security-detections-mcp 3.1.1 → 3.2.0

package/dist/db/schema.js

@@ -17,6 +17,9 @@ export function createSchema(db) {
     createStoriesFts(db);
     createStoriesTriggers(db);
     createStoriesIndexes(db);
+    createProcedureReferenceTable(db);
+    createJunctionTables(db);
+    createAttackTables(db);
 }
 /**
  * Create the main detections table with all enhanced fields.
@@ -198,6 +201,28 @@ function createStoriesTriggers(db) {
 function createStoriesIndexes(db) {
     db.exec(`CREATE INDEX IF NOT EXISTS idx_story_category ON stories(category)`);
 }
+/**
+ * Create the procedure_reference table for storing auto-extracted
+ * and hand-curated procedure-level ATT&CK coverage data.
+ */
+function createProcedureReferenceTable(db) {
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS procedure_reference (
+      id TEXT PRIMARY KEY,
+      technique_id TEXT NOT NULL,
+      name TEXT NOT NULL,
+      category TEXT NOT NULL,
+      description TEXT NOT NULL,
+      source TEXT NOT NULL DEFAULT 'auto',
+      indicators TEXT NOT NULL,
+      detection_count INTEGER DEFAULT 0,
+      confidence REAL DEFAULT 1.0,
+      created_at TEXT DEFAULT CURRENT_TIMESTAMP
+    )
+  `);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_proc_ref_technique ON procedure_reference(technique_id)`);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_proc_ref_source ON procedure_reference(source)`);
+}
 /**
  * Create the saved queries table for caching.
  * Called on-demand when first accessed.
@@ -217,3 +242,92 @@ export function createSavedQueriesTable(db) {
     db.exec(`CREATE INDEX IF NOT EXISTS idx_saved_query_type ON saved_queries(query_type)`);
     db.exec(`CREATE INDEX IF NOT EXISTS idx_saved_query_name ON saved_queries(name)`);
 }
+/**
+ * Create junction tables for materialized many-to-many relationships.
+ * Replaces JSON LIKE scans with indexed JOINs.
+ */
+function createJunctionTables(db) {
+    // Detection → Technique many-to-many
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS detection_techniques (
+      detection_id TEXT NOT NULL,
+      technique_id TEXT NOT NULL,
+      PRIMARY KEY (detection_id, technique_id)
+    )
+  `);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_dt_technique ON detection_techniques(technique_id)`);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_dt_detection ON detection_techniques(detection_id)`);
+    // Technique → Tactic many-to-many (populated from detections + STIX)
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS technique_tactics (
+      technique_id TEXT NOT NULL,
+      tactic_name TEXT NOT NULL,
+      source TEXT NOT NULL DEFAULT 'detection',
+      PRIMARY KEY (technique_id, tactic_name)
+    )
+  `);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_tt_tactic ON technique_tactics(tactic_name)`);
+}
+/**
+ * Create tables for MITRE ATT&CK STIX data (threat actors, software, techniques).
+ * Populated from enterprise-attack.json when ATTACK_STIX_PATH is configured.
+ */
+function createAttackTables(db) {
+    // Full ATT&CK technique catalog from STIX
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS attack_techniques (
+      technique_id TEXT PRIMARY KEY,
+      name TEXT NOT NULL,
+      description TEXT,
+      platforms TEXT,
+      data_sources TEXT,
+      is_subtechnique INTEGER DEFAULT 0,
+      parent_technique_id TEXT,
+      url TEXT
+    )
+  `);
+    // Threat actor catalog from STIX intrusion-sets
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS attack_actors (
+      actor_id TEXT PRIMARY KEY,
+      name TEXT NOT NULL,
+      aliases TEXT,
+      description TEXT,
+      external_references TEXT,
+      created TEXT,
+      modified TEXT
+    )
+  `);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_actor_name ON attack_actors(name)`);
+    // Software (malware + tools) from STIX
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS attack_software (
+      software_id TEXT PRIMARY KEY,
+      name TEXT NOT NULL,
+      software_type TEXT,
+      description TEXT,
+      platforms TEXT,
+      aliases TEXT
+    )
+  `);
+    // Actor → Technique junction with procedure context
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS actor_techniques (
+      actor_id TEXT NOT NULL,
+      technique_id TEXT NOT NULL,
+      description TEXT,
+      PRIMARY KEY (actor_id, technique_id)
+    )
+  `);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_at_technique ON actor_techniques(technique_id)`);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_at_actor ON actor_techniques(actor_id)`);
+    // Software → Technique junction
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS software_techniques (
+      software_id TEXT NOT NULL,
+      technique_id TEXT NOT NULL,
+      description TEXT,
+      PRIMARY KEY (software_id, technique_id)
+    )
+  `);
+}

package/dist/db.d.ts

@@ -97,6 +97,7 @@ export interface NavigatorLayerOptions {
     source_type?: 'sigma' | 'splunk_escu' | 'elastic';
     tactic?: string;
     severity?: string;
+    actor_name?: string;
 }
 export declare function generateNavigatorLayer(options: NavigatorLayerOptions): object;
 export interface DetectionListItem {

package/dist/db.js

@@ -990,8 +990,8 @@ export function generateNavigatorLayer(options) {
     return {
         name: options.name,
         versions: {
-            attack: '18',
-            navigator: '5.1.0',
+            attack: '18.1',
+            navigator: '5.3.1',
             layer: '4.5',
         },
         domain: 'enterprise-attack',

package/dist/index.js

@@ -12,9 +12,10 @@
  */
 import { createServer, startServer } from './server.js';
 import { registerAllTools, getToolsSummary } from './tools/index.js';
-import { initDb } from './db/connection.js';
+import { initDb, closeDb } from './db/connection.js';
 import { indexDetections, needsIndexing } from './indexer.js';
 import { initPatternsSchema, getPatternStats } from './db/patterns.js';
+import { extractAllProcedures, populateJunctionTables } from './db/detections.js';
 // Parse comma-separated paths from env var
 function parsePaths(envVar) {
     if (!envVar)
@@ -29,6 +30,7 @@ const STORY_PATHS = parsePaths(process.env.STORY_PATHS);
 const KQL_PATHS = parsePaths(process.env.KQL_PATHS);
 const SUBLIME_PATHS = parsePaths(process.env.SUBLIME_PATHS);
 const CQL_HUB_PATHS = parsePaths(process.env.CQL_HUB_PATHS);
+const ATTACK_STIX_PATH = process.env.ATTACK_STIX_PATH;
 // Auto-index on startup if paths are configured and DB is empty
 function autoIndex() {
     if (SIGMA_PATHS.length === 0 && SPLUNK_PATHS.length === 0 && ELASTIC_PATHS.length === 0 && KQL_PATHS.length === 0 && SUBLIME_PATHS.length === 0 && CQL_HUB_PATHS.length === 0) {
@@ -44,6 +46,31 @@ function autoIndex() {
             msg += `, ${result.stories_indexed} stories`;
         }
         console.error(msg);
+        // Re-initialize connection after indexer's recreateDb
+        closeDb();
+        initDb();
+        // Auto-extract procedure reference data from indexed detections
+        console.error('[security-detections-mcp] Extracting procedure-level coverage data...');
+        const procResult = extractAllProcedures();
+        console.error(`[security-detections-mcp] Procedures: ${procResult.procedures_generated} procedures across ${procResult.techniques_processed} techniques`);
+        // Populate junction tables for fast relational queries
+        console.error('[security-detections-mcp] Populating junction tables...');
+        const junctionResult = populateJunctionTables();
+        console.error(`[security-detections-mcp] Junction tables: ${junctionResult.detection_techniques} detection-technique links, ${junctionResult.technique_tactics} technique-tactic links`);
+    }
+}
+// Ingest MITRE ATT&CK STIX data if path is configured
+async function ingestStixData() {
+    if (!ATTACK_STIX_PATH)
+        return;
+    try {
+        const { ingestStixBundle } = await import('./parsers/stix.js');
+        console.error(`[security-detections-mcp] Ingesting ATT&CK STIX data from ${ATTACK_STIX_PATH}...`);
+        const stixResult = ingestStixBundle(ATTACK_STIX_PATH);
+        console.error(`[security-detections-mcp] STIX: ${stixResult.techniques} techniques, ${stixResult.actors} actors, ${stixResult.software} software, ${stixResult.actor_technique_links} actor-technique links`);
+    }
+    catch (err) {
+        console.error(`[security-detections-mcp] STIX ingest failed: ${err instanceof Error ? err.message : String(err)}`);
     }
 }
 async function main() {
@@ -51,6 +78,8 @@ async function main() {
     initDb();
     // Auto-index if configured
     autoIndex();
+    // Ingest MITRE ATT&CK STIX data if configured
+    await ingestStixData();
     // Initialize patterns schema (Detection Engineering Intelligