security-detections-mcp 1.1.0 → 1.2.0

package/dist/db.js

@@ -47,7 +47,11 @@ export function initDb() {
       process_names TEXT,
       file_paths TEXT,
       registry_paths TEXT,
-      mitre_tactics TEXT
+      mitre_tactics TEXT,
+      platforms TEXT,
+      kql_category TEXT,
+      kql_tags TEXT,
+      kql_keywords TEXT
     )
   `);
     // Create FTS5 virtual table for full-text search with all searchable fields
@@ -66,6 +70,10 @@ export function initDb() {
       file_paths,
       registry_paths,
       mitre_tactics,
+      platforms,
+      kql_category,
+      kql_tags,
+      kql_keywords,
       content='detections',
       content_rowid='rowid'
     )
@@ -73,22 +81,22 @@ export function initDb() {
     // Create triggers to keep FTS in sync
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_ai AFTER INSERT ON detections BEGIN
-      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics)
-      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics);
+      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
+      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords);
     END
   `);
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_ad AFTER DELETE ON detections BEGIN
-      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics)
-      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics);
+      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
+      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords);
     END
   `);
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_au AFTER UPDATE ON detections BEGIN
-      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics)
-      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics);
-      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics)
-      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics);
+      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
+      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords);
+      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
+      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords);
     END
   `);
     // Create indexes for common queries
@@ -99,6 +107,7 @@ export function initDb() {
     db.exec(`CREATE INDEX IF NOT EXISTS idx_detection_type ON detections(detection_type)`);
     db.exec(`CREATE INDEX IF NOT EXISTS idx_asset_type ON detections(asset_type)`);
     db.exec(`CREATE INDEX IF NOT EXISTS idx_security_domain ON detections(security_domain)`);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_kql_category ON detections(kql_category)`);
     // Create stories table (optional - provides rich context for analytic stories)
     db.exec(`
     CREATE TABLE IF NOT EXISTS stories (
@@ -167,10 +176,10 @@ export function insertDetection(detection) {
      logsource_product, logsource_service, severity, status, author, 
      date_created, date_modified, refs, falsepositives, tags, file_path, raw_yaml,
      cves, analytic_stories, data_sources, detection_type, asset_type, security_domain,
-     process_names, file_paths, registry_paths, mitre_tactics)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+     process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
   `);
-    stmt.run(detection.id, detection.name, detection.description, detection.query, detection.source_type, JSON.stringify(detection.mitre_ids), detection.logsource_category, detection.logsource_product, detection.logsource_service, detection.severity, detection.status, detection.author, detection.date_created, detection.date_modified, JSON.stringify(detection.references), JSON.stringify(detection.falsepositives), JSON.stringify(detection.tags), detection.file_path, detection.raw_yaml, JSON.stringify(detection.cves), JSON.stringify(detection.analytic_stories), JSON.stringify(detection.data_sources), detection.detection_type, detection.asset_type, detection.security_domain, JSON.stringify(detection.process_names), JSON.stringify(detection.file_paths), JSON.stringify(detection.registry_paths), JSON.stringify(detection.mitre_tactics));
+    stmt.run(detection.id, detection.name, detection.description, detection.query, detection.source_type, JSON.stringify(detection.mitre_ids), detection.logsource_category, detection.logsource_product, detection.logsource_service, detection.severity, detection.status, detection.author, detection.date_created, detection.date_modified, JSON.stringify(detection.references), JSON.stringify(detection.falsepositives), JSON.stringify(detection.tags), detection.file_path, detection.raw_yaml, JSON.stringify(detection.cves), JSON.stringify(detection.analytic_stories), JSON.stringify(detection.data_sources), detection.detection_type, detection.asset_type, detection.security_domain, JSON.stringify(detection.process_names), JSON.stringify(detection.file_paths), JSON.stringify(detection.registry_paths), JSON.stringify(detection.mitre_tactics), JSON.stringify(detection.platforms), detection.kql_category, JSON.stringify(detection.kql_tags), JSON.stringify(detection.kql_keywords));
 }
 function rowToDetection(row) {
     return {
@@ -203,6 +212,10 @@ function rowToDetection(row) {
         file_paths: JSON.parse(row.file_paths || '[]'),
         registry_paths: JSON.parse(row.registry_paths || '[]'),
         mitre_tactics: JSON.parse(row.mitre_tactics || '[]'),
+        platforms: JSON.parse(row.platforms || '[]'),
+        kql_category: row.kql_category,
+        kql_tags: JSON.parse(row.kql_tags || '[]'),
+        kql_keywords: JSON.parse(row.kql_keywords || '[]'),
     };
 }
 export function searchDetections(query, limit = 50) {
@@ -327,6 +340,39 @@ export function listByDataSource(dataSource, limit = 100, offset = 0) {
     const rows = stmt.all(`%${dataSource}%`, limit, offset);
     return rows.map(rowToDetection);
 }
+export function listByKqlCategory(category, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    SELECT * FROM detections
+    WHERE source_type = 'kql' AND kql_category = ?
+    ORDER BY name
+    LIMIT ? OFFSET ?
+  `);
+    const rows = stmt.all(category, limit, offset);
+    return rows.map(rowToDetection);
+}
+export function listByKqlTag(tag, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    SELECT * FROM detections
+    WHERE source_type = 'kql' AND kql_tags LIKE ?
+    ORDER BY name
+    LIMIT ? OFFSET ?
+  `);
+    const rows = stmt.all(`%"${tag}"%`, limit, offset);
+    return rows.map(rowToDetection);
+}
+export function listByKqlDatasource(dataSource, limit = 100, offset = 0) {
+    const database = initDb();
+    const stmt = database.prepare(`
+    SELECT * FROM detections
+    WHERE source_type = 'kql' AND data_sources LIKE ?
+    ORDER BY name
+    LIMIT ? OFFSET ?
+  `);
+    const rows = stmt.all(`%${dataSource}%`, limit, offset);
+    return rows.map(rowToDetection);
+}
 export function listByMitreTactic(tactic, limit = 100, offset = 0) {
     const database = initDb();
     const stmt = database.prepare(`
@@ -344,6 +390,7 @@ export function getStats() {
     const sigma = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'sigma'").get().count;
     const splunk = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'splunk_escu'").get().count;
     const elastic = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'elastic'").get().count;
+    const kql = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'kql'").get().count;
     // Count by severity
     const severityRows = database.prepare(`
     SELECT severity, COUNT(*) as count FROM detections 
@@ -420,6 +467,7 @@ export function getStats() {
         sigma,
         splunk_escu: splunk,
         elastic,
+        kql,
         by_severity,
         by_logsource_product,
         mitre_coverage,
@@ -533,3 +581,297 @@ export function getStoryCount() {
         return 0;
     }
 }
+export function getTechniqueIds(filters = {}) {
+    const database = initDb();
+    let sql = "SELECT DISTINCT mitre_ids FROM detections WHERE mitre_ids != '[]' AND mitre_ids IS NOT NULL";
+    const params = [];
+    if (filters.source_type) {
+        sql += ' AND source_type = ?';
+        params.push(filters.source_type);
+    }
+    if (filters.tactic) {
+        sql += ' AND mitre_tactics LIKE ?';
+        params.push(`%"${filters.tactic}"%`);
+    }
+    if (filters.severity) {
+        sql += ' AND severity = ?';
+        params.push(filters.severity);
+    }
+    const stmt = database.prepare(sql);
+    const rows = stmt.all(...params);
+    // Extract and dedupe all technique IDs
+    const techniqueSet = new Set();
+    for (const row of rows) {
+        const ids = JSON.parse(row.mitre_ids);
+        for (const id of ids) {
+            techniqueSet.add(id);
+        }
+    }
+    return Array.from(techniqueSet).sort();
+}
+// Threat profiles for gap analysis
+const THREAT_PROFILES = {
+    ransomware: [
+        'T1486', 'T1490', 'T1027', 'T1547.001', 'T1059.001', 'T1059.003',
+        'T1562.001', 'T1112', 'T1070.004', 'T1048', 'T1567', 'T1078',
+        'T1566.001', 'T1204.002', 'T1055', 'T1543.003'
+    ],
+    apt: [
+        'T1003.001', 'T1003.002', 'T1003.003', 'T1021.001', 'T1021.002',
+        'T1053.005', 'T1071.001', 'T1071.004', 'T1105', 'T1027', 'T1055',
+        'T1078', 'T1136', 'T1098', 'T1087', 'T1069', 'T1018', 'T1082'
+    ],
+    'initial-access': [
+        'T1566.001', 'T1566.002', 'T1190', 'T1078', 'T1133', 'T1200',
+        'T1091', 'T1195.002', 'T1199', 'T1189'
+    ],
+    persistence: [
+        'T1547.001', 'T1547.004', 'T1543.003', 'T1053.005', 'T1136.001',
