security-detections-mcp 3.1.0 → 3.2.0

package/README.md

@@ -3,11 +3,135 @@
 An MCP (Model Context Protocol) server that lets LLMs query a unified database of **Sigma**, **Splunk ESCU**, **Elastic**, **KQL**, **Sublime**, and **CrowdStrike CQL** security detection rules.
 
 > **New here? Start with the [Setup Guide](./SETUP.md)** -- covers macOS, Windows (WSL & native), and Linux step by step.
+>
+> **Want it hosted? Skip the install entirely: [Hosted MCP Setup Guide](./docs/HOSTED_MCP.md)**
 
-## What's New in 3.1 - New Detection Sources
+## Two Ways to Run It
+
+**Local (full power)** — the npm package you're looking at. Runs on your machine, indexes your own detection repos, exposes all 81 tools. You need Node.js and ~10 minutes.
+
+**Hosted (zero setup)** — a Streamable HTTP server at [`detect.michaelhaag.org/api/mcp/mcp`](https://detect.michaelhaag.org/mcp). Sign up, generate a token, paste one URL into your MCP client. ~25 read-only tools, always in sync with the latest content, 200 calls/day free. Read on for quick-install buttons.
+
+### Install — Local (Cursor)
+
+[![Install Local MCP in Cursor](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=security-detections&config=eyJjb21tYW5kIjoibnB4IiwiYXJncyI6WyIteSIsInNlY3VyaXR5LWRldGVjdGlvbnMtbWNwIl0sImVudiI6eyJTSUdNQV9QQVRIUyI6Ii9wYXRoL3RvL3NpZ21hL3J1bGVzLC9wYXRoL3RvL3NpZ21hL3J1bGVzLXRocmVhdC1odW50aW5nIiwiU1BMVU5LX1BBVEhTIjoiL3BhdGgvdG8vc2VjdXJpdHlfY29udGVudC9kZXRlY3Rpb25zIiwiU1RPUllfUEFUSFMiOiIvcGF0aC90by9zZWN1cml0eV9jb250ZW50L3N0b3JpZXMiLCJFTEFTVElDX1BBVEhTIjoiL3BhdGgvdG8vZGV0ZWN0aW9uLXJ1bGVzL3J1bGVzIiwiS1FMX1BBVEhTIjoiL3BhdGgvdG8va3FsLXJ1bGVzIiwiU1VCTElNRV9QQVRIUyI6Ii9wYXRoL3RvL3N1YmxpbWUtcnVsZXMvZGV0ZWN0aW9uLXJ1bGVzIiwiQ1FMX0hVQl9QQVRIUyI6Ii9wYXRoL3RvL2NxbC1odWIvcXVlcmllcyJ9fQ==)
+
+### Install — Hosted (no setup, token required)
+
+1. **Create a token** at [detect.michaelhaag.org/account/tokens](https://detect.michaelhaag.org/account/tokens). Free tier: 200 calls/day, all read-only tools.
+2. **Click the button for your client** — replace `sdmcp_YOUR_TOKEN_HERE` in the resulting config with the token you just generated.
+
+[![Install Hosted MCP in Cursor](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=security-detections-hosted&config=eyJ1cmwiOiJodHRwczovL2RldGVjdC5taWNoYWVsaGFhZy5vcmcvYXBpL21jcC9tY3AiLCJoZWFkZXJzIjp7IkF1dGhvcml6YXRpb24iOiJCZWFyZXIgc2RtY3BfWU9VUl9UT0tFTl9IRVJFIn19)
+[![Install Hosted MCP in VS Code](https://img.shields.io/badge/VS_Code-Install_Hosted_MCP-0078d4?style=for-the-badge&logo=visualstudiocode&logoColor=white)](vscode:mcp/install?%7B%22name%22%3A%22security-detections%22%2C%22type%22%3A%22http%22%2C%22url%22%3A%22https%3A//detect.michaelhaag.org/api/mcp/mcp%22%2C%22headers%22%3A%7B%22Authorization%22%3A%22Bearer%20sdmcp_YOUR_TOKEN_HERE%22%7D%7D)
+[![Install Hosted MCP in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install_Hosted_MCP-24bfa5?style=for-the-badge&logo=visualstudiocode&logoColor=white)](vscode-insiders:mcp/install?%7B%22name%22%3A%22security-detections%22%2C%22type%22%3A%22http%22%2C%22url%22%3A%22https%3A//detect.michaelhaag.org/api/mcp/mcp%22%2C%22headers%22%3A%7B%22Authorization%22%3A%22Bearer%20sdmcp_YOUR_TOKEN_HERE%22%7D%7D)
+
+**Claude Code** (CLI one-liner):
+
+```bash
+claude mcp add --transport http security-detections \
+  https://detect.michaelhaag.org/api/mcp/mcp \
+  --header "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"
+```
+
+**Claude Desktop** (via [`mcp-remote`](https://github.com/geelen/mcp-remote) — Desktop doesn't speak remote HTTP natively yet):
+
+```json
+{
+  "mcpServers": {
+    "security-detections": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "mcp-remote",
+        "https://detect.michaelhaag.org/api/mcp/mcp",
+        "--header",
+        "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"
+      ]
+    }
+  }
+}
