security-detections-mcp 1.0.0 → 1.2.0

package/dist/db.js

@@ -1,7 +1,7 @@
 import Database from 'better-sqlite3';
 import { homedir } from 'os';
 import { join } from 'path';
-import { mkdirSync, existsSync } from 'fs';
+import { mkdirSync, existsSync, unlinkSync } from 'fs';
 const CACHE_DIR = join(homedir(), '.cache', 'security-detections-mcp');
 const DB_PATH = join(CACHE_DIR, 'detections.sqlite');
 let db = null;
@@ -16,7 +16,7 @@ export function initDb() {
         mkdirSync(CACHE_DIR, { recursive: true });
     }
     db = new Database(DB_PATH);
-    // Create main detections table
+    // Create main detections table with all enhanced fields
     db.exec(`
     CREATE TABLE IF NOT EXISTS detections (
       id TEXT PRIMARY KEY,
@@ -37,10 +37,24 @@ export function initDb() {
       falsepositives TEXT,
       tags TEXT,
       file_path TEXT,
-      raw_yaml TEXT
+      raw_yaml TEXT,
+      cves TEXT,
+      analytic_stories TEXT,
+      data_sources TEXT,
+      detection_type TEXT,
+      asset_type TEXT,
+      security_domain TEXT,
+      process_names TEXT,
+      file_paths TEXT,
+      registry_paths TEXT,
+      mitre_tactics TEXT,
+      platforms TEXT,
+      kql_category TEXT,
+      kql_tags TEXT,
+      kql_keywords TEXT
     )
   `);
-    // Create FTS5 virtual table for full-text search
+    // Create FTS5 virtual table for full-text search with all searchable fields
     db.exec(`
     CREATE VIRTUAL TABLE IF NOT EXISTS detections_fts USING fts5(
       id,
@@ -49,6 +63,17 @@ export function initDb() {
       query,
       mitre_ids,
       tags,
+      cves,
+      analytic_stories,
+      data_sources,
+      process_names,
+      file_paths,
+      registry_paths,
+      mitre_tactics,
+      platforms,
+      kql_category,
+      kql_tags,
+      kql_keywords,
       content='detections',
       content_rowid='rowid'
     )
@@ -56,22 +81,22 @@ export function initDb() {
     // Create triggers to keep FTS in sync
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_ai AFTER INSERT ON detections BEGIN
-      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags)
-      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags);
+      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
+      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords);
     END
   `);
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_ad AFTER DELETE ON detections BEGIN
-      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags)
-      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags);
+      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
+      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords);
     END
   `);
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_au AFTER UPDATE ON detections BEGIN
-      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags)
-      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags);
-      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags)
-      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags);
+      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
+      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords);
+      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
+      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords);
     END
   `);
     // Create indexes for common queries
@@ -79,22 +104,82 @@ export function initDb() {
     db.exec(`CREATE INDEX IF NOT EXISTS idx_severity ON detections(severity)`);
     db.exec(`CREATE INDEX IF NOT EXISTS idx_logsource_product ON detections(logsource_product)`);
     db.exec(`CREATE INDEX IF NOT EXISTS idx_logsource_category ON detections(logsource_category)`);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_detection_type ON detections(detection_type)`);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_asset_type ON detections(asset_type)`);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_security_domain ON detections(security_domain)`);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_kql_category ON detections(kql_category)`);
+    // Create stories table (optional - provides rich context for analytic stories)
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS stories (
+      id TEXT PRIMARY KEY,
+      name TEXT NOT NULL,
+      description TEXT,
+      narrative TEXT,
+      author TEXT,
+      date TEXT,
+      version INTEGER,
+      status TEXT,
+      refs TEXT,
+      category TEXT,
+      usecase TEXT,
+      detection_names TEXT
+    )
+  `);
+    // Create FTS5 for stories (narrative is key for semantic search!)
+    db.exec(`
+    CREATE VIRTUAL TABLE IF NOT EXISTS stories_fts USING fts5(
+      id,
+      name,
+      description,
+      narrative,
+      category,
+      usecase,
+      content='stories',
+      content_rowid='rowid'
+    )
+  `);
+    // Triggers for stories FTS
+    db.exec(`
+    CREATE TRIGGER IF NOT EXISTS stories_ai AFTER INSERT ON stories BEGIN
+      INSERT INTO stories_fts(rowid, id, name, description, narrative, category, usecase)
+      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.narrative, NEW.category, NEW.usecase);
+    END
+  `);
+    db.exec(`
+    CREATE TRIGGER IF NOT EXISTS stories_ad AFTER DELETE ON stories BEGIN
+      INSERT INTO stories_fts(stories_fts, rowid, id, name, description, narrative, category, usecase)
+      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.narrative, OLD.category, OLD.usecase);
+    END
+  `);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_story_category ON stories(category)`);
     return db;
 }
 export function clearDb() {
     const database = initDb();
     database.exec('DELETE FROM detections');
 }
+// Force recreation of the database (needed when schema changes)
+export function recreateDb() {
+    if (db) {
+        db.close();
+        db = null;
+    }
+    if (existsSync(DB_PATH)) {
+        unlinkSync(DB_PATH);
+    }
+}
 export function insertDetection(detection) {
     const database = initDb();
     const stmt = database.prepare(`
     INSERT OR REPLACE INTO detections 
     (id, name, description, query, source_type, mitre_ids, logsource_category, 
      logsource_product, logsource_service, severity, status, author, 
-     date_created, date_modified, refs, falsepositives, tags, file_path, raw_yaml)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+     date_created, date_modified, refs, falsepositives, tags, file_path, raw_yaml,
+     cves, analytic_stories, data_sources, detection_type, asset_type, security_domain,
+     process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
   `);
-    stmt.run(detection.id, detection.name, detection.description, detection.query, detection.source_type, JSON.stringify(detection.mitre_ids), detection.logsource_category, detection.logsource_product, detection.logsource_service, detection.severity, detection.status, detection.author, detection.date_created, detection.date_modified, JSON.stringify(detection.references), JSON.stringify(detection.falsepositives), JSON.stringify(detection.tags), detection.file_path, detection.raw_yaml);
+    stmt.run(detection.id, detection.name, detection.description, detection.query, detection.source_type, JSON.stringify(detection.mitre_ids), detection.logsource_category, detection.logsource_product, detection.logsource_service, detection.severity, detection.status, detection.author, detection.date_created, detection.date_modified, JSON.stringify(detection.references), JSON.stringify(detection.falsepositives), JSON.stringify(detection.tags), detection.file_path, detection.raw_yaml, JSON.stringify(detection.cves), JSON.stringify(detection.analytic_stories), JSON.stringify(detection.data_sources), detection.detection_type, detection.asset_type, detection.security_domain, JSON.stringify(detection.process_names), JSON.stringify(detection.file_paths), JSON.stringify(detection.registry_paths), JSON.stringify(detection.mitre_tactics), JSON.stringify(detection.platforms), detection.kql_category, JSON.stringify(detection.kql_tags), JSON.stringify(detection.kql_keywords));
 }
 function rowToDetection(row) {
     return {
@@ -117,6 +202,20 @@ function rowToDetection(row) {
         tags: JSON.parse(row.tags || '[]'),
         file_path: row.file_path,
         raw_yaml: row.raw_yaml,
+        cves: JSON.parse(row.cves || '[]'),
+        analytic_stories: JSON.parse(row.analytic_stories || '[]'),
+        data_sources: JSON.parse(row.data_sources || '[]'),
+        detection_type: row.detection_type,
+        asset_type: row.asset_type,
+        security_domain: row.security_domain,
+        process_names: JSON.parse(row.process_names || '[]'),
+        file_paths: JSON.parse(row.file_paths || '[]'),
+        registry_paths: JSON.parse(row.registry_paths || '[]'),
+        mitre_tactics: JSON.parse(row.mitre_tactics || '[]'),
+        platforms: JSON.parse(row.platforms || '[]'),
+        kql_category: row.kql_category,
+        kql_tags: JSON.parse(row.kql_tags || '[]'),
+        kql_keywords: JSON.parse(row.kql_keywords || '[]'),
     };
 }
 export function searchDetections(query, limit = 50) {
@@ -190,11 +289,108 @@ export function listBySeverity(level, limit = 100, offset = 0) {
     const rows = stmt.all(level, limit, offset);
     return rows.map(rowToDetection);
 }
+// New query methods for enhanced fields
+export function listByCve(cveId, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    SELECT * FROM detections 
+    WHERE cves LIKE ? 
+    ORDER BY name 
+    LIMIT ? OFFSET ?
+  `);
+    const rows = stmt.all(`%"${cveId}"%`, limit, offset);
+    return rows.map(rowToDetection);
+}
+export function listByAnalyticStory(story, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    SELECT * FROM detections 
+    WHERE analytic_stories LIKE ? 
+    ORDER BY name 
+    LIMIT ? OFFSET ?
+  `);
+    const rows = stmt.all(`%${story}%`, limit, offset);
+    return rows.map(rowToDetection);
+}
+export function listByProcessName(processName, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    SELECT * FROM detections 
+    WHERE process_names LIKE ? 
+    ORDER BY name 
+    LIMIT ? OFFSET ?
+  `);
+    const rows = stmt.all(`%${processName}%`, limit, offset);
+    return rows.map(rowToDetection);
+}
+export function listByDetectionType(detectionType, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare('SELECT * FROM detections WHERE detection_type = ? ORDER BY name LIMIT ? OFFSET ?');
+    const rows = stmt.all(detectionType, limit, offset);
+    return rows.map(rowToDetection);
+}
+export function listByDataSource(dataSource, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    SELECT * FROM detections 
+    WHERE data_sources LIKE ? 
+    ORDER BY name 
+    LIMIT ? OFFSET ?
+  `);
+    const rows = stmt.all(`%${dataSource}%`, limit, offset);
+    return rows.map(rowToDetection);
+}
+export function listByKqlCategory(category, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    SELECT * FROM detections
+    WHERE source_type = 'kql' AND kql_category = ?
+    ORDER BY name
+    LIMIT ? OFFSET ?
+  `);
+    const rows = stmt.all(category, limit, offset);
+    return rows.map(rowToDetection);
+}
+export function listByKqlTag(tag, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    SELECT * FROM detections
+    WHERE source_type = 'kql' AND kql_tags LIKE ?
+    ORDER BY name
+    LIMIT ? OFFSET ?
+  `);
+    const rows = stmt.all(`%"${tag}"%`, limit, offset);
+    return rows.map(rowToDetection);
+}
+export function listByKqlDatasource(dataSource, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    SELECT * FROM detections
+    WHERE source_type = 'kql' AND data_sources LIKE ?
+    ORDER BY name
+    LIMIT ? OFFSET ?
+  `);
+    const rows = stmt.all(`%${dataSource}%`, limit, offset);
+    return rows.map(rowToDetection);
+}
+export function listByMitreTactic(tactic, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    SELECT * FROM detections 
+    WHERE mitre_tactics LIKE ? 
+    ORDER BY name 
+    LIMIT ? OFFSET ?
+  `);
+    const rows = stmt.all(`%"${tactic}"%`, limit, offset);
+    return rows.map(rowToDetection);
+}
 export function getStats() {
     const database = initDb();
     const total = database.prepare('SELECT COUNT(*) as count FROM detections').get().count;
     const sigma = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'sigma'").get().count;
     const splunk = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'splunk_escu'").get().count;
+    const elastic = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'elastic'").get().count;
+    const kql = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'kql'").get().count;
     // Count by severity
     const severityRows = database.prepare(`
     SELECT severity, COUNT(*) as count FROM detections 
@@ -222,13 +418,65 @@ export function getStats() {
     SELECT COUNT(*) as count FROM detections 
     WHERE mitre_ids != '[]' AND mitre_ids IS NOT NULL
   `).get().count;
+    // Count detections with CVE mappings
+    const cve_coverage = database.prepare(`
+    SELECT COUNT(*) as count FROM detections 
+    WHERE cves != '[]' AND cves IS NOT NULL
+  `).get().count;
+    // Count by MITRE tactic
