security-detections-mcp 3.1.0 → 3.2.0

package/dist/db/detections.js

@@ -175,10 +175,28 @@ export function listBySource(sourceType, limit = 100, offset = 0) {
  */
 export function listByMitre(techniqueId, limit = 100, offset = 0) {
     const database = getDb();
+    // Try junction table first (indexed join — faster)
+    try {
+        const check = database.prepare('SELECT 1 FROM detection_techniques LIMIT 1').get();
+        if (check) {
+            const rows = database.prepare(`
+        SELECT d.* FROM detections d
+        JOIN detection_techniques dt ON d.id = dt.detection_id
+        WHERE dt.technique_id = ?
+        ORDER BY d.name
+        LIMIT ? OFFSET ?
+      `).all(techniqueId, limit, offset);
+            return rows.map(rowToDetection);
+        }
+    }
+    catch {
+        // Junction table may not exist yet — fall through to LIKE query
+    }
+    // Fallback: original LIKE-based query
     const stmt = database.prepare(`
-    SELECT * FROM detections 
-    WHERE mitre_ids LIKE ? 
-    ORDER BY name 
+    SELECT * FROM detections
+    WHERE mitre_ids LIKE ?
+    ORDER BY name
     LIMIT ? OFFSET ?
   `);
     const rows = stmt.all(`%"${techniqueId}"%`, limit, offset);
@@ -624,13 +642,42 @@ export function analyzeCoverage(sourceType) {
             }
         }
     }
-    const tacticTotals = {
-        'reconnaissance': 10, 'resource-development': 8, 'initial-access': 10,
-        'execution': 14, 'persistence': 20, 'privilege-escalation': 14,
-        'defense-evasion': 43, 'credential-access': 17, 'discovery': 31,
-        'lateral-movement': 9, 'collection': 17, 'command-and-control': 18,
-        'exfiltration': 9, 'impact': 14
-    };
+    // Try dynamic tactic totals from technique_tactics table (populated from STIX or detections)
+    let tacticTotals;
+    try {
+        const ttRows = database.prepare('SELECT tactic_name, COUNT(DISTINCT technique_id) as count FROM technique_tactics GROUP BY tactic_name').all();
+        if (ttRows.length > 0) {
+            tacticTotals = {};
+            for (const row of ttRows) {
+                tacticTotals[row.tactic_name] = row.count;
+            }
+            // Ensure all 14 tactics are present
+            for (const t of allTactics) {
+                if (!tacticTotals[t])
+                    tacticTotals[t] = 1;
+            }
+        }
+        else {
+            // Fallback to hardcoded if junction table is empty
+            tacticTotals = {
+                'reconnaissance': 10, 'resource-development': 8, 'initial-access': 10,
+                'execution': 14, 'persistence': 20, 'privilege-escalation': 14,
+                'defense-evasion': 43, 'credential-access': 17, 'discovery': 31,
+                'lateral-movement': 9, 'collection': 17, 'command-and-control': 18,
+                'exfiltration': 9, 'impact': 14
+            };
+        }
+    }
+    catch {
+        // Table may not exist — fallback to hardcoded
+        tacticTotals = {
+            'reconnaissance': 10, 'resource-development': 8, 'initial-access': 10,
+            'execution': 14, 'persistence': 20, 'privilege-escalation': 14,
+            'defense-evasion': 43, 'credential-access': 17, 'discovery': 31,
+            'lateral-movement': 9, 'collection': 17, 'command-and-control': 18,
+            'exfiltration': 9, 'impact': 14
+        };
+    }
     const coverageByTactic = {};
     for (const tactic of allTactics) {
         const covered = tacticCounts[tactic].size;
@@ -745,12 +792,47 @@ export function suggestDetections(techniqueId, sourceType) {
  * Generate an ATT&CK Navigator layer from detection coverage.