+```
+
+**OpenAI Codex** (CLI):
+
+```bash
+codex mcp add security-detections \
+  --transport http https://detect.michaelhaag.org/api/mcp/mcp \
+  --header "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"
+```
+
+See the [Hosted MCP Setup Guide](./docs/HOSTED_MCP.md) for the full table of clients, the complete tool inventory, and troubleshooting tips.
+
+## What's New in 3.2
+
+### MITRE ATT&CK STIX Integration & Threat Actor Coverage
+
+Ingest the official MITRE ATT&CK STIX bundle to auto-populate **172 threat actors**, **784 software/malware**, and **4,362 actor-technique relationships**. Answer "What's our coverage against APT29?" with a single tool call.
+
+- **`analyze_actor_coverage`** - Coverage analysis against a specific threat actor: which of their known techniques have detections, coverage %, and prioritized gaps
+- **`list_actors`** - Browse all 172 MITRE ATT&CK threat actors with technique counts
+- **`compare_actor_coverage`** - Compare coverage across multiple actors, find shared gaps
+- **`get_actor_profile`** - Full actor dossier: description, aliases, techniques, software, coverage status
+
+```
+"What's our coverage against APT29?"
+
+APT29 (Cozy Bear, Midnight Blizzard, NOBELIUM)
+Techniques: 66 | Covered: 48 | Gaps: 18 | Coverage: 73%
+
+  By Tactic:
+    credential-access: 7/8 (88%)    persistence: 12/15 (80%)
+    defense-evasion: 10/15 (67%)    initial-access: 5/9 (56%)
+
+  Priority Gaps:
+    T1021.007 Cloud Services (lateral-movement)
+    T1556.006 Multi-Factor Authentication (credential-access, defense-evasion)
+    T1550.004 Web Session Cookie (defense-evasion, lateral-movement)
+```
+
+**Setup**: Download `enterprise-attack.json` and set `ATTACK_STIX_PATH`:
+```bash
+git clone https://github.com/mitre-attack/attack-stix-data.git
+# Set ATTACK_STIX_PATH=/path/to/attack-stix-data/enterprise-attack/enterprise-attack.json
+```
+
+### Materialized Relationship Graph
+
+Junction tables (`detection_techniques`, `technique_tactics`) replace JSON LIKE scans with indexed JOINs. Queries like `list_by_mitre` are now backed by proper SQL joins instead of `WHERE mitre_ids LIKE '%T1059%'` patterns. Dynamic tactic totals from STIX replace hardcoded values in coverage analysis.
+
+### Procedure-Level Coverage Analysis
+
+Go beyond "we cover T1059.001" to answer **which specific behaviors** your detections actually catch. Auto-extracted from 8,200+ detection rules at index time.
+
+- **`analyze_procedure_coverage`** - Break down a technique into behavioral procedures (encoded commands, download cradles, AMSI bypass, etc.) and show which ones your detections cover vs. miss
+- **`compare_procedure_coverage`** - Cross-source matrix showing which source catches which procedures — reveals single-source gaps and redundancy
+- **`generate_navigator_layer`** - Export ATT&CK Navigator JSON layers, filterable by source/tactic/severity/actor, ready to import at [mitre-attack.github.io/attack-navigator](https://mitre-attack.github.io/attack-navigator/)
+
+```
+"Are we actually covered for credential dumping?"
+
+T1003.001 — LSASS Memory
+Detections: 109 | Depth: moderate | Procedures: 45/59 (76%)
+
+  ✓ LSASS Memory Access        40 detections  [sigma, splunk_escu, elastic]
+  ✓ Mimikatz Usage              10 detections  [sigma, elastic]
+  ✓ Comsvcs.dll MiniDump         6 detections  [sigma, elastic, splunk_escu]
+  ✓ ProcDump LSASS Dump          8 detections  [sigma, splunk_escu, elastic]
+  ✗ NanoDump / Custom Dumpers   — single-source gap (sigma only)
+```
+
+Procedures are **auto-extracted at index time** — when new detection sources are added, procedure coverage regenerates automatically. 16 high-priority techniques have hand-curated procedure data; the rest are auto-clustered from detection queries, descriptions, and process names.
+
+### New Detection Sources
 