+    const tacticRows = database.prepare(`
+    SELECT mitre_tactics FROM detections 
+    WHERE mitre_tactics != '[]' AND mitre_tactics IS NOT NULL
+  `).all();
+    const by_mitre_tactic = {};
+    for (const row of tacticRows) {
+        const tactics = JSON.parse(row.mitre_tactics);
+        for (const tactic of tactics) {
+            by_mitre_tactic[tactic] = (by_mitre_tactic[tactic] || 0) + 1;
+        }
+    }
+    // Count by detection type
+    const typeRows = database.prepare(`
+    SELECT detection_type, COUNT(*) as count FROM detections 
+    WHERE detection_type IS NOT NULL 
+    GROUP BY detection_type
+  `).all();
+    const by_detection_type = {};
+    for (const row of typeRows) {
+        by_detection_type[row.detection_type] = row.count;
+    }
+    // Count stories (optional table)
+    let stories_count = 0;
+    const by_story_category = {};
+    try {
+        stories_count = database.prepare('SELECT COUNT(*) as count FROM stories').get().count;
+        const categoryRows = database.prepare(`
+      SELECT category, COUNT(*) as count FROM stories 
+      WHERE category IS NOT NULL 
+      GROUP BY category
+    `).all();
+        for (const row of categoryRows) {
+            by_story_category[row.category] = row.count;
+        }
+    }
+    catch {
+        // Stories table might not exist or be empty - that's fine
+    }
     return {
         total,
         sigma,
         splunk_escu: splunk,
+        elastic,
+        kql,
         by_severity,
         by_logsource_product,
         mitre_coverage,
+        cve_coverage,
+        by_mitre_tactic,
+        by_detection_type,
+        stories_count,
+        by_story_category,
+        by_elastic_index: {}, // Could be populated if needed
     };
 }
 export function getRawYaml(id) {
@@ -246,3 +494,384 @@ export function getDetectionCount() {
     const database = initDb();
     return database.prepare('SELECT COUNT(*) as count FROM detections').get().count;
 }
+// Story-related functions
+export function insertStory(story) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    INSERT OR REPLACE INTO stories 
+    (id, name, description, narrative, author, date, version, status, refs, category, usecase, detection_names)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+    stmt.run(story.id, story.name, story.description, story.narrative, story.author, story.date, story.version, story.status, JSON.stringify(story.references), story.category, story.usecase, JSON.stringify(story.detection_names));
+}
+function rowToStory(row) {
+    return {
+        id: row.id,
+        name: row.name,
+        description: row.description || '',
+        narrative: row.narrative || '',
+        author: row.author,
+        date: row.date,
+        version: row.version,
+        status: row.status,
+        references: JSON.parse(row.refs || '[]'),
+        category: row.category,
+        usecase: row.usecase,
+        detection_names: JSON.parse(row.detection_names || '[]'),
+    };
+}
+export function getStoryByName(name) {
+    const database = initDb();
+    const stmt = database.prepare('SELECT * FROM stories WHERE name = ?');
+    const row = stmt.get(name);
+    return row ? rowToStory(row) : null;
+}
+export function getStoryById(id) {
+    const database = initDb();
+    const stmt = database.prepare('SELECT * FROM stories WHERE id = ?');
+    const row = stmt.get(id);
+    return row ? rowToStory(row) : null;
+}
+export function searchStories(query, limit = 20) {
+    const database = initDb();
+    try {
+        const stmt = database.prepare(`
+      SELECT s.* FROM stories s
+      JOIN stories_fts fts ON s.rowid = fts.rowid
+      WHERE stories_fts MATCH ?
+      ORDER BY rank
+      LIMIT ?