+        'T1098', 'T1505.003', 'T1546.001', 'T1574.001', 'T1574.002'
+    ],
+    'credential-access': [
+        'T1003.001', 'T1003.002', 'T1003.003', 'T1003.004', 'T1003.006',
+        'T1555', 'T1552.001', 'T1110', 'T1558.003', 'T1539', 'T1606.001'
+    ],
+    'defense-evasion': [
+        'T1027', 'T1070.001', 'T1070.004', 'T1055', 'T1036', 'T1562.001',
+        'T1218', 'T1112', 'T1140', 'T1202', 'T1564.001'
+    ]
+};
+// Analyze coverage efficiently
+export function analyzeCoverage(sourceType) {
+    const database = initDb();
+    // Get all technique IDs covered
+    let countSql = 'SELECT COUNT(DISTINCT id) as count FROM detections';
+    if (sourceType)
+        countSql += ' WHERE source_type = ?';
+    const totalDetections = sourceType
+        ? database.prepare(countSql).get(sourceType).count
+        : database.prepare(countSql).get().count;
+    // Get techniques with counts
+    let sql = "SELECT mitre_ids, mitre_tactics FROM detections WHERE mitre_ids != '[]'";
+    if (sourceType)
+        sql += ' AND source_type = ?';
+    const rows = sourceType
+        ? database.prepare(sql).all(sourceType)
+        : database.prepare(sql).all();
+    // Count techniques and tactics
+    const techCounts = {};
+    const tacticCounts = {};
+    const allTactics = [
+        'reconnaissance', 'resource-development', 'initial-access', 'execution',
+        'persistence', 'privilege-escalation', 'defense-evasion', 'credential-access',
+        'discovery', 'lateral-movement', 'collection', 'command-and-control',
+        'exfiltration', 'impact'
+    ];
+    for (const t of allTactics) {
+        tacticCounts[t] = new Set();
+    }
+    for (const row of rows) {
+        const ids = JSON.parse(row.mitre_ids);
+        const tactics = JSON.parse(row.mitre_tactics || '[]');
+        for (const id of ids) {
+            techCounts[id] = (techCounts[id] || 0) + 1;
+            for (const tactic of tactics) {
+                if (tacticCounts[tactic]) {
+                    tacticCounts[tactic].add(id);
+                }
+            }
+        }
+    }
+    // Build coverage by tactic (approx totals from ATT&CK)
+    const tacticTotals = {
+        'reconnaissance': 10, 'resource-development': 8, 'initial-access': 10,
+        'execution': 14, 'persistence': 20, 'privilege-escalation': 14,
+        'defense-evasion': 43, 'credential-access': 17, 'discovery': 31,
+        'lateral-movement': 9, 'collection': 17, 'command-and-control': 18,
+        'exfiltration': 9, 'impact': 14
+    };
+    const coverageByTactic = {};
+    for (const tactic of allTactics) {
+        const covered = tacticCounts[tactic].size;
+        const total = tacticTotals[tactic];
+        coverageByTactic[tactic] = {
+            covered,
+            total,
+            percent: Math.round((covered / total) * 100)
+        };
+    }
+    // Top covered and weak coverage
+    const sorted = Object.entries(techCounts).sort((a, b) => b[1] - a[1]);
+    const topCovered = sorted.slice(0, 10).map(([t, c]) => ({ technique: t, detection_count: c }));
+    const weakCoverage = sorted.filter(([_, c]) => c === 1).slice(0, 10).map(([t, c]) => ({ technique: t, detection_count: c }));
+    return {
+        summary: {
+            total_techniques: Object.keys(techCounts).length,
+            total_detections: totalDetections,
+            coverage_by_tactic: coverageByTactic,
+        },
+        top_covered: topCovered,
+        weak_coverage: weakCoverage,
+    };
+}
+// Identify gaps based on threat profile