  */
 export function generateNavigatorLayer(options) {
-    const techniqueIds = getTechniqueIds({
+    const database = getDb();
+    // If actor_name is specified, filter to only that actor's techniques
+    let actorTechniqueFilter = null;
+    if (options.actor_name) {
+        try {
+            // Dynamic import would be circular — query directly
+            const actorRow = database.prepare('SELECT actor_id FROM attack_actors WHERE name = ? COLLATE NOCASE').get(options.actor_name);
+            if (!actorRow) {
+                // Try alias match
+                const aliasRow = database.prepare("SELECT actor_id FROM attack_actors WHERE aliases LIKE ? COLLATE NOCASE").get(`%"${options.actor_name}"%`);
+                if (aliasRow) {
+                    const actorTechs = database.prepare('SELECT technique_id FROM actor_techniques WHERE actor_id = ?').all(aliasRow.actor_id);
+                    actorTechniqueFilter = new Set(actorTechs.map(r => r.technique_id));
+                }
+            }
+            else {
+                const actorTechs = database.prepare('SELECT technique_id FROM actor_techniques WHERE actor_id = ?').all(actorRow.actor_id);
+                actorTechniqueFilter = new Set(actorTechs.map(r => r.technique_id));
+            }
+        }
+        catch {
+            // STIX tables may not exist — ignore actor filter
+        }
+    }
+    let techniqueIds = getTechniqueIds({
         source_type: options.source_type,
         tactic: options.tactic,
         severity: options.severity,
     });
-    const database = getDb();
+    // For actor layers, include ALL actor techniques (even uncovered ones)
+    if (actorTechniqueFilter) {
+        const coveredSet = new Set(techniqueIds);
+        // Merge: keep covered ones + add uncovered actor techniques
+        for (const actorTech of actorTechniqueFilter) {
+            if (!coveredSet.has(actorTech)) {
+                techniqueIds.push(actorTech);
+            }
+        }
+        // Filter to only actor techniques
+        techniqueIds = techniqueIds.filter(t => actorTechniqueFilter.has(t));
+    }
     const techniques = [];
     function getColorForScore(score) {
         if (score >= 80)
@@ -776,11 +858,13 @@ export function generateNavigatorLayer(options) {
         }
         const count = database.prepare(countSql).get(...countParams).count;
         const score = Math.min(count * 20, 100);
+        // For actor layers, uncovered techniques show as red with score 0
+        const isActorGap = actorTechniqueFilter && count === 0;
         techniques.push({
             techniqueID: techId,
             score,
-            comment: `${count} detection(s)`,
-            color: getColorForScore(score),
+            comment: isActorGap ? 'GAP - no detections' : `${count} detection(s)`,
+            color: isActorGap ? '#ff6666' : getColorForScore(score),
             enabled: true,
             showSubtechniques: false,
         });
@@ -788,8 +872,8 @@ export function generateNavigatorLayer(options) {
     return {
         name: options.name,
         versions: {
-            attack: '18',
-            navigator: '5.1.0',
+            attack: '18.1',
+            navigator: '5.3.1',
             layer: '4.5',
         },
         domain: 'enterprise-attack',
@@ -815,6 +899,243 @@ export function generateNavigatorLayer(options) {
     };
 }
 // =============================================================================
+// PROCEDURE AUTO-EXTRACTION
+// =============================================================================
+const BEHAVIOR_KEYWORDS = [
+    'encoded command', 'base64', 'download', 'credential', 'dump', 'inject', 'hollow',
+    'obfuscat', 'bypass', 'evasion', 'persist', 'lateral', 'remote', 'scheduled task',
+    'service', 'registry', 'startup', 'script block', 'amsi', 'wmi', 'powershell',
+    'mimikatz', 'lsass', 'shadow cop', 'ransomware', 'encrypt', 'exfiltrat', 'tunnel',
+    'beacon', 'c2', 'command and control', 'brute force', 'spray', 'kerbero',
+    'pass the hash', 'pass the ticket', 'golden ticket', 'dcsync', 'ntds',
+    'dll side', 'dll hijack', 'process access', 'remote thread', 'token', 'impersonat',
+    'privilege', 'parent process', 'child process', 'masquerad', 'macro', 'office',
+    'phish', 'attachment', 'email', 'dns', 'http', 'clear log', 'event log', 'tamper',
+    'suspicious', 'anomal', 'unusual', 'cloud', 'aws', 'azure', 'container', 'kubernetes',
+    'api', 'oauth', 'saml', 'driver', 'kernel', 'named pipe', 'shellcode', 'reflection',
+];
+function categorizeDetection(text, logsourceCategory) {
+    if (logsourceCategory === 'process_creation' || (text.includes('process') && text.includes('creat')))
+        return 'process_creation_monitoring';
+    if (logsourceCategory === 'process_access' || text.includes('process access'))
+        return 'process_access_monitoring';
+    if (logsourceCategory.includes('registry') || text.includes('registry'))