+    `);
+        const rows = stmt.all(query, limit);
+        return rows.map(rowToStory);
+    }
+    catch {
+        // If no stories indexed, return empty
+        return [];
+    }
+}
+export function listStories(limit = 100, offset = 0) {
+    const database = initDb();
+    try {
+        const stmt = database.prepare('SELECT * FROM stories ORDER BY name LIMIT ? OFFSET ?');
+        const rows = stmt.all(limit, offset);
+        return rows.map(rowToStory);
+    }
+    catch {
+        return [];
+    }
+}
+export function listStoriesByCategory(category, limit = 100, offset = 0) {
+    const database = initDb();
+    try {
+        const stmt = database.prepare('SELECT * FROM stories WHERE category = ? ORDER BY name LIMIT ? OFFSET ?');
+        const rows = stmt.all(category, limit, offset);
+        return rows.map(rowToStory);
+    }
+    catch {
+        return [];
+    }
+}
+export function getStoryCount() {
+    const database = initDb();
+    try {
+        return database.prepare('SELECT COUNT(*) as count FROM stories').get().count;
+    }
+    catch {
+        return 0;
+    }
+}
+export function getTechniqueIds(filters = {}) {
+    const database = initDb();
+    let sql = "SELECT DISTINCT mitre_ids FROM detections WHERE mitre_ids != '[]' AND mitre_ids IS NOT NULL";
+    const params = [];
+    if (filters.source_type) {
+        sql += ' AND source_type = ?';
+        params.push(filters.source_type);
+    }
+    if (filters.tactic) {
+        sql += ' AND mitre_tactics LIKE ?';
+        params.push(`%"${filters.tactic}"%`);
+    }
+    if (filters.severity) {
+        sql += ' AND severity = ?';
+        params.push(filters.severity);
+    }
+    const stmt = database.prepare(sql);
+    const rows = stmt.all(...params);
+    // Extract and dedupe all technique IDs
+    const techniqueSet = new Set();
+    for (const row of rows) {
+        const ids = JSON.parse(row.mitre_ids);
+        for (const id of ids) {
+            techniqueSet.add(id);
+        }
+    }
+    return Array.from(techniqueSet).sort();
+}
+// Threat profiles for gap analysis
+const THREAT_PROFILES = {
+    ransomware: [
+        'T1486', 'T1490', 'T1027', 'T1547.001', 'T1059.001', 'T1059.003',
+        'T1562.001', 'T1112', 'T1070.004', 'T1048', 'T1567', 'T1078',
+        'T1566.001', 'T1204.002', 'T1055', 'T1543.003'
+    ],
+    apt: [
+        'T1003.001', 'T1003.002', 'T1003.003', 'T1021.001', 'T1021.002',
+        'T1053.005', 'T1071.001', 'T1071.004', 'T1105', 'T1027', 'T1055',
+        'T1078', 'T1136', 'T1098', 'T1087', 'T1069', 'T1018', 'T1082'
+    ],
+    'initial-access': [
+        'T1566.001', 'T1566.002', 'T1190', 'T1078', 'T1133', 'T1200',
+        'T1091', 'T1195.002', 'T1199', 'T1189'
+    ],
+    persistence: [
+        'T1547.001', 'T1547.004', 'T1543.003', 'T1053.005', 'T1136.001',
+        'T1098', 'T1505.003', 'T1546.001', 'T1574.001', 'T1574.002'
+    ],
+    'credential-access': [
+        'T1003.001', 'T1003.002', 'T1003.003', 'T1003.004', 'T1003.006',
+        'T1555', 'T1552.001', 'T1110', 'T1558.003', 'T1539', 'T1606.001'
+    ],
+    'defense-evasion': [
+        'T1027', 'T1070.001', 'T1070.004', 'T1055', 'T1036', 'T1562.001',
+        'T1218', 'T1112', 'T1140', 'T1202', 'T1564.001'
+    ]
+};
+// Analyze coverage efficiently
+export function analyzeCoverage(sourceType) {
+    const database = initDb();
+    // Get all technique IDs covered
+    let countSql = 'SELECT COUNT(DISTINCT id) as count FROM detections';
+    if (sourceType)
+        countSql += ' WHERE source_type = ?';
+    const totalDetections = sourceType
+        ? database.prepare(countSql).get(sourceType).count
+        : database.prepare(countSql).get().count;
+    // Get techniques with counts
+    let sql = "SELECT mitre_ids, mitre_tactics FROM detections WHERE mitre_ids != '[]'";
+    if (sourceType)
+        sql += ' AND source_type = ?';
+    const rows = sourceType
+        ? database.prepare(sql).all(sourceType)
+        : database.prepare(sql).all();
+    // Count techniques and tactics
+    const techCounts = {};
+    const tacticCounts = {};
+    const allTactics = [
+        'reconnaissance', 'resource-development', 'initial-access', 'execution',
+        'persistence', 'privilege-escalation', 'defense-evasion', 'credential-access',
+        'discovery', 'lateral-movement', 'collection', 'command-and-control',
+        'exfiltration', 'impact'
+    ];
+    for (const t of allTactics) {
+        tacticCounts[t] = new Set();