 - **CrowdStrike CQL Hub** - Query and search CrowdStrike Query Language (CQL) detections from the CQL Hub community repository
-- **Sublime Rules** - Query and search Sublime Security detection rules for email-based threats
+- **Sublime Rules** - Query and search Sublime Security detection rules for email-based threats (now mapped to MITRE ATT&CK techniques)
+
+## What's New in 3.1 - CQL Hub & Sublime Sources
+
+- Added CrowdStrike CQL Hub and Sublime Security as detection sources
+- Sublime rules now mapped to MITRE ATT&CK technique IDs via `attack_types` and `tactics_and_techniques`
+- Updated ATT&CK Navigator layer generation to v18.1 / Navigator v5.3.1
 
 ## What's New in 3.0 - Autonomous Detection Platform
 
@@ -96,10 +220,6 @@ The autonomous pipeline integrates with existing MCPs:
 
 See the [Autonomous Platform Documentation](./docs/AUTONOMOUS.md) for full details, and the [E2E Testing Guide](./docs/E2E-TESTING-GUIDE.md) for per-SIEM setup (Splunk, Sentinel, Elastic, Sigma).
 
-[![Install MCP Server](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=security-detections&config=eyJjb21tYW5kIjoibnB4IiwiYXJncyI6WyIteSIsInNlY3VyaXR5LWRldGVjdGlvbnMtbWNwIl0sImVudiI6eyJTSUdNQV9QQVRIUyI6Ii9wYXRoL3RvL3NpZ21hL3J1bGVzLC9wYXRoL3RvL3NpZ21hL3J1bGVzLXRocmVhdC1odW50aW5nIiwiU1BMVU5LX1BBVEhTIjoiL3BhdGgvdG8vc2VjdXJpdHlfY29udGVudC9kZXRlY3Rpb25zIiwiU1RPUllfUEFUSFMiOiIvcGF0aC90by9zZWN1cml0eV9jb250ZW50L3N0b3JpZXMiLCJFTEFTVElDX1BBVEhTIjoiL3BhdGgvdG8vZGV0ZWN0aW9uLXJ1bGVzL3J1bGVzIiwiS1FMX1BBVEhTIjoiL3BhdGgvdG8va3FsLXJ1bGVzIn19)
-
-> **Detailed setup**: See the **[Setup Guide](./SETUP.md)** for step-by-step install on macOS, Windows (WSL & native), and Linux with troubleshooting for common issues.
-
 ## 🐛 Version 2.1.1 (Bug Fix)
 