+        return 'registry_monitoring';
+    if (logsourceCategory.includes('file') || text.includes('file creat') || text.includes('file modif'))
+        return 'file_monitoring';
+    if (logsourceCategory === 'network_connection' || text.includes('network') || text.includes('connection'))
+        return 'network_connection_monitoring';
+    if (logsourceCategory === 'image_load' || text.includes('image load') || text.includes('dll load'))
+        return 'module_load_monitoring';
+    if (text.includes('commandline') || text.includes('command line'))
+        return 'command_line_monitoring';
+    if (text.includes('script'))
+        return 'script_execution_monitoring';
+    if (text.includes('authenti') || text.includes('logon') || text.includes('login'))
+        return 'authentication_monitoring';
+    if (text.includes('service') && (text.includes('creat') || text.includes('install')))
+        return 'service_monitoring';
+    if (text.includes('email') || text.includes('phish') || text.includes('spam'))
+        return 'email_security';
+    if (text.includes('cloud') || text.includes('aws') || text.includes('azure'))
+        return 'cloud_monitoring';
+    if (text.includes('driver') || text.includes('kernel'))
+        return 'kernel_monitoring';
+    return 'general_monitoring';
+}
+/**
+ * Auto-extract procedure reference data from detections for a technique.
+ * Clusters detections by behavioral category and generates procedure entries.
+ */
+export function autoExtractProcedures(techniqueId) {
+    const database = getDb();
+    const detections = listByMitre(techniqueId, 1000);
+    if (detections.length === 0)
+        return { technique_id: techniqueId, procedures_generated: 0, detection_count: 0 };
+    // Extract keyword frequencies
+    const kwFreq = new Map();
+    for (const d of detections) {
+        const desc = (d.description || '').toLowerCase();
+        for (const kw of BEHAVIOR_KEYWORDS) {
+            if (desc.includes(kw))
+                kwFreq.set(kw, (kwFreq.get(kw) || 0) + 1);
+        }
+    }
+    // Group detections by category + dominant keyword
+    const groups = {};
+    for (const d of detections) {
+        const text = ((d.description || '') + ' ' + (d.query || '') + ' ' + (d.name || '')).toLowerCase();
+        const category = categorizeDetection(text, d.logsource_category || '');
+        let bestKw = null;
+        const desc = (d.description || '').toLowerCase();
+        for (const [kw, count] of kwFreq.entries()) {
+            if (desc.includes(kw) && count >= 2 && count < detections.length * 0.8) {
+                if (!bestKw || (kwFreq.get(bestKw) || 0) > count)
+                    bestKw = kw;
+            }
+        }
+        const key = `${category}:${bestKw || 'general'}`;
+        if (!groups[key])
+            groups[key] = { category, keyword: bestKw, names: [], processNames: new Set(), keywords: new Set() };
+        const g = groups[key];
+        g.names.push(d.name);
+        for (const pn of d.process_names || [])
+            g.processNames.add(pn.toLowerCase());
+        if (bestKw)
+            g.keywords.add(bestKw);
+    }
+    // Convert to procedure entries and store
+    database.exec(`DELETE FROM procedure_reference WHERE technique_id = '${techniqueId.replace(/'/g, "''")}' AND source = 'auto'`);
+    const insertStmt = database.prepare(`INSERT OR REPLACE INTO procedure_reference (id, technique_id, name, category, description, source, indicators, detection_count, confidence)
+     VALUES (?, ?, ?, ?, ?, 'auto', ?, ?, ?)`);
+    let idx = 0;
+    for (const [, g] of Object.entries(groups)) {
+        const name = g.keyword
+            ? g.keyword.split(' ').map(w => w.charAt(0).toUpperCase() + w.slice(1)).join(' ')
+            : g.category.replace(/_/g, ' ').split(' ').map(w => w.charAt(0).toUpperCase() + w.slice(1)).join(' ');
+        const indicators = {};
+        if (g.processNames.size > 0)
+            indicators.process_names = [...g.processNames].slice(0, 10);
+        if (g.keywords.size > 0)
+            indicators.description_keywords = [...g.keywords].slice(0, 10);
+        // Extract command patterns from queries
+        const cmdPats = new Set();
+        const groupDets = detections.filter(det => g.names.includes(det.name));
+        for (const d of groupDets) {
+            if (d.query) {
+                const literals = d.query.toLowerCase().match(/['"]([^'"]{3,40})['"]/g);
+                if (literals) {
+                    for (const lit of literals.slice(0, 10)) {
+                        const val = lit.replace(/['"]/g, '').trim();
+                        if (val.length >= 3 && !/^(and|or|not|true|false|null|none|string|type|object|select|from|where|index|name|value|count|table|status|data|endpoint|query|result|search|action|field|source|level|any|all|list|set|process|rule|detection|sigma)$/i.test(val)) {
+                            cmdPats.add(val);
