM,YAAY,GAAG,aAAa,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC;IAC5D,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAC7B,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAChC,aAAa,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CACpC,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,qBAAqB,CAAC,CAAC;IAClE,MAAM,OAAO,GAAG,cAAc,GAAG,CAAC,CAAC;IAEnC,IAAI,OAAO,IAAI,KAAK,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC,KAAK,CACf,cAAc,GAAG,GAAG,GAAG,SAAS,GAAG,GAAG,GAAG,kBAAkB,GAAG,GAAG,GAAG,YAAY,GAAG,GAAG,CACvF,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC,KAAK,CAAC,cAAc,GAAG,IAAI,GAAG,SAAS,GAAG,GAAG,GAAG,kBAAkB,GAAG,IAAI,CAAC,CAAC;IACzF,CAAC;IAED,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,GAAG,GAAG,kBAAkB,GAAG,GAAG,GAAG,YAAY,GAAG,GAAG,CAAC,CAAC;IACrF,CAAC;IAED,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,GAAG,GAAG,kBAAkB,GAAG,GAAG,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,aAAa,CAAC,QAAoB;IACzC,MAAM,MAAM,GAA+B,EAAE,CAAC;IAC9C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YACjB,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QACnB,CAAC;QACD,MAAM,CAAC,GAAG,CAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,aAAa,CAAC,KAAkB;IACvC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAC3C,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,mBAAmB,CAAC,UAAkB;IAC7C,IAAI,UAAU,IAAI,EAAE;QAAE,OAAO,WAAW,CAAC;IACzC,IAAI,UAAU,IAAI,EAAE;QAAE,OAAO,YAAY,CAAC;IAC1C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,eAAe,CAAC,UAAkB,EAAE,SAA0B;IACrE,MAAM,WAAW,GAAG,SAAS,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;IACjF,MAAM,cAAc,GAAG,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC;IAE/C,iDAAiD;IACjD,MAAM,aAAa,GAAG,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAE/C,IAAI,UAAU,IAAI,aAAa,IAAI,CAAC,WAAW,IAAI,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;QACrE,IAAI,SAAS,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,SAAS,CAAC,KAAK,CAAC,MAAM,KAAK,UAAU;YAC/E,OAAO,UAAU,CAAC;QACpB,IAAI,SAAS,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,SAAS,CAAC,KAAK,CAAC,MAAM,KAAK,OAAO;YAC5E,OAAO,cAAc,CAAC;QACxB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,UAAU,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC;IACtC,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,mBAAmB,CAAC,SAA0B,EAAE,SAA0B;IACjF,MAAM,KAAK,GAAa;QACtB,yBAAyB;QACzB,UAAU,SAAS,CAAC,KAAK,CAAC,WAAW,EAAE;QACvC,WAAW,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE;QACnC,aAAa,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE;QACvC,aAAa,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE;KACxC,CAAC;IAEF,IAAI,SAAS,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrC,KAAK,CAAC,IAAI,CAAC,iBAAiB,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,IAAI,SAAS,CAAC,gBAAgB,EAAE,CAAC;QAC/B,KAAK,CAAC,IAAI,CACR,iBAAiB,SAAS,CAAC,gBAAgB,CAAC,EAAE,MAAM,SAAS,CAAC,gBAAgB,CAAC,MAAM,EAAE,CACxF,CAAC;IACJ,CAAC;IAED,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,uBAAuB,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CACR,iBAAiB,SAAS,CAAC,WAAW,CAAC,UAAU,2BAA2B,SAAS,CAAC,WAAW,CAAC,QAAQ,EAAE,CAC7G,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IAEpE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,cAAc,CACrB,QAAoB,EACpB,UAA2B,EAC3B,UAAoC;IAEpC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,WAAW,iBAAiB,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,eAAe,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC;QAChD,IAAI,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1C,KAAK,CAAC,IAAI,CAAC,oBAAoB,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/agent/detect-agent.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Detect Agent - Event detection through rules, threat intelligence, and correlation
+ * 偵測代理 - 透過規則、威脅情報和事件關聯進行事件偵測
+ *
+ * First stage of the multi-agent pipeline. Receives raw SecurityEvents,
+ * runs them through the Sigma rule engine and threat intelligence feeds,
+ * correlates events within a sliding time window to detect attack chains,
+ * and emits DetectionResults for events that match.
+ *
+ * @module @panguard-ai/panguard-guard/agent/detect-agent
+ */
+import type { SecurityEvent, RuleEngine } from '@panguard-ai/core';
+import type { DetectionResult } from '../types.js';
+/**
+ * Detect Agent processes security events through rule matching,
+ * threat intelligence, event correlation, and deduplication.
+ */
+export declare class DetectAgent {
+    private readonly ruleEngine;
+    private detectionCount;
+    /** Sliding window for event correlation */
+    private readonly correlationBuffer;
+    /** Deduplication tracker: key → last detection timestamp */
+    private readonly dedupMap;
+    constructor(ruleEngine: RuleEngine);
+    /**
+     * Process a security event and detect threats
+     *
+     * Steps:
+     * 1. Match the event against loaded Sigma rules
+     * 2. Check threat intelligence for network events (IP lookup, IPv4 + IPv6)
+     * 3. Deduplicate: skip if same source+rule fired within dedup window
+     * 4. Correlate: check sliding window for attack chain patterns
+     * 5. If any matches found, return a DetectionResult; otherwise null
+     */
+    detect(event: SecurityEvent): DetectionResult | null;
+    /**
+     * Extract IP address from event metadata (IPv4 + IPv6 support)
+     */
+    private extractIP;
+    /** Build a dedup key from event source + matched rule IDs */
+    private buildDedupKey;
+    /** Check if this key was seen within the dedup window */
+    private isDuplicate;
+    /** Record a dedup entry and evict old entries if over limit */
+    private recordDedup;
+    /**
+     * Correlate events within a sliding time window.
+     * Returns attack chain metadata if multiple events from same source detected.
+     */
+    private correlate;
+    /** Get total number of detections */
+    getDetectionCount(): number;
+    /** Get current correlation buffer size (for monitoring) */
+    getCorrelationBufferSize(): number;
+    /** Get current dedup map size (for monitoring) */
+    getDedupMapSize(): number;
+}
+//# sourceMappingURL=detect-agent.d.ts.map

package/dist/agent/detect-agent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect-agent.d.ts","sourceRoot":"","sources":["../../src/agent/detect-agent.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAa,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAkCnD;;;GAGG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,cAAc,CAAK;IAE3B,2CAA2C;IAC3C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAyB;IAE3D,4DAA4D;IAC5D,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA6B;gBAE1C,UAAU,EAAE,UAAU;IAIlC;;;;;;;;;OASG;IACH,MAAM,CAAC,KAAK,EAAE,aAAa,GAAG,eAAe,GAAG,IAAI;IA4DpD;;OAEG;IACH,OAAO,CAAC,SAAS;IA4BjB,6DAA6D;IAC7D,OAAO,CAAC,aAAa;IASrB,yDAAyD;IACzD,OAAO,CAAC,WAAW;IAMnB,+DAA+D;IAC/D,OAAO,CAAC,WAAW;IAkBnB;;;OAGG;IACH,OAAO,CAAC,SAAS;IA6DjB,qCAAqC;IACrC,iBAAiB,IAAI,MAAM;IAI3B,2DAA2D;IAC3D,wBAAwB,IAAI,MAAM;IAIlC,kDAAkD;IAClD,eAAe,IAAI,MAAM;CAG1B"}