 - **Fixed Windows EBUSY crash** - SQLite database recreation now handles Windows file locking with retry logic. Previously, Windows users would get `EBUSY: resource busy or locked` on startup.

package/dist/db/attack.d.ts

@@ -0,0 +1,102 @@
+/**
+ * ATT&CK Data Access Layer
+ *
+ * Query functions for MITRE ATT&CK STIX-sourced data:
+ * threat actors, software, technique coverage, and actor-based gap analysis.
+ */
+export interface AttackActor {
+    actor_id: string;
+    name: string;
+    aliases: string[];
+    description: string | null;
+    external_references: unknown[];
+    created: string | null;
+    modified: string | null;
+}
+export interface AttackTechnique {
+    technique_id: string;
+    name: string;
+    description: string | null;
+    platforms: string[];
+    data_sources: string[];
+    is_subtechnique: boolean;
+    parent_technique_id: string | null;
+    url: string | null;
+}
+export interface AttackSoftware {
+    software_id: string;
+    name: string;
+    software_type: string;
+    description: string | null;
+    platforms: string[];
+    aliases: string[];
+}
+export interface ActorTechnique {
+    technique_id: string;
+    technique_name: string;
+    description: string | null;
+    detection_count: number;
+    tactics: string[];
+}
+export interface ActorCoverageResult {
+    actor: AttackActor;
+    total_techniques: number;
+    covered_count: number;
+    gap_count: number;
+    coverage_percentage: number;
+    covered_techniques: ActorTechnique[];
+    gap_techniques: ActorTechnique[];
+    by_tactic: Record<string, {
+        total: number;
+        covered: number;
+        percentage: number;
+    }>;
+}
+export interface ActorListItem {
+    actor_id: string;
+    name: string;
+    aliases: string[];
+    technique_count: number;
+}
+/**
+ * Check if STIX data has been loaded into the database.
+ */
+export declare function isStixLoaded(): boolean;
+/**
+ * Find a threat actor by name or alias (case-insensitive).
+ */
+export declare function getActorByName(name: string): AttackActor | null;
+/**
+ * List all threat actors, optionally filtered by search term.
+ */
+export declare function listActors(search?: string, limit?: number): ActorListItem[];
+/**
+ * Get all techniques used by a specific actor, with detection coverage info.
+ */
+export declare function getActorTechniques(actorId: string): ActorTechnique[];
+/**
+ * Get full detection coverage analysis for a threat actor.
+ */
+export declare function getActorCoverage(actorId: string, sourceType?: string): ActorCoverageResult;
+/**
+ * Get all software used by a specific actor.
+ */
+export declare function getSoftwareForActor(actorId: string): AttackSoftware[];
+/**
+ * Get all threat actors that use a specific technique.
+ */
+export declare function getTechniqueActors(techniqueId: string): AttackActor[];
+/**
+ * Get a technique from the ATT&CK catalog.
+ */
+export declare function getAttackTechnique(techniqueId: string): AttackTechnique | null;
+/**
+ * Get total counts for ATT&CK data.
+ */
+export declare function getAttackStats(): {
+    techniques: number;
+    actors: number;
+    software: number;
+    actor_technique_links: number;
+    software_technique_links: number;
+};

