@vorionsys/security 1.0.0

package/dist/security/incident/playbooks/ransomware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ransomware.js","sourceRoot":"","sources":["../../../../src/security/incident/playbooks/ransomware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACzD,OAAO,EAML,YAAY,EACZ,gBAAgB,EAChB,mBAAmB,EACnB,QAAQ,GACT,MAAM,aAAa,CAAC;AAErB,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,mBAAmB,EAAE,CAAC,CAAC;AAEhE,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;;;;;;;;;;;;;GAcG;AACH,MAAM,eAAe,GAAwB;IAC3C,kEAAkE;IAClE,4EAA4E;IAC5E;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,4BAA4B;QAClC,IAAI,EAAE,QAAQ,CAAC,SAAS;QACxB,WAAW,EAAE,sPAAsP;QACnQ,QAAQ,EAAE,gBAAgB,EAAE,iCAAiC;QAC7D,OAAO,EAAE,KAAK,EAAE,0BAA0B;QAC1C,gBAAgB,EAAE,KAAK,EAAE,6CAA6C;QACtE,SAAS,EAAE,OAAO;QAClB,aAAa,EAAE,CAAC;QAChB,QAAQ,EAAE;YACR,iBAAiB,EAAE,KAAK,EAAE,uCAAuC;YACjE,gBAAgB,EAAE,IAAI;YACtB,kBAAkB,EAAE,IAAI;YACxB,8BAA8B,EAAE,IAAI;SACrC;KACF;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,oCAAoC;QAC1C,IAAI,EAAE,QAAQ,CAAC,SAAS;QACxB,WAAW,EAAE,yIAAyI;QACtJ,QAAQ,EAAE,UAAU,EAAE,2BAA2B;QACjD,OAAO,EAAE,KAAK,EAAE,WAAW;QAC3B,gBAAgB,EAAE,KAAK,EAAE,oBAAoB;QAC7C,SAAS,EAAE,UAAU,EAAE,oCAAoC;QAC3D,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,CAAC,WAAW,CAAC;QAC3B,QAAQ,EAAE;YACR,SAAS,EAAE,eAAe;YAC1B,0BAA0B,EAAE,IAAI;YAChC,0BAA0B,EAAE,IAAI;SACjC;KACF;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,gCAAgC;QACtC,IAAI,EAAE,QAAQ,CAAC,SAAS;QACxB,WAAW,EAAE,8HAA8H;QAC3I,QAAQ,EAAE,qBAAqB,EAAE,sCAAsC;QACvE,OAAO,EAAE,KAAK;QACd,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU;QACrB,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,CAAC,WAAW,CAAC;QAC3B,QAAQ,EAAE;YACR,gBAAgB,EAAE,sBAAsB;YACxC,QAAQ,EAAE,UAAU;YACpB,iBAAiB,EAAE,IAAI;SACxB;KACF;IAED,sCAAsC;IACtC;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,8BAA8B;QACpC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;KAcZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,4BAA4B;QAClC,IAAI,EAAE,QAAQ,CAAC,SAAS;QACxB,WAAW,EAAE,0HAA0H;QACvI,QAAQ,EAAE,kBAAkB,EAAE,mCAAmC;QACjE,OAAO,EAAE,MAAM,EAAE,YAAY;QAC7B,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,WAAW,CAAC;QAC3B,QAAQ,EAAE;YACR,iBAAiB,EAAE,qBAAqB;YACxC,6BAA6B,EAAE,IAAI;YACnC,wBAAwB,EAAE,IAAI;SAC/B;KACF;IAED,6BAA6B;IAC7B;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,0BAA0B;QAChC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;;KAgBZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,sBAAsB;QAC5B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;;;;KAkBZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IAED,+BAA+B;IAC/B;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,6BAA6B;QACnC,IAAI,EAAE,QAAQ,CAAC,SAAS;QACxB,WAAW,EAAE,2MAA2M;QACxN,QAAQ,EAAE,kBAAkB,EAAE,mCAAmC;QACjE,OAAO,EAAE,MAAM,EAAE,aAAa;QAC9B,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM,EAAE,6BAA6B;QAChD,YAAY,EAAE,CAAC,WAAW,CAAC;QAC3B,QAAQ,EAAE;YACR,aAAa,EAAE;gBACb,oBAAoB;gBACpB,cAAc;gBACd,iBAAiB;gBACjB,aAAa;gBACb,MAAM;gBACN,iBAAiB;gBACjB,UAAU;aACX;YACD,sBAAsB,EAAE,IAAI;YAC5B,eAAe,EAAE,IAAI;YACrB,mBAAmB,EAAE,IAAI;SAC1B;KACF;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,yBAAyB;QAC/B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;KAeZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IAED,mCAAmC;IACnC;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,8BAA8B;QACpC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;KAYZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;KAC1C;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,oBAAoB;QAC1B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;;KAgBZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,uCAAuC;QAC7C,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;;;;;KAmBZ;QACD,gBAAgB,EAAE,IAAI;QACtB,SAAS,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,gBAAgB,CAAC;QAC9C,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,YAAY,CAAC;KAC7B;IAED,sCAAsC;IACtC;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,0BAA0B;QAChC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;;;;;;;;;KAuBZ;QACD,gBAAgB,EAAE,IAAI;QACtB,SAAS,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,gBAAgB,CAAC;QACrD,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KAC3C;IAED,uBAAuB;IACvB;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gCAAgC;QACtC,IAAI,EAAE,QAAQ,CAAC,SAAS;QACxB,WAAW,EAAE,+HAA+H;QAC5I,QAAQ,EAAE,oBAAoB,EAAE,qCAAqC;QACrE,OAAO,EAAE,MAAM,EAAE,YAAY;QAC7B,gBAAgB,EAAE,KAAK,EAAE,6BAA6B;QACtD,SAAS,EAAE,MAAM;QACjB,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,CAAC,WAAW,CAAC;QAC3B,QAAQ,EAAE;YACR,UAAU,EAAE,uBAAuB;YACnC,kBAAkB,EAAE,IAAI;YACxB,iBAAiB,EAAE,IAAI;YACvB,sBAAsB,EAAE,IAAI;SAC7B;KACF;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,mBAAmB;QACzB,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;;KAgBZ;QACD,gBAAgB,EAAE,IAAI;QACtB,SAAS,EAAE,CAAC,eAAe,CAAC;QAC5B,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,uBAAuB;QAC7B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;;KAgBZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,YAAY,CAAC;KAC7B;IAED,oBAAoB;IACpB;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,4BAA4B;QAClC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;;;KAiBZ;QACD,gBAAgB,EAAE,IAAI;QACtB,SAAS,EAAE,CAAC,oBAAoB,EAAE,iBAAiB,CAAC;QACpD,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,YAAY,CAAC;KAC7B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,2BAA2B;QACjC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;KAYZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;KAYZ;QACD,gBAAgB,EAAE,IAAI;QACtB,SAAS,EAAE,CAAC,oBAAoB,EAAE,eAAe,EAAE,MAAM,CAAC;QAC1D,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,YAAY,CAAC;KAC7B;IAED,yBAAyB;IACzB;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,mCAAmC;QACzC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;KAUZ;QACD,gBAAgB,EAAE,IAAI;QACtB,SAAS,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC;QAC3B,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,YAAY,CAAC;KAC7B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,sBAAsB;QAC5B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;KAcZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,YAAY,CAAC;KAC7B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,2BAA2B;QACjC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;KAaZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,YAAY,CAAC;KAC7B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,0BAA0B;QAChC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;KAeZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,YAAY,CAAC;KAC7B;CACF,CAAC;AAEF,MAAM,iBAAiB,GAAuB;IAC5C;QACE,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,YAAY,CAAC,UAAU;KAC/B;CACF,CAAC;AAEF,MAAM,aAAa,GAAyB;IAC1C,mDAAmD;IACnD;QACE,OAAO,EAAE,mBAAmB,CAAC,SAAS;QACtC,MAAM,EAAE,iBAAiB;QACzB,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;IACD;QACE,OAAO,EAAE,mBAAmB,CAAC,SAAS;QACtC,MAAM,EAAE,qBAAqB;QAC7B,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;IACD;QACE,OAAO,EAAE,mBAAmB,CAAC,KAAK;QAClC,MAAM,EAAE,qBAAqB;QAC7B,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;IACD;QACE,OAAO,EAAE,mBAAmB,CAAC,KAAK;QAClC,MAAM,EAAE,mBAAmB;QAC3B,cAAc,EAAE,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACrC,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;IACD;QACE,OAAO,EAAE,mBAAmB,CAAC,KAAK;QAClC,MAAM,EAAE,sBAAsB;QAC9B,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;IACD;QACE,OAAO,EAAE,mBAAmB,CAAC,KAAK;QAClC,MAAM,EAAE,mBAAmB;QAC3B,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;IACD;QACE,OAAO,EAAE,mBAAmB,CAAC,KAAK;QAClC,MAAM,EAAE,wBAAwB;QAChC,cAAc,EAAE,CAAC,gBAAgB,CAAC,EAAE,EAAE,gBAAgB,CAAC,EAAE,CAAC;QAC1D,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;IACD;QACE,OAAO,EAAE,mBAAmB,CAAC,GAAG;QAChC,MAAM,EAAE,YAAY;QACpB,cAAc,EAAE,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACrC,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;CACF,CAAC;AAEF,MAAM,UAAU,GAAqB;IACnC,OAAO,EAAE,IAAI;IACb,MAAM,EAAE;QACN;YACE,KAAK,EAAE,CAAC;YACR,YAAY,EAAE,CAAC,EAAE,uCAAuC;YACxD,OAAO,EAAE,CAAC,eAAe,EAAE,qBAAqB,CAAC;YACjD,QAAQ,EAAE,CAAC,mBAAmB,CAAC,SAAS,EAAE,mBAAmB,CAAC,KAAK,EAAE,mBAAmB,CAAC,GAAG,CAAC;YAC7F,OAAO,EAAE,4FAA4F;SACtG;QACD;YACE,KAAK,EAAE,CAAC;YACR,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,eAAe,CAAC;YACzC,QAAQ,EAAE,CAAC,mBAAmB,CAAC,SAAS,EAAE,mBAAmB,CAAC,KAAK,EAAE,mBAAmB,CAAC,GAAG,CAAC;YAC7F,OAAO,EAAE,gFAAgF;SAC1F;QACD;YACE,KAAK,EAAE,CAAC;YACR,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,eAAe,CAAC;YACxC,QAAQ,EAAE,CAAC,mBAAmB,CAAC,SAAS,EAAE,mBAAmB,CAAC,KAAK,EAAE,mBAAmB,CAAC,GAAG,CAAC;YAC7F,OAAO,EAAE,oFAAoF;SAC9F;KACF;IACD,QAAQ,EAAE,CAAC;IACX,kBAAkB,EAAE,IAAI;CACzB,CAAC;AAEF,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E,MAAM,CAAC,MAAM,kBAAkB,GAAkB;IAC/C,EAAE,EAAE,wBAAwB;IAC5B,IAAI,EAAE,8BAA8B;IACpC,WAAW,EAAE;;;;;;;GAOZ,CAAC,IAAI,EAAE;IACR,OAAO,EAAE,OAAO;IAChB,iBAAiB;IACjB,KAAK,EAAE,eAAe;IACtB,aAAa;IACb,UAAU;IACV,OAAO,EAAE,IAAI;IACb,IAAI,EAAE,CAAC,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,iBAAiB,CAAC;IACnF,SAAS,EAAE,IAAI,IAAI,CAAC,YAAY,CAAC;IACjC,SAAS,EAAE,IAAI,IAAI,CAAC,YAAY,CAAC;CAClC,CAAC;AAEF,eAAe,kBAAkB,CAAC"}

package/dist/security/incident/playbooks/unauthorized-access.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Unauthorized Access Response Playbook
+ *
+ * Comprehensive playbook for responding to unauthorized access incidents.