+    }
+    for (const row of rows) {
+        const ids = JSON.parse(row.mitre_ids);
+        const tactics = JSON.parse(row.mitre_tactics || '[]');
+        for (const id of ids) {
+            techCounts[id] = (techCounts[id] || 0) + 1;
+            for (const tactic of tactics) {
+                if (tacticCounts[tactic]) {
+                    tacticCounts[tactic].add(id);
+                }
+            }
+        }
+    }
+    // Build coverage by tactic (approx totals from ATT&CK)
+    const tacticTotals = {
+        'reconnaissance': 10, 'resource-development': 8, 'initial-access': 10,
+        'execution': 14, 'persistence': 20, 'privilege-escalation': 14,
+        'defense-evasion': 43, 'credential-access': 17, 'discovery': 31,
+        'lateral-movement': 9, 'collection': 17, 'command-and-control': 18,
+        'exfiltration': 9, 'impact': 14
+    };
+    const coverageByTactic = {};
+    for (const tactic of allTactics) {
+        const covered = tacticCounts[tactic].size;
+        const total = tacticTotals[tactic];
+        coverageByTactic[tactic] = {
+            covered,
+            total,
+            percent: Math.round((covered / total) * 100)
+        };
+    }
+    // Top covered and weak coverage
+    const sorted = Object.entries(techCounts).sort((a, b) => b[1] - a[1]);
+    const topCovered = sorted.slice(0, 10).map(([t, c]) => ({ technique: t, detection_count: c }));
+    const weakCoverage = sorted.filter(([_, c]) => c === 1).slice(0, 10).map(([t, c]) => ({ technique: t, detection_count: c }));
+    return {
+        summary: {
+            total_techniques: Object.keys(techCounts).length,
+            total_detections: totalDetections,
+            coverage_by_tactic: coverageByTactic,
+        },
+        top_covered: topCovered,
+        weak_coverage: weakCoverage,
+    };
+}
+// Identify gaps based on threat profile
+export function identifyGaps(threatProfile, sourceType) {
+    const targetTechniques = THREAT_PROFILES[threatProfile.toLowerCase()] || THREAT_PROFILES['apt'];
+    // Get what we have coverage for
+    const coveredTechs = new Set(getTechniqueIds({ source_type: sourceType }));
+    // Find gaps
+    const gaps = [];
+    const covered = [];
+    for (const tech of targetTechniques) {
+        if (coveredTechs.has(tech)) {
+            covered.push(tech);
+        }
+        else {
+            // Check if we have sub-technique coverage
+            const hasSubCoverage = Array.from(coveredTechs).some(t => t.startsWith(tech + '.'));
+            const hasParentCoverage = coveredTechs.has(tech.split('.')[0]);
+            let priority = 'P0';
+            let reason = 'No detection coverage';
+            if (hasSubCoverage) {
+                priority = 'P2';
+                reason = 'Has sub-technique coverage but not parent';
+            }
+            else if (hasParentCoverage) {
+                priority = 'P1';
+                reason = 'Has parent technique coverage, may catch this';
+            }
+            gaps.push({ technique: tech, priority, reason });
+        }
+    }
+    // Sort by priority
+    gaps.sort((a, b) => a.priority.localeCompare(b.priority));
+    // Generate recommendations
+    const recommendations = [
+        `${covered.length}/${targetTechniques.length} techniques covered for ${threatProfile}`,
+        `${gaps.filter(g => g.priority === 'P0').length} critical gaps (P0) need immediate attention`,
+    ];
+    if (gaps.length > 0) {
+        recommendations.push(`Top priority: ${gaps[0].technique} - ${gaps[0].reason}`);
+    }
+    return {
+        threat_profile: threatProfile,
+        total_gaps: gaps.length,
+        critical_gaps: gaps.slice(0, 15),
+        covered,
+        recommendations,
+    };
+}
+// Suggest detections for a technique
+export function suggestDetections(techniqueId, sourceType) {
+    const database = initDb();
+    // Find existing detections for this technique
+    let sql = "SELECT id, name, source_type, data_sources FROM detections WHERE mitre_ids LIKE ?";
+    const params = [`%"${techniqueId}"%`];
+    if (sourceType) {
+        sql += ' AND source_type = ?';
+        params.push(sourceType);
+    }
+    sql += ' LIMIT 10';
+    const rows = database.prepare(sql).all(...params);
+    const existingDetections = rows.map(r => ({
+        id: r.id,
+        name: r.name,
+        source: r.source_type
+    }));
+    // Collect data sources from existing detections
+    const dataSources = new Set();