+export function identifyGaps(threatProfile, sourceType) {
+    const targetTechniques = THREAT_PROFILES[threatProfile.toLowerCase()] || THREAT_PROFILES['apt'];
+    // Get what we have coverage for
+    const coveredTechs = new Set(getTechniqueIds({ source_type: sourceType }));
+    // Find gaps
+    const gaps = [];
+    const covered = [];
+    for (const tech of targetTechniques) {
+        if (coveredTechs.has(tech)) {
+            covered.push(tech);
+        }
+        else {
+            // Check if we have sub-technique coverage
+            const hasSubCoverage = Array.from(coveredTechs).some(t => t.startsWith(tech + '.'));
+            const hasParentCoverage = coveredTechs.has(tech.split('.')[0]);
+            let priority = 'P0';
+            let reason = 'No detection coverage';
+            if (hasSubCoverage) {
+                priority = 'P2';
+                reason = 'Has sub-technique coverage but not parent';
+            }
+            else if (hasParentCoverage) {
+                priority = 'P1';
+                reason = 'Has parent technique coverage, may catch this';
+            }
+            gaps.push({ technique: tech, priority, reason });
+        }
+    }
+    // Sort by priority
+    gaps.sort((a, b) => a.priority.localeCompare(b.priority));
+    // Generate recommendations
+    const recommendations = [
+        `${covered.length}/${targetTechniques.length} techniques covered for ${threatProfile}`,
+        `${gaps.filter(g => g.priority === 'P0').length} critical gaps (P0) need immediate attention`,
+    ];
+    if (gaps.length > 0) {
+        recommendations.push(`Top priority: ${gaps[0].technique} - ${gaps[0].reason}`);
+    }
+    return {
+        threat_profile: threatProfile,
+        total_gaps: gaps.length,
+        critical_gaps: gaps.slice(0, 15),
+        covered,
+        recommendations,
+    };
+}
+// Suggest detections for a technique
+export function suggestDetections(techniqueId, sourceType) {
+    const database = initDb();
+    // Find existing detections for this technique
+    let sql = "SELECT id, name, source_type, data_sources FROM detections WHERE mitre_ids LIKE ?";
+    const params = [`%"${techniqueId}"%`];
+    if (sourceType) {
+        sql += ' AND source_type = ?';
+        params.push(sourceType);
+    }
+    sql += ' LIMIT 10';
+    const rows = database.prepare(sql).all(...params);
+    const existingDetections = rows.map(r => ({
+        id: r.id,
+        name: r.name,
+        source: r.source_type
+    }));
+    // Collect data sources from existing detections
+    const dataSources = new Set();
+    for (const row of rows) {
+        const ds = JSON.parse(row.data_sources || '[]');
+        ds.forEach(d => dataSources.add(d));
+    }
+    // Generate detection ideas based on technique pattern
+    const ideas = [];
+    const techBase = techniqueId.split('.')[0];
+    const ideaMap = {
+        'T1059': ['Monitor process creation for script interpreters', 'Track command-line arguments for encoded commands', 'Alert on unusual parent-child process relationships'],
+        'T1003': ['Monitor LSASS access patterns', 'Track credential dumping tool signatures', 'Alert on suspicious memory access'],
+        'T1547': ['Monitor registry run key modifications', 'Track startup folder changes', 'Alert on new autostart entries'],
+        'T1055': ['Monitor for CreateRemoteThread', 'Track process injection patterns', 'Alert on memory allocation in remote processes'],
+        'T1027': ['Detect encoded/obfuscated scripts', 'Monitor for packed executables', 'Track file entropy anomalies'],