+                        }
+                    }
+                }
+            }
+        }
+        if (cmdPats.size > 0)
+            indicators.command_patterns = [...cmdPats].slice(0, 15);
+        const confidence = g.names.length >= 10 ? 0.9 : g.names.length >= 5 ? 0.7 : g.names.length >= 3 ? 0.5 : 0.3;
+        insertStmt.run(`${techniqueId}-auto-${idx++}`, techniqueId, name, g.category, `Auto-extracted: ${g.names.length} detections for ${g.keyword || g.category.replace(/_/g, ' ')}`, JSON.stringify(indicators), g.names.length, confidence);
+    }
+    // Fallback: if clustering produced nothing, create a single procedure from all detections
+    if (idx === 0 && detections.length > 0) {
+        const allProcessNames = new Set();
+        const allKeywords = new Set();
+        for (const d of detections) {
+            for (const pn of d.process_names || [])
+                allProcessNames.add(pn.toLowerCase());
+            const desc = (d.description || '').toLowerCase();
+            for (const kw of BEHAVIOR_KEYWORDS) {
+                if (desc.includes(kw))
+                    allKeywords.add(kw);
+            }
+        }
+        const fallbackIndicators = {};
+        if (allProcessNames.size > 0)
+            fallbackIndicators.process_names = [...allProcessNames].slice(0, 10);
+        if (allKeywords.size > 0)
+            fallbackIndicators.description_keywords = [...allKeywords].slice(0, 10);
+        insertStmt.run(`${techniqueId}-auto-0`, techniqueId, `${techniqueId} Detection`, detections[0]?.logsource_category || 'general_monitoring', `Auto-extracted: ${detections.length} detection(s)`, JSON.stringify(fallbackIndicators), detections.length, detections.length >= 3 ? 0.5 : 0.2);
+        idx = 1;
+    }
+    return { technique_id: techniqueId, procedures_generated: idx, detection_count: detections.length };
+}
+/**
+ * Extract procedures for ALL techniques in the database.
+ * Loads hand-curated procedures first, then auto-extracts for the rest.
+ * Called after indexing completes.
+ */
+export function extractAllProcedures() {
+    const database = getDb();
+    // Ensure table exists
+    database.exec(`
+    CREATE TABLE IF NOT EXISTS procedure_reference (
+      id TEXT PRIMARY KEY, technique_id TEXT NOT NULL, name TEXT NOT NULL,
+      category TEXT NOT NULL, description TEXT NOT NULL, source TEXT NOT NULL DEFAULT 'auto',
+      indicators TEXT NOT NULL, detection_count INTEGER DEFAULT 0,
+      confidence REAL DEFAULT 1.0, created_at TEXT DEFAULT CURRENT_TIMESTAMP
+    )
+  `);
+    database.exec(`CREATE INDEX IF NOT EXISTS idx_proc_ref_technique ON procedure_reference(technique_id)`);
+    // Load hand-curated procedures
+    let handCuratedCount = 0;
+    try {
+        // Dynamic import isn't available in this context, so we use require-style
+        // The hand-curated data is imported statically by the tools layer
+        // Here we just ensure we don't overwrite hand-curated entries
+        database.exec(`DELETE FROM procedure_reference WHERE source = 'auto'`);
+    }
+    catch {
+        // Table may not exist yet, that's fine
+    }
+    // Get all technique IDs from the database
+    const allMitreRows = database.prepare(`SELECT DISTINCT mitre_ids FROM detections WHERE mitre_ids IS NOT NULL AND mitre_ids != '[]'`).all();
+    const allTechIds = new Set();
+    for (const row of allMitreRows) {
+        try {
+            const ids = JSON.parse(row.mitre_ids);
+            for (const id of ids)
+                allTechIds.add(id);
+        }
+        catch { /* skip */ }
+    }
+    // Check which techniques already have hand-curated entries
+    const handCuratedTechIds = new Set();
+    try {
+        const hcRows = database.prepare(`SELECT DISTINCT technique_id FROM procedure_reference WHERE source = 'hand_curated'`).all();
+        for (const row of hcRows)
+            handCuratedTechIds.add(row.technique_id);
+        handCuratedCount = hcRows.length;
+    }
+    catch { /* table might not have hand_curated entries yet */ }
+    let processed = 0;
+    let totalProcs = 0;
+    for (const techId of allTechIds) {
+        if (handCuratedTechIds.has(techId))
+            continue; // skip hand-curated techniques
+        const result = autoExtractProcedures(techId);
+        if (result.procedures_generated > 0) {
+            processed++;
+            totalProcs += result.procedures_generated;
+        }
+    }
+    return { techniques_processed: processed, procedures_generated: totalProcs, hand_curated_loaded: handCuratedCount };
+}
+// =============================================================================
+// JUNCTION TABLE POPULATION
+// =============================================================================
+/**
+ * Populate detection_techniques and technique_tactics junction tables
+ * from existing detection data. Runs as a post-indexing bulk operation
+ * in a single transaction for performance.