+ * Covers detection, containment, investigation, remediation, and recovery.
+ *
+ * This playbook uses automated actions from the actions module that
+ * provide real implementations with rollback capabilities.
+ */
+import { PlaybookInput } from '../types.js';
+export declare const unauthorizedAccessPlaybook: PlaybookInput;
+export default unauthorizedAccessPlaybook;
+//# sourceMappingURL=unauthorized-access.d.ts.map

package/dist/security/incident/playbooks/unauthorized-access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unauthorized-access.d.ts","sourceRoot":"","sources":["../../../../src/security/incident/playbooks/unauthorized-access.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EACL,aAAa,EASd,MAAM,aAAa,CAAC;AA8YrB,eAAO,MAAM,0BAA0B,EAAE,aAiBxC,CAAC;AAEF,eAAe,0BAA0B,CAAC"}

package/dist/security/incident/playbooks/unauthorized-access.js

@@ -0,0 +1,412 @@
+/**
+ * Unauthorized Access Response Playbook
+ *
+ * Comprehensive playbook for responding to unauthorized access incidents.
+ * Covers detection, containment, investigation, remediation, and recovery.
+ *
+ * This playbook uses automated actions from the actions module that
+ * provide real implementations with rollback capabilities.
+ */
+import { createLogger } from '../../../common/logger.js';
+import { IncidentType, IncidentSeverity, NotificationChannel, StepType, } from '../types.js';
+const logger = createLogger({ component: 'incident-response' });
+// ============================================================================
+// Playbook Definition
+// ============================================================================
+/**
+ * Unauthorized access response steps using automated actions
+ *
+ * Steps are designed to:
+ * - Execute automated containment actions immediately
+ * - Collect evidence for forensics
+ * - Pause for manual investigation and approval where needed
+ * - Support parallel execution where dependencies allow
+ * - Provide rollback capability for automated steps
+ */
+const unauthorizedAccessSteps = [
+    // Phase 1: Detection and Verification
+    {
+        id: 'ua-step-1',
+        name: 'Verify Unauthorized Access Indicators',
+        type: StepType.MANUAL,
+        description: `
+      Verify the unauthorized access alert is legitimate:
+      1. Review authentication logs and access patterns
+      2. Confirm the access is unauthorized (not a false positive)
+      3. Identify the compromised account(s) or entry point
+      4. Determine if access is ongoing or historical
+      5. Document initial findings and timeline
+
+      Mark this step complete once verification is done.
+    `,
+        requiresApproval: false,
+        onFailure: 'halt',
+    },
+    // Phase 2: Immediate Containment (Automated)
+    {
+        id: 'ua-step-2',
+        name: 'Block Unauthorized IP Addresses',
+        type: StepType.AUTOMATED,
+        description: 'Automatically block identified unauthorized IP addresses at firewall, WAF, and CDN levels to prevent further access.',
+        actionId: 'block-ip',
+        timeout: 60000, // 1 minute
+        requiresApproval: false, // Critical action - execute immediately
+        onFailure: 'retry',
+        retryAttempts: 3,
+        dependencies: ['ua-step-1'],
+        metadata: {
+            rollbackOnFailure: true,
+            notifyOnComplete: true,
+        },
+    },
+    {
+        id: 'ua-step-3',
+        name: 'Revoke Compromised Credentials',
+        type: StepType.AUTOMATED,
+        description: 'Revoke all potentially compromised credentials including passwords, API keys, tokens, and terminate active sessions for affected accounts.',
+        actionId: 'revoke-credentials',
+        timeout: 180000, // 3 minutes
+        requiresApproval: false, // Critical action - execute immediately after IP block
+        onFailure: 'retry',
+        retryAttempts: 3,
+        dependencies: ['ua-step-1'],
+    },
+    {
+        id: 'ua-step-4',
+        name: 'Enable Enhanced Monitoring',
+        type: StepType.AUTOMATED,
+        description: 'Activate enhanced security monitoring including increased logging, additional alerts, detection rules, and honeypots to detect further unauthorized access attempts.',
+        actionId: 'scale-monitoring',
+        timeout: 180000, // 3 minutes
+        requiresApproval: false,
+        onFailure: 'continue', // Non-critical - continue if fails
+        dependencies: ['ua-step-1'],
+    },
+    // Phase 3: Scope Assessment (Manual)
+    {
+        id: 'ua-step-5',
+        name: 'Assess Access Scope',
+        type: StepType.MANUAL,
+        description: `
+      Determine the full scope of unauthorized access:
+      1. Identify all systems and resources accessed
+      2. Review data that was viewed, downloaded, or modified
+      3. Check for lateral movement to other systems
+      4. Identify any data exfiltration attempts
+      5. Determine the time window of unauthorized access
+      6. Document all affected resources
+
+      This information is critical for remediation and potential regulatory reporting.