+    for (const row of rows) {
+        const ds = JSON.parse(row.data_sources || '[]');
+        ds.forEach(d => dataSources.add(d));
+    }
+    // Generate detection ideas based on technique pattern
+    const ideas = [];
+    const techBase = techniqueId.split('.')[0];
+    const ideaMap = {
+        'T1059': ['Monitor process creation for script interpreters', 'Track command-line arguments for encoded commands', 'Alert on unusual parent-child process relationships'],
+        'T1003': ['Monitor LSASS access patterns', 'Track credential dumping tool signatures', 'Alert on suspicious memory access'],
+        'T1547': ['Monitor registry run key modifications', 'Track startup folder changes', 'Alert on new autostart entries'],
+        'T1055': ['Monitor for CreateRemoteThread', 'Track process injection patterns', 'Alert on memory allocation in remote processes'],
+        'T1027': ['Detect encoded/obfuscated scripts', 'Monitor for packed executables', 'Track file entropy anomalies'],
+        'T1071': ['Monitor for beaconing patterns', 'Track DNS query anomalies', 'Alert on unusual HTTP/S traffic'],
+        'T1486': ['Monitor for mass file modifications', 'Track encryption-related API calls', 'Alert on ransom note creation'],
+        'T1490': ['Monitor vssadmin/wbadmin usage', 'Track backup deletion attempts', 'Alert on bcdedit modifications'],
+    };
+    ideas.push(...(ideaMap[techBase] || ['Review MITRE ATT&CK for detection guidance', 'Check data source requirements', 'Consider behavioral vs signature detection']));
+    return {
+        technique_id: techniqueId,
+        existing_detections: existingDetections,
+        data_sources_needed: Array.from(dataSources).slice(0, 10),
+        detection_ideas: ideas,
+    };
+}
+export function generateNavigatorLayer(options) {
+    const techniqueIds = getTechniqueIds({
+        source_type: options.source_type,
+        tactic: options.tactic,
+        severity: options.severity,
+    });
+    // Build techniques array with scores based on detection count
+    const database = initDb();
+    const techniques = [];
+    // Color gradient: red (no coverage) -> yellow (low) -> green (good)
+    function getColorForScore(score) {
+        if (score >= 80)
+            return '#1a8c1a'; // Dark green - excellent
+        if (score >= 60)
+            return '#8ec843'; // Light green - good
+        if (score >= 40)
+            return '#ffe766'; // Yellow - moderate
+        if (score >= 20)
+            return '#ff9933'; // Orange - low
+        return '#ff6666'; // Red - minimal
+    }
+    for (const techId of techniqueIds) {
+        let countSql = 'SELECT COUNT(*) as count FROM detections WHERE mitre_ids LIKE ?';
+        const countParams = [`%"${techId}"%`];
+        if (options.source_type) {
+            countSql += ' AND source_type = ?';
+            countParams.push(options.source_type);
+        }
+        if (options.tactic) {
+            countSql += ' AND mitre_tactics LIKE ?';
+            countParams.push(`%"${options.tactic}"%`);
+        }
+        const count = database.prepare(countSql).get(...countParams).count;
+        const score = Math.min(count * 20, 100); // Scale: 1 detection = 20, max 100
+        techniques.push({
+            techniqueID: techId,
+            score,
+            comment: `${count} detection(s)`,
+            color: getColorForScore(score),
+            enabled: true,
+            showSubtechniques: false,
+        });
+    }
+    // ATT&CK Navigator layer format
+    return {
+        name: options.name,
+        versions: {
+            attack: '18',
+            navigator: '5.1.0',
+            layer: '4.5',
+        },
+        domain: 'enterprise-attack',
+        description: options.description || `Generated from ${techniqueIds.length} techniques`,
+        filters: { platforms: ['Windows', 'Linux', 'macOS'] },
+        sorting: 0,
+        layout: { layout: 'side', aggregateFunction: 'average', showID: true, showName: true },
+        hideDisabled: false,
+        techniques,
+        gradient: {
+            colors: ['#ff6666', '#ffe766', '#8ec843'],
+            minValue: 0,
+            maxValue: 100,
+        },
+        legendItems: [],
+        metadata: [],
+        links: [],
+        showTacticRowBackground: false,
+        tacticRowBackground: '#dddddd',
+        selectTechniquesAcrossTactics: true,
+        selectSubtechniquesWithParent: false,
+        selectVisibleTechniques: false,
+    };
+}