package/dist/db/attack.js

@@ -0,0 +1,311 @@
+/**
+ * ATT&CK Data Access Layer
+ *
+ * Query functions for MITRE ATT&CK STIX-sourced data:
+ * threat actors, software, technique coverage, and actor-based gap analysis.
+ */
+import { getDb } from './connection.js';
+import { safeJsonParse } from '../utils/helpers.js';
+// =============================================================================
+// HELPERS
+// =============================================================================
+function rowToActor(row) {
+    return {
+        actor_id: row.actor_id,
+        name: row.name,
+        aliases: safeJsonParse(row.aliases, []),
+        description: row.description || null,
+        external_references: safeJsonParse(row.external_references, []),
+        created: row.created || null,
+        modified: row.modified || null,
+    };
+}
+function rowToTechnique(row) {
+    return {
+        technique_id: row.technique_id,
+        name: row.name,
+        description: row.description || null,
+        platforms: safeJsonParse(row.platforms, []),
+        data_sources: safeJsonParse(row.data_sources, []),
+        is_subtechnique: row.is_subtechnique === 1,
+        parent_technique_id: row.parent_technique_id || null,
+        url: row.url || null,
+    };
+}
+function rowToSoftware(row) {
+    return {
+        software_id: row.software_id,
+        name: row.name,
+        software_type: row.software_type || 'unknown',
+        description: row.description || null,
+        platforms: safeJsonParse(row.platforms, []),
+        aliases: safeJsonParse(row.aliases, []),
+    };
+}
+// =============================================================================
+// QUERY FUNCTIONS
+// =============================================================================
+/**
+ * Check if STIX data has been loaded into the database.
+ */
+export function isStixLoaded() {
+    try {
+        const row = getDb().prepare('SELECT COUNT(*) as count FROM attack_actors').get();
+        return row.count > 0;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Find a threat actor by name or alias (case-insensitive).
+ */
+export function getActorByName(name) {
+    const database = getDb();
+    // Try exact name match first
+    let row = database.prepare('SELECT * FROM attack_actors WHERE name = ? COLLATE NOCASE').get(name);
+    if (row)
+        return rowToActor(row);
+    // Try alias match
+    row = database.prepare("SELECT * FROM attack_actors WHERE aliases LIKE ? COLLATE NOCASE").get(`%"${name}"%`);
+    if (row)
+        return rowToActor(row);
+    // Try partial name match
+    row = database.prepare('SELECT * FROM attack_actors WHERE name LIKE ? COLLATE NOCASE').get(`%${name}%`);
+    return row ? rowToActor(row) : null;
+}
+/**
+ * List all threat actors, optionally filtered by search term.
+ */
+export function listActors(search, limit = 100) {
+    const database = getDb();
+    let query;
+    let params;
+    if (search) {
+        query = `
+      SELECT a.*, COUNT(at.technique_id) as technique_count
+      FROM attack_actors a
+      LEFT JOIN actor_techniques at ON a.actor_id = at.actor_id
+      WHERE a.name LIKE ? COLLATE NOCASE OR a.aliases LIKE ? COLLATE NOCASE
+      GROUP BY a.actor_id
+      ORDER BY technique_count DESC
+      LIMIT ?
+    `;
+        params = [`%${search}%`, `%${search}%`, limit];
+    }
+    else {
+        query = `
+      SELECT a.*, COUNT(at.technique_id) as technique_count
+      FROM attack_actors a
+      LEFT JOIN actor_techniques at ON a.actor_id = at.actor_id
+      GROUP BY a.actor_id
+      ORDER BY technique_count DESC
+      LIMIT ?
+    `;
+        params = [limit];
+    }
+    const rows = database.prepare(query).all(...params);
+    return rows.map(row => ({
+        actor_id: row.actor_id,
+        name: row.name,
+        aliases: safeJsonParse(row.aliases, []),
+        technique_count: row.technique_count || 0,
+    }));
+}
+/**
+ * Get all techniques used by a specific actor, with detection coverage info.
+ */
+export function getActorTechniques(actorId) {
+    const database = getDb();
+    const rows = database.prepare(`
+    SELECT
+      at.technique_id,
+      COALESCE(atk.name, at.technique_id) as technique_name,
+      at.description,
+      COUNT(DISTINCT dt.detection_id) as detection_count
+    FROM actor_techniques at
+    LEFT JOIN attack_techniques atk ON at.technique_id = atk.technique_id
+    LEFT JOIN detection_techniques dt ON at.technique_id = dt.technique_id
+    WHERE at.actor_id = ?
+    GROUP BY at.technique_id
+    ORDER BY detection_count DESC
+  `).all(actorId);
+    // Get tactics for each technique
+    return rows.map(row => {
+        const techId = row.technique_id;
+        const tacticRows = database.prepare('SELECT tactic_name FROM technique_tactics WHERE technique_id = ?').all(techId);
+        return {
+            technique_id: techId,
+            technique_name: row.technique_name,
+            description: row.description || null,
+            detection_count: row.detection_count || 0,
+            tactics: tacticRows.map(r => r.tactic_name),
+        };
+    });
+}
+/**
+ * Get full detection coverage analysis for a threat actor.
+ */
+export function getActorCoverage(actorId, sourceType) {
+    const database = getDb();
+    // Get the actor
+    const actorRow = database.prepare('SELECT * FROM attack_actors WHERE actor_id = ?').get(actorId);
+    if (!actorRow) {
+        throw new Error(`Actor not found: ${actorId}`);
+    }
+    const actor = rowToActor(actorRow);
+    // Get all techniques for this actor with detection counts