+    `,
+        requiresApproval: false,
+        onFailure: 'halt',
+        dependencies: ['ua-step-2', 'ua-step-3'],
+    },
+    // Phase 4: Evidence Collection (Automated)
+    {
+        id: 'ua-step-6',
+        name: 'Collect Forensic Evidence',
+        type: StepType.AUTOMATED,
+        description: 'Automatically collect and preserve forensic evidence including authentication logs, access logs, audit trails, session data, and system state.',
+        actionId: 'collect-evidence',
+        timeout: 600000, // 10 minutes
+        requiresApproval: false,
+        onFailure: 'halt', // Critical for investigation
+        dependencies: ['ua-step-1'],
+    },
+    // Phase 5: Notification (Automated)
+    {
+        id: 'ua-step-7',
+        name: 'Notify Stakeholders',
+        type: StepType.AUTOMATED,
+        description: 'Send automated notifications to relevant stakeholders based on incident severity.',
+        actionId: 'notify-stakeholders',
+        timeout: 120000, // 2 minutes
+        requiresApproval: false,
+        onFailure: 'continue',
+        retryAttempts: 3,
+        dependencies: ['ua-step-1'],
+    },
+    // Phase 6: Investigation (Manual)
+    {
+        id: 'ua-step-8',
+        name: 'Determine Access Method',
+        type: StepType.MANUAL,
+        description: `
+      Investigate how unauthorized access was gained:
+      1. Analyze authentication methods used
+      2. Check for credential theft (phishing, keylogger, etc.)
+      3. Look for vulnerability exploitation
+      4. Review for brute force or password spray attacks
+      5. Check for session hijacking or token theft
+      6. Identify if insider threat is involved
+      7. Create detailed attack timeline
+
+      Use the collected evidence from Step 6 for analysis.
+    `,
+        requiresApproval: false,
+        onFailure: 'halt',
+        dependencies: ['ua-step-5', 'ua-step-6'],
+    },
+    {
+        id: 'ua-step-9',
+        name: 'Identify Vulnerabilities Exploited',
+        type: StepType.MANUAL,
+        description: `
+      Identify any vulnerabilities that enabled the unauthorized access:
+      1. Review system configurations for weaknesses
+      2. Check for missing patches or updates
+      3. Analyze authentication mechanisms
+      4. Review access control policies
+      5. Identify any misconfigurations
+      6. Document all findings for remediation
+
+      Findings should be added to incident evidence.
+    `,
+        requiresApproval: false,
+        onFailure: 'continue',
+        dependencies: ['ua-step-8'],
+    },
+    // Phase 7: Remediation (Manual with Approvals)
+    {
+        id: 'ua-step-10',
+        name: 'Patch Vulnerabilities',
+        type: StepType.MANUAL,
+        description: `
+      Implement remediation for identified vulnerabilities:
+      1. Apply security patches to affected systems
+      2. Update vulnerable software components
+      3. Fix identified misconfigurations
+      4. Close unauthorized access vectors
+      5. Document all changes made
+
+      Requires security lead approval before proceeding.
+    `,
+        requiresApproval: true,
+        approvers: ['security-lead'],
+        onFailure: 'halt',
+        dependencies: ['ua-step-9'],
+    },
+    {
+        id: 'ua-step-11',
+        name: 'Strengthen Access Controls',
+        type: StepType.MANUAL,
+        description: `
+      Implement stronger access controls:
+      1. Review and update access policies
+      2. Implement or strengthen MFA requirements
+      3. Review and restrict user permissions
+      4. Update firewall and network segmentation rules
+      5. Implement additional monitoring controls
+      6. Update password policies if applicable
+
+      Requires security lead approval before proceeding.
+    `,
+        requiresApproval: true,
+        approvers: ['security-lead'],
+        onFailure: 'halt',
+        dependencies: ['ua-step-9'],
+    },
+    {
+        id: 'ua-step-12',
+        name: 'Verification Testing',
+        type: StepType.MANUAL,
+        description: `
+      Verify remediation effectiveness:
+      1. Conduct vulnerability scanning
+      2. Perform penetration testing on affected areas
+      3. Verify patches are applied correctly
+      4. Test access controls are working
+      5. Confirm monitoring is capturing events
+      6. Document test results
+    `,
+        requiresApproval: false,
+        onFailure: 'halt',
+        dependencies: ['ua-step-10', 'ua-step-11'],
+    },
+    // Phase 8: Recovery (Manual with Approval)
+    {
+        id: 'ua-step-13',
+        name: 'Restore Modified Data',
+        type: StepType.MANUAL,
+        description: `
+      Restore any data modified by unauthorized access:
+      1. Identify data that was modified or corrupted
+      2. Restore from known good backups
+      3. Verify data integrity after restoration
+      4. Document all restoration activities
+      5. Confirm business operations are not impacted
+
+      This step requires approval from data owners and operations lead.