+        'T1071': ['Monitor for beaconing patterns', 'Track DNS query anomalies', 'Alert on unusual HTTP/S traffic'],
+        'T1486': ['Monitor for mass file modifications', 'Track encryption-related API calls', 'Alert on ransom note creation'],
+        'T1490': ['Monitor vssadmin/wbadmin usage', 'Track backup deletion attempts', 'Alert on bcdedit modifications'],
+    };
+    ideas.push(...(ideaMap[techBase] || ['Review MITRE ATT&CK for detection guidance', 'Check data source requirements', 'Consider behavioral vs signature detection']));
+    return {
+        technique_id: techniqueId,
+        existing_detections: existingDetections,
+        data_sources_needed: Array.from(dataSources).slice(0, 10),
+        detection_ideas: ideas,
+    };
+}
+export function generateNavigatorLayer(options) {
+    const techniqueIds = getTechniqueIds({
+        source_type: options.source_type,
+        tactic: options.tactic,
+        severity: options.severity,
+    });
+    // Build techniques array with scores based on detection count
+    const database = initDb();
+    const techniques = [];
+    // Color gradient: red (no coverage) -> yellow (low) -> green (good)
+    function getColorForScore(score) {
+        if (score >= 80)
+            return '#1a8c1a'; // Dark green - excellent
+        if (score >= 60)
+            return '#8ec843'; // Light green - good
+        if (score >= 40)
+            return '#ffe766'; // Yellow - moderate
+        if (score >= 20)
+            return '#ff9933'; // Orange - low
+        return '#ff6666'; // Red - minimal
+    }
+    for (const techId of techniqueIds) {
+        let countSql = 'SELECT COUNT(*) as count FROM detections WHERE mitre_ids LIKE ?';
+        const countParams = [`%"${techId}"%`];
+        if (options.source_type) {
+            countSql += ' AND source_type = ?';
+            countParams.push(options.source_type);
+        }
+        if (options.tactic) {
+            countSql += ' AND mitre_tactics LIKE ?';
+            countParams.push(`%"${options.tactic}"%`);
+        }
+        const count = database.prepare(countSql).get(...countParams).count;
+        const score = Math.min(count * 20, 100); // Scale: 1 detection = 20, max 100
+        techniques.push({
+            techniqueID: techId,
+            score,
+            comment: `${count} detection(s)`,
+            color: getColorForScore(score),
+            enabled: true,
+            showSubtechniques: false,
+        });
+    }
+    // ATT&CK Navigator layer format
+    return {
+        name: options.name,
+        versions: {
+            attack: '18',
+            navigator: '5.1.0',
+            layer: '4.5',
+        },
+        domain: 'enterprise-attack',
+        description: options.description || `Generated from ${techniqueIds.length} techniques`,
+        filters: { platforms: ['Windows', 'Linux', 'macOS'] },
+        sorting: 0,
+        layout: { layout: 'side', aggregateFunction: 'average', showID: true, showName: true },
+        hideDisabled: false,
+        techniques,
+        gradient: {
+            colors: ['#ff6666', '#ffe766', '#8ec843'],
+            minValue: 0,
+            maxValue: 100,
+        },
+        legendItems: [],
+        metadata: [],
+        links: [],
+        showTacticRowBackground: false,
+        tacticRowBackground: '#dddddd',
+        selectTechniquesAcrossTactics: true,
+        selectSubtechniquesWithParent: false,
+        selectVisibleTechniques: false,
+    };
+}