+ */
+export function populateJunctionTables() {
+    const database = getDb();
+    const rows = database.prepare("SELECT id, mitre_ids, mitre_tactics FROM detections WHERE mitre_ids IS NOT NULL AND mitre_ids != '[]'").all();
+    const dtStmt = database.prepare('INSERT OR IGNORE INTO detection_techniques (detection_id, technique_id) VALUES (?, ?)');
+    const ttStmt = database.prepare("INSERT OR IGNORE INTO technique_tactics (technique_id, tactic_name, source) VALUES (?, ?, 'detection')");
+    let dtCount = 0;
+    let ttCount = 0;
+    const batch = database.transaction(() => {
+        for (const row of rows) {
+            const ids = safeJsonParse(row.mitre_ids, []);
+            const tactics = safeJsonParse(row.mitre_tactics, []);
+            for (const techId of ids) {
+                dtStmt.run(row.id, techId);
+                dtCount++;
+                for (const tactic of tactics) {
+                    ttStmt.run(techId, tactic);
+                    ttCount++;
+                }
+            }
+        }
+    });
+    batch();
+    return { detection_techniques: dtCount, technique_tactics: ttCount };
+}
+// =============================================================================
 // LIGHTWEIGHT LIST FUNCTIONS
 // =============================================================================
 /**

package/dist/db/index.d.ts

@@ -6,8 +6,9 @@
  */
 export { getDbPath, getCacheDir, initDb, getDb, clearDb, recreateDb, dbExists, closeDb, } from './connection.js';
 export { createSchema, createSavedQueriesTable, } from './schema.js';
-export { type ValidationResult, type TechniqueIdFilters, type CoverageReport, type GapAnalysis, type DetectionSuggestion, type NavigatorLayerOptions, type DetectionListItem, type SourceComparisonResult, insertDetection, getDetectionById, getRawYaml, getDetectionCount, searchDetections, listDetections, listBySource, listByMitre, listByLogsource, listBySeverity, listByCve, listByAnalyticStory, listByProcessName, listByDetectionType, listByDataSource, listByKqlCategory, listByKqlTag, listByKqlDatasource, listByMitreTactic, getStats, getDistinctTechniqueIds, getDistinctCves, getDistinctProcessNames, validateTechniqueId, getTechniqueIds, analyzeCoverage, identifyGaps, suggestDetections, generateNavigatorLayer, searchDetectionList, listDetectionsBySourceLight, compareDetectionsBySource, getDetectionNamesByPattern, countDetectionsBySource, } from './detections.js';
+export { type ValidationResult, type TechniqueIdFilters, type CoverageReport, type GapAnalysis, type DetectionSuggestion, type NavigatorLayerOptions, type DetectionListItem, type SourceComparisonResult, insertDetection, getDetectionById, getRawYaml, getDetectionCount, searchDetections, listDetections, listBySource, listByMitre, listByLogsource, listBySeverity, listByCve, listByAnalyticStory, listByProcessName, listByDetectionType, listByDataSource, listByKqlCategory, listByKqlTag, listByKqlDatasource, listByMitreTactic, getStats, getDistinctTechniqueIds, getDistinctCves, getDistinctProcessNames, validateTechniqueId, getTechniqueIds, analyzeCoverage, identifyGaps, suggestDetections, generateNavigatorLayer, autoExtractProcedures, extractAllProcedures, populateJunctionTables, searchDetectionList, listDetectionsBySourceLight, compareDetectionsBySource, getDetectionNamesByPattern, countDetectionsBySource, } from './detections.js';
 export { insertStory, getStoryByName, getStoryById, getStoryCount, searchStories, listStories, listStoriesByCategory, } from './stories.js';