+    `,
+        requiresApproval: true,
+        approvers: ['data-owner', 'operations-lead'],
+        onFailure: 'halt',
+        dependencies: ['ua-step-5', 'ua-step-12'],
+    },
+    {
+        id: 'ua-step-14',
+        name: 'Issue New Credentials',
+        type: StepType.MANUAL,
+        description: `
+      Issue new credentials to affected users:
+      1. Generate new passwords for affected accounts
+      2. Rotate API keys and tokens
+      3. Issue new certificates if applicable
+      4. Communicate securely with affected users
+      5. Verify users can access with new credentials
+      6. Monitor for any access issues
+
+      This step requires incident commander approval.
+    `,
+        requiresApproval: true,
+        approvers: ['incident-commander'],
+        onFailure: 'halt',
+        dependencies: ['ua-step-12'],
+    },
+    // Phase 9: Post-Incident (Manual)
+    {
+        id: 'ua-step-15',
+        name: 'Improve Detection Capabilities',
+        type: StepType.MANUAL,
+        description: `
+      Enhance detection to prevent future incidents:
+      1. Create new detection rules based on attack patterns
+      2. Update SIEM correlation rules
+      3. Implement additional logging where needed
+      4. Set up alerts for similar access patterns
+      5. Consider deploying additional security tools
+      6. Document new detection capabilities
+    `,
+        requiresApproval: false,
+        onFailure: 'continue',
+        dependencies: ['ua-step-8'],
+    },
+    {
+        id: 'ua-step-16',
+        name: 'Update Access Policies',
+        type: StepType.MANUAL,
+        description: `
+      Update access policies based on lessons learned:
+      1. Review and update access control policies
+      2. Update authentication requirements
+      3. Revise network access policies
+      4. Update vendor/third-party access procedures
+      5. Document policy changes
+      6. Communicate changes to relevant teams
+
+      Requires security lead and compliance approval.
+    `,
+        requiresApproval: true,
+        approvers: ['security-lead', 'compliance'],
+        onFailure: 'continue',
+        dependencies: ['ua-step-8'],
+    },
+    {
+        id: 'ua-step-17',
+        name: 'Post-Incident Review',
+        type: StepType.MANUAL,
+        description: `
+      Conduct post-incident review:
+      1. Schedule post-mortem meeting
+      2. Document lessons learned
+      3. Identify process improvements
+      4. Update playbooks and procedures
+      5. Create final incident report
+      6. Share findings with relevant teams
+    `,
+        requiresApproval: false,
+        onFailure: 'continue',
+        dependencies: ['ua-step-13', 'ua-step-14', 'ua-step-15', 'ua-step-16'],
+    },
+];
+const triggerConditions = [
+    {
+        field: 'type',
+        operator: 'equals',
+        value: IncidentType.UNAUTHORIZED_ACCESS,
+    },
+];
+const notifications = [
+    {
+        channel: NotificationChannel.SLACK,
+        target: '#security-incidents',
+        enabled: true,
+        retryAttempts: 3,
+        retryDelayMs: 5000,
+    },
+    {
+        channel: NotificationChannel.PAGERDUTY,
+        target: 'security-team',
+        severityFilter: [IncidentSeverity.P1, IncidentSeverity.P2],
+        enabled: true,
+        retryAttempts: 3,
+        retryDelayMs: 5000,
+    },
+    {
+        channel: NotificationChannel.EMAIL,
+        target: 'security@company.com',
+        enabled: true,
+        retryAttempts: 3,
+        retryDelayMs: 5000,
+    },
+    {
+        channel: NotificationChannel.EMAIL,
+        target: 'it-operations@company.com',
+        severityFilter: [IncidentSeverity.P1, IncidentSeverity.P2],
+        enabled: true,
+        retryAttempts: 3,
+        retryDelayMs: 5000,
+    },
+];
+const escalation = {
+    enabled: true,
+    levels: [
+        {
+            level: 1,
+            afterMinutes: 10,
+            targets: ['security-team'],
+            channels: [NotificationChannel.SLACK, NotificationChannel.PAGERDUTY],
+            message: 'Unauthorized access incident not acknowledged within 10 minutes',
+        },
+        {
+            level: 2,
+            afterMinutes: 25,
+            targets: ['security-lead', 'incident-commander'],
+            channels: [NotificationChannel.SLACK, NotificationChannel.PAGERDUTY, NotificationChannel.EMAIL],
+            message: 'Unauthorized access incident requires immediate attention - escalating to leadership',
+        },
+        {
+            level: 3,
+            afterMinutes: 45,
+            targets: ['ciso', 'cto'],
+            channels: [NotificationChannel.PAGERDUTY, NotificationChannel.EMAIL, NotificationChannel.SMS],
+            message: 'Critical unauthorized access - executive escalation',
+        },
+    ],
+    maxLevel: 3,
+    resetOnAcknowledge: true,
+};
+// ============================================================================
+// Export Playbook
+// ============================================================================
+export const unauthorizedAccessPlaybook = {
+    id: 'playbook-unauthorized-access-v1',
+    name: 'Unauthorized Access Response',
+    description: `
+    Comprehensive playbook for responding to unauthorized access incidents.
+    Covers detection, containment, scope assessment, evidence collection,
+    investigation, remediation, recovery, and post-incident activities.
+  `.trim(),
+    version: '1.0.0',
+    triggerConditions,
+    steps: unauthorizedAccessSteps,
+    notifications,
+    escalation,
+    enabled: true,
+    tags: ['unauthorized-access', 'intrusion', 'access-control', 'security'],
+    createdAt: new Date('2024-01-01'),
+    updatedAt: new Date('2024-01-15'),
+};
+export default unauthorizedAccessPlaybook;
+//# sourceMappingURL=unauthorized-access.js.map

package/dist/security/incident/playbooks/unauthorized-access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unauthorized-access.js","sourceRoot":"","sources":["../../../../src/security/incident/playbooks/unauthorized-access.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACzD,OAAO,EAML,YAAY,EACZ,gBAAgB,EAChB,mBAAmB,EACnB,QAAQ,GACT,MAAM,aAAa,CAAC;AAErB,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,mBAAmB,EAAE,CAAC,CAAC;AAEhE,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;;;;;;;;GASG;AACH,MAAM,uBAAuB,GAAwB;IACnD,sCAAsC;IACtC;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,uCAAuC;QAC7C,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;KASZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM;KAClB;IAED,6CAA6C;IAC7C;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,iCAAiC;QACvC,IAAI,EAAE,QAAQ,CAAC,SAAS;QACxB,WAAW,EAAE,sHAAsH;QACnI,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,KAAK,EAAE,WAAW;QAC3B,gBAAgB,EAAE,KAAK,EAAE,wCAAwC;QACjE,SAAS,EAAE,OAAO;QAClB,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,CAAC,WAAW,CAAC;QAC3B,QAAQ,EAAE;YACR,iBAAiB,EAAE,IAAI;YACvB,gBAAgB,EAAE,IAAI;SACvB;KACF;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gCAAgC;QACtC,IAAI,EAAE,QAAQ,CAAC,SAAS;QACxB,WAAW,EAAE,4IAA4I;QACzJ,QAAQ,EAAE,oBAAoB;QAC9B,OAAO,EAAE,MAAM,EAAE,YAAY;QAC7B,gBAAgB,EAAE,KAAK,EAAE,uDAAuD;QAChF,SAAS,EAAE,OAAO;QAClB,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,4BAA4B;QAClC,IAAI,EAAE,QAAQ,CAAC,SAAS;QACxB,WAAW,EAAE,sKAAsK;QACnL,QAAQ,EAAE,kBAAkB;QAC5B,OAAO,EAAE,MAAM,EAAE,YAAY;QAC7B,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU,EAAE,mCAAmC;QAC1D,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IAED,qCAAqC;IACrC;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,qBAAqB;QAC3B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;KAUZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,WAAW,EAAE,WAAW,CAAC;KACzC;IAED,2CAA2C;IAC3C;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,2BAA2B;QACjC,IAAI,EAAE,QAAQ,CAAC,SAAS;QACxB,WAAW,EAAE,gJAAgJ;QAC7J,QAAQ,EAAE,kBAAkB;QAC5B,OAAO,EAAE,MAAM,EAAE,aAAa;QAC9B,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM,EAAE,6BAA6B;QAChD,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IAED,oCAAoC;IACpC;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,qBAAqB;QAC3B,IAAI,EAAE,QAAQ,CAAC,SAAS;QACxB,WAAW,EAAE,mFAAmF;QAChG,QAAQ,EAAE,qBAAqB;QAC/B,OAAO,EAAE,MAAM,EAAE,YAAY;QAC7B,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU;QACrB,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IAED,kCAAkC;IAClC;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,yBAAyB;QAC/B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;;KAWZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,WAAW,EAAE,WAAW,CAAC;KACzC;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,oCAAoC;QAC1C,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;KAUZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IAED,+CAA+C;IAC/C;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,uBAAuB;QAC7B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;KASZ;QACD,gBAAgB,EAAE,IAAI;QACtB,SAAS,EAAE,CAAC,eAAe,CAAC;QAC5B,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,4BAA4B;QAClC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;KAUZ;QACD,gBAAgB,EAAE,IAAI;QACtB,SAAS,EAAE,CAAC,eAAe,CAAC;QAC5B,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,sBAAsB;QAC5B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;KAQZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KAC3C;IAED,2CAA2C;IAC3C;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,uBAAuB;QAC7B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;KASZ;QACD,gBAAgB,EAAE,IAAI;QACtB,SAAS,EAAE,CAAC,YAAY,EAAE,iBAAiB,CAAC;QAC5C,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;KAC1C;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,uBAAuB;QAC7B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;KAUZ;QACD,gBAAgB,EAAE,IAAI;QACtB,SAAS,EAAE,CAAC,oBAAoB,CAAC;QACjC,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,CAAC,YAAY,CAAC;KAC7B;IAED,kCAAkC;IAClC;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,gCAAgC;QACtC,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;KAQZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,wBAAwB;QAC9B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;;;KAUZ;QACD,gBAAgB,EAAE,IAAI;QACtB,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,CAAC;QAC1C,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,WAAW,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,sBAAsB;QAC5B,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,WAAW,EAAE;;;;;;;;KAQZ;QACD,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,CAAC;KACvE;CACF,CAAC;AAEF,MAAM,iBAAiB,GAAuB;IAC5C;QACE,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,YAAY,CAAC,mBAAmB;KACxC;CACF,CAAC;AAEF,MAAM,aAAa,GAAyB;IAC1C;QACE,OAAO,EAAE,mBAAmB,CAAC,KAAK;QAClC,MAAM,EAAE,qBAAqB;QAC7B,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;IACD;QACE,OAAO,EAAE,mBAAmB,CAAC,SAAS;QACtC,MAAM,EAAE,eAAe;QACvB,cAAc,EAAE,CAAC,gBAAgB,CAAC,EAAE,EAAE,gBAAgB,CAAC,EAAE,CAAC;QAC1D,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;IACD;QACE,OAAO,EAAE,mBAAmB,CAAC,KAAK;QAClC,MAAM,EAAE,sBAAsB;QAC9B,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;IACD;QACE,OAAO,EAAE,mBAAmB,CAAC,KAAK;QAClC,MAAM,EAAE,2BAA2B;QACnC,cAAc,EAAE,CAAC,gBAAgB,CAAC,EAAE,EAAE,gBAAgB,CAAC,EAAE,CAAC;QAC1D,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,IAAI;KACnB;CACF,CAAC;AAEF,MAAM,UAAU,GAAqB;IACnC,OAAO,EAAE,IAAI;IACb,MAAM,EAAE;QACN;YACE,KAAK,EAAE,CAAC;YACR,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE,CAAC,eAAe,CAAC;YAC1B,QAAQ,EAAE,CAAC,mBAAmB,CAAC,KAAK,EAAE,mBAAmB,CAAC,SAAS,CAAC;YACpE,OAAO,EAAE,iEAAiE;SAC3E;QACD;YACE,KAAK,EAAE,CAAC;YACR,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE,CAAC,eAAe,EAAE,oBAAoB,CAAC;YAChD,QAAQ,EAAE,CAAC,mBAAmB,CAAC,KAAK,EAAE,mBAAmB,CAAC,SAAS,EAAE,mBAAmB,CAAC,KAAK,CAAC;YAC/F,OAAO,EAAE,sFAAsF;SAChG;QACD;YACE,KAAK,EAAE,CAAC;YACR,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE,CAAC,MAAM,EAAE,KAAK,CAAC;YACxB,QAAQ,EAAE,CAAC,mBAAmB,CAAC,SAAS,EAAE,mBAAmB,CAAC,KAAK,EAAE,mBAAmB,CAAC,GAAG,CAAC;YAC7F,OAAO,EAAE,qDAAqD;SAC/D;KACF;IACD,QAAQ,EAAE,CAAC;IACX,kBAAkB,EAAE,IAAI;CACzB,CAAC;AAEF,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E,MAAM,CAAC,MAAM,0BAA0B,GAAkB;IACvD,EAAE,EAAE,iCAAiC;IACrC,IAAI,EAAE,8BAA8B;IACpC,WAAW,EAAE;;;;GAIZ,CAAC,IAAI,EAAE;IACR,OAAO,EAAE,OAAO;IAChB,iBAAiB;IACjB,KAAK,EAAE,uBAAuB;IAC9B,aAAa;IACb,UAAU;IACV,OAAO,EAAE,IAAI;IACb,IAAI,EAAE,CAAC,qBAAqB,EAAE,WAAW,EAAE,gBAAgB,EAAE,UAAU,CAAC;IACxE,SAAS,EAAE,IAAI,IAAI,CAAC,YAAY,CAAC;IACjC,SAAS,EAAE,IAAI,IAAI,CAAC,YAAY,CAAC;CAClC,CAAC;AAEF,eAAe,0BAA0B,CAAC"}

package/dist/security/incident/triggers.d.ts

@@ -0,0 +1,120 @@
+/**
+ * Incident Triggers - Automatic Incident Creation from Alerts
+ *
+ * Maps alerts from various sources to incidents with appropriate severity,
+ * type, and playbook selection.
+ *
+ * @packageDocumentation
+ * @module security/incident/triggers
+ */
+import { EventEmitter } from 'events';
+import { Alert, AlertRule, IncidentType, IncidentSeverity, CreateIncidentInput, Playbook } from './types.js';
+import type { AnomalyAlert } from '../anomaly/types.js';
+export interface IncidentTriggerConfig {
+    /** Whether automatic triggering is enabled */
+    enabled: boolean;
+    /** Default cooldown between similar incidents (seconds) */
+    defaultCooldownSeconds: number;
+    /** Whether to deduplicate alerts */
+    deduplication: {
+        enabled: boolean;
+        windowMinutes: number;
+        hashFields: string[];
+    };
+    /** Whether to auto-merge related incidents */
+    autoMerge: {
+        enabled: boolean;
+        windowMinutes: number;
+    };
+    /** Severity escalation rules */
+    severityEscalation: {
+        enabled: boolean;
+        /** Number of similar alerts before escalation */
+        alertCountThreshold: number;
+        /** Time window for alert counting (minutes) */
+        windowMinutes: number;
+    };
+}
+export interface TriggerEvents {
+    'alert:received': (alert: Alert) => void;
+    'alert:matched': (alert: Alert, rule: AlertRule) => void;
+    'alert:deduplicated': (alert: Alert, existingIncidentId: string) => void;
+    'incident:created': (incidentInput: CreateIncidentInput, rule: AlertRule) => void;
+    'incident:merged': (alertId: string, incidentId: string) => void;
+}
+export declare class IncidentTrigger extends EventEmitter {
+    private readonly config;
+    private readonly rules;
+    private readonly playbooks;
+    private readonly recentAlerts;
+    private readonly alertCounts;
+    private incidentCreator?;
+    private cleanupInterval?;
+    constructor(config?: Partial<IncidentTriggerConfig>);
+    /**
+     * Register the incident creator function
+     */
+    registerIncidentCreator(creator: (input: CreateIncidentInput) => Promise<{
+        id: string;
+    }>): void;
+    /**
+     * Register playbooks for auto-selection
+     */
+    registerPlaybooks(playbooks: Playbook[]): void;
+    /**
+     * Add or update an alert rule
+     */
+    addRule(rule: AlertRule): void;
+    /**
+     * Remove an alert rule
+     */
+    removeRule(ruleId: string): boolean;
+    /**
+     * Get all rules
+     */
+    getRules(): AlertRule[];
+    /**
+     * Process an alert and potentially create an incident
+     */
+    processAlert(alert: Alert): Promise<{
+        incidentCreated: boolean;
+        incidentId?: string;
+        reason?: string;
+    }>;
+    /**
+     * Process an anomaly alert from the anomaly detection system
+     */
+    processAnomalyAlert(anomalyAlert: AnomalyAlert): Promise<{
+        incidentCreated: boolean;
+        incidentId?: string;
+        reason?: string;
+    }>;
+    /**
+     * Map from alert severity to incident severity
+     */
+    mapAlertSeverityToIncident(alertSeverity: Alert['severity']): IncidentSeverity;
+    /**
+     * Map from anomaly severity to alert severity
+     */
+    private mapAnomalySeverity;
+    /**
+     * Select appropriate playbook for incident type
+     */
+    selectPlaybook(incidentType: IncidentType, severity: IncidentSeverity): Playbook | undefined;
+    /**
+     * Clean up resources
+     */
+    destroy(): void;
+    private findMatchingRule;
+    private evaluateConditions;
+    private evaluateCondition;
+    private getFieldValue;
+    private checkDeduplication;
+    private calculateAlertHash;
+    private checkSeverityEscalation;
+    private buildIncidentInput;
+    private applyTemplate;
+    private startCleanupInterval;
+}
+export declare function createIncidentTrigger(config?: Partial<IncidentTriggerConfig>): IncidentTrigger;
+//# sourceMappingURL=triggers.d.ts.map

package/dist/security/incident/triggers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"triggers.d.ts","sourceRoot":"","sources":["../../../src/security/incident/triggers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAGtC,OAAO,EACL,KAAK,EACL,SAAS,EAET,YAAY,EACZ,gBAAgB,EAEhB,mBAAmB,EACnB,QAAQ,EACT,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,qBAAqB,CAAC;AAQlF,MAAM,WAAW,qBAAqB;IACpC,8CAA8C;IAC9C,OAAO,EAAE,OAAO,CAAC;IACjB,2DAA2D;IAC3D,sBAAsB,EAAE,MAAM,CAAC;IAC/B,oCAAoC;IACpC,aAAa,EAAE;QACb,OAAO,EAAE,OAAO,CAAC;QACjB,aAAa,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,MAAM,EAAE,CAAC;KACtB,CAAC;IACF,8CAA8C;IAC9C,SAAS,EAAE;QACT,OAAO,EAAE,OAAO,CAAC;QACjB,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,gCAAgC;IAChC,kBAAkB,EAAE;QAClB,OAAO,EAAE,OAAO,CAAC;QACjB,iDAAiD;QACjD,mBAAmB,EAAE,MAAM,CAAC;QAC5B,+CAA+C;QAC/C,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC;CACH;AA4OD,MAAM,WAAW,aAAa;IAC5B,gBAAgB,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACzC,eAAe,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,KAAK,IAAI,CAAC;IACzD,oBAAoB,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,KAAK,IAAI,CAAC;IACzE,kBAAkB,EAAE,CAAC,aAAa,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,KAAK,IAAI,CAAC;IAClF,iBAAiB,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,IAAI,CAAC;CAClE;AAMD,qBAAa,eAAgB,SAAQ,YAAY;IAC/C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAC/C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAqC;IAC3D,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAoC;IAC9D,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoE;IACjG,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA8D;IAC1F,OAAO,CAAC,eAAe,CAAC,CAA0D;IAClF,OAAO,CAAC,eAAe,CAAC,CAAiB;gBAE7B,MAAM,GAAE,OAAO,CAAC,qBAAqB,CAAM;IAmBvD;;OAEG;IACH,uBAAuB,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,mBAAmB,KAAK,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,IAAI;IAI/F;;OAEG;IACH,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,GAAG,IAAI;IAO9C;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAK9B;;OAEG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAQnC;;OAEG;IACH,QAAQ,IAAI,SAAS,EAAE;IAIvB;;OAEG;IACG,YAAY,CAAC,KAAK,EAAE,KAAK,GAAG,OAAO,CAAC;QAAE,eAAe,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAoH7G;;OAEG;IACG,mBAAmB,CAAC,YAAY,EAAE,YAAY,GAAG,OAAO,CAAC;QAAE,eAAe,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAgClI;;OAEG;IACH,0BAA0B,CAAC,aAAa,EAAE,KAAK,CAAC,UAAU,CAAC,GAAG,gBAAgB;IAU9E;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAU1B;;OAEG;IACH,cAAc,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,gBAAgB,GAAG,QAAQ,GAAG,SAAS;IA6B5F;;OAEG;IACH,OAAO,IAAI,IAAI;IAaf,OAAO,CAAC,gBAAgB;IAexB,OAAO,CAAC,kBAAkB;IAgB1B,OAAO,CAAC,iBAAiB;IAmCzB,OAAO,CAAC,aAAa;IAYrB,OAAO,CAAC,kBAAkB;IAgB1B,OAAO,CAAC,kBAAkB;IAW1B,OAAO,CAAC,uBAAuB;IA8C/B,OAAO,CAAC,kBAAkB;IAuD1B,OAAO,CAAC,aAAa;IAwBrB,OAAO,CAAC,oBAAoB;CAwB7B;AAMD,wBAAgB,qBAAqB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,qBAAqB,CAAC,GAAG,eAAe,CAE9F"}