+    let detectionCountQuery;
+    let queryParams;
+    if (sourceType) {
+        detectionCountQuery = `
+      SELECT
+        at.technique_id,
+        COALESCE(atk.name, at.technique_id) as technique_name,
+        at.description,
+        COUNT(DISTINCT dt.detection_id) as detection_count
+      FROM actor_techniques at
+      LEFT JOIN attack_techniques atk ON at.technique_id = atk.technique_id
+      LEFT JOIN detection_techniques dt ON at.technique_id = dt.technique_id
+      LEFT JOIN detections d ON dt.detection_id = d.id AND d.source_type = ?
+      WHERE at.actor_id = ?
+      GROUP BY at.technique_id
+      ORDER BY detection_count DESC
+    `;
+        queryParams = [sourceType, actorId];
+    }
+    else {
+        detectionCountQuery = `
+      SELECT
+        at.technique_id,
+        COALESCE(atk.name, at.technique_id) as technique_name,
+        at.description,
+        COUNT(DISTINCT dt.detection_id) as detection_count
+      FROM actor_techniques at
+      LEFT JOIN attack_techniques atk ON at.technique_id = atk.technique_id
+      LEFT JOIN detection_techniques dt ON at.technique_id = dt.technique_id
+      WHERE at.actor_id = ?
+      GROUP BY at.technique_id
+      ORDER BY detection_count DESC
+    `;
+        queryParams = [actorId];
+    }
+    const rows = database.prepare(detectionCountQuery).all(...queryParams);
+    const covered = [];
+    const gaps = [];
+    const byTactic = {};
+    for (const row of rows) {
+        const techId = row.technique_id;
+        const detectionCount = row.detection_count || 0;
+        // Get tactics for this technique
+        const tacticRows = database.prepare('SELECT tactic_name FROM technique_tactics WHERE technique_id = ?').all(techId);
+        const tactics = tacticRows.map(r => r.tactic_name);
+        const entry = {
+            technique_id: techId,
+            technique_name: row.technique_name,
+            description: row.description || null,
+            detection_count: detectionCount,
+            tactics,
+        };
+        if (detectionCount > 0) {
+            covered.push(entry);
+        }
+        else {
+            gaps.push(entry);
+        }
+        // Aggregate by tactic
+        for (const tactic of tactics) {
+            if (!byTactic[tactic]) {
+                byTactic[tactic] = { total: 0, covered: 0, percentage: 0 };
+            }
+            byTactic[tactic].total++;
+            if (detectionCount > 0) {
+                byTactic[tactic].covered++;
+            }
+        }
+    }
+    // Calculate percentages
+    for (const tactic of Object.keys(byTactic)) {
+        byTactic[tactic].percentage = byTactic[tactic].total > 0
+            ? Math.round((byTactic[tactic].covered / byTactic[tactic].total) * 100)
+            : 0;
+    }
+    const totalTechniques = rows.length;
+    const coveragePercentage = totalTechniques > 0
+        ? Math.round((covered.length / totalTechniques) * 100)
+        : 0;
+    return {
+        actor,
+        total_techniques: totalTechniques,
+        covered_count: covered.length,
+        gap_count: gaps.length,
+        coverage_percentage: coveragePercentage,
+        covered_techniques: covered,
+        gap_techniques: gaps,
+        by_tactic: byTactic,
+    };
+}
+/**
+ * Get all software used by a specific actor.
+ */
+export function getSoftwareForActor(actorId) {
+    const database = getDb();
+    // STIX models actor→software as "uses" relationships too,
+    // but we only stored actor→technique and software→technique.
+    // So we find software that shares techniques with this actor.
+    const rows = database.prepare(`
+    SELECT DISTINCT s.*
+    FROM attack_software s
+    JOIN software_techniques st ON s.software_id = st.software_id
+    WHERE st.technique_id IN (
+      SELECT technique_id FROM actor_techniques WHERE actor_id = ?
+    )
+    ORDER BY s.name
+  `).all(actorId);
+    return rows.map(rowToSoftware);
+}
+/**
+ * Get all threat actors that use a specific technique.
+ */
+export function getTechniqueActors(techniqueId) {
+    const database = getDb();
+    const rows = database.prepare(`
+    SELECT a.*
+    FROM attack_actors a
+    JOIN actor_techniques at ON a.actor_id = at.actor_id
+    WHERE at.technique_id = ?
+    ORDER BY a.name
+  `).all(techniqueId);
+    return rows.map(rowToActor);
+}
+/**
+ * Get a technique from the ATT&CK catalog.
+ */
+export function getAttackTechnique(techniqueId) {
+    const database = getDb();
+    const row = database.prepare('SELECT * FROM attack_techniques WHERE technique_id = ?').get(techniqueId);
+    return row ? rowToTechnique(row) : null;
+}
+/**
+ * Get total counts for ATT&CK data.
+ */
+export function getAttackStats() {
+    const database = getDb();
+    try {
+        const techniques = database.prepare('SELECT COUNT(*) as c FROM attack_techniques').get().c;
+        const actors = database.prepare('SELECT COUNT(*) as c FROM attack_actors').get().c;
+        const software = database.prepare('SELECT COUNT(*) as c FROM attack_software').get().c;
+        const actorLinks = database.prepare('SELECT COUNT(*) as c FROM actor_techniques').get().c;
+        const swLinks = database.prepare('SELECT COUNT(*) as c FROM software_techniques').get().c;
+        return {
+            techniques,
+            actors,
+            software,
+            actor_technique_links: actorLinks,
+            software_technique_links: swLinks,
+        };
+    }
+    catch {
+        return { techniques: 0, actors: 0, software: 0, actor_technique_links: 0, software_technique_links: 0 };
+    }
+}