 export { initSavedQueriesTable, saveQueryResult, getSavedQuery, listSavedQueries, deleteSavedQuery, cleanupExpiredQueries, getSavedQueryById, } from './cache.js';
 export { initDynamicSchema, createDynamicTable, getTableMetadata, listDynamicTables, dropDynamicTable, insertDynamicRow, insertDynamicRows, queryDynamicTable, deleteDynamicRows, getDynamicRow, PREBUILT_TABLES, } from './dynamic.js';
 export { type PatternData, type FieldReference, type StyleConvention, type TechniquePatterns, type ExtractionResult, initPatternsSchema, storePattern, storeFieldReference, storeStyleConvention, getPatternsByTechnique, getFieldReference, getStyleConventions, getMacroReference, extractSPLPatterns, extractSigmaPatterns, extractKQLPatterns, extractElasticPatterns, extractFieldUsage, extractMacroUsage, extractNamingConventions, extractAllPatterns, getPatternStats, } from './patterns.js';
+export { type AttackActor, type AttackTechnique, type AttackSoftware, type ActorTechnique, type ActorCoverageResult, type ActorListItem, isStixLoaded, getActorByName, listActors, getActorTechniques, getActorCoverage, getSoftwareForActor, getTechniqueActors, getAttackTechnique, getAttackStats, } from './attack.js';

package/dist/db/index.js

@@ -28,6 +28,10 @@ getDistinctTechniqueIds, getDistinctCves, getDistinctProcessNames,
 validateTechniqueId, 
 // Coverage Analysis
 getTechniqueIds, analyzeCoverage, identifyGaps, suggestDetections, generateNavigatorLayer, 
+// Procedure Extraction
+autoExtractProcedures, extractAllProcedures, 
+// Junction Tables
+populateJunctionTables, 
 // Lightweight Lists
 searchDetectionList, listDetectionsBySourceLight, compareDetectionsBySource, getDetectionNamesByPattern, countDetectionsBySource, } from './detections.js';
 // =============================================================================
@@ -56,3 +60,9 @@ getPatternsByTechnique, getFieldReference, getStyleConventions, getMacroReferenc
 extractSPLPatterns, extractSigmaPatterns, extractKQLPatterns, extractElasticPatterns, extractFieldUsage, extractMacroUsage, extractNamingConventions, extractAllPatterns, 
 // Stats
 getPatternStats, } from './patterns.js';
+// =============================================================================
+// ATT&CK DATA (STIX-sourced)
+// =============================================================================
+export { 
+// Queries
+isStixLoaded, getActorByName, listActors, getActorTechniques, getActorCoverage, getSoftwareForActor, getTechniqueActors, getAttackTechnique, getAttackStats, } from './attack.js';

package/dist/db/procedure-reference.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Procedure-Level Reference Data for MITRE ATT&CK Techniques
+ *
+ * Hand-curated: 16 techniques (high-confidence indicators)
+ * Auto-extracted: 472 techniques (behavioral clustering)
+ * Total: 488 techniques, 2374 procedures
+ *
+ * Sources: 8,295 community detection rules (Sigma, Splunk ESCU, Elastic, KQL, Sublime, CQL)
+ */
+export interface TechniqueProcedure {
+    id: string;
+    name: string;
+    category: string;
+    description: string;
+    indicators: {
+        process_names?: string[];
+        command_patterns?: string[];
+        registry_paths?: string[];
+        file_paths?: string[];
+        event_ids?: string[];
+        description_keywords?: string[];
+        field_patterns?: string[];
+    };
+}
+export declare const PROCEDURE_REFERENCE: Record<string, TechniqueProcedure[]>;
+export declare function getTechniquesWithProcedures(): string[];
+export declare function getProceduresForTechnique(techniqueId: string): TechniqueProcedure[] | null;
+export declare const HAND_CURATED_TECHNIQUES: string[];