package/dist/db/detections.d.ts

@@ -62,6 +62,7 @@ export interface NavigatorLayerOptions {
     source_type?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql';
     tactic?: string;
     severity?: string;
+    actor_name?: string;
 }
 export interface DetectionListItem {
     name: string;
@@ -196,6 +197,34 @@ export declare function suggestDetections(techniqueId: string, sourceType?: 'sig
  * Generate an ATT&CK Navigator layer from detection coverage.
  */
 export declare function generateNavigatorLayer(options: NavigatorLayerOptions): object;
+/**
+ * Auto-extract procedure reference data from detections for a technique.
+ * Clusters detections by behavioral category and generates procedure entries.
+ */
+export declare function autoExtractProcedures(techniqueId: string): {
+    technique_id: string;
+    procedures_generated: number;
+    detection_count: number;
+};
+/**
+ * Extract procedures for ALL techniques in the database.
+ * Loads hand-curated procedures first, then auto-extracts for the rest.
+ * Called after indexing completes.
+ */
+export declare function extractAllProcedures(): {
+    techniques_processed: number;
+    procedures_generated: number;
+    hand_curated_loaded: number;
+};
+/**
+ * Populate detection_techniques and technique_tactics junction tables
+ * from existing detection data. Runs as a post-indexing bulk operation
+ * in a single transaction for performance.
+ */
+export declare function populateJunctionTables(): {
+    detection_techniques: number;
+    technique_tactics: number;
+};
 /**
  * Search detections returning only name, ID, and basic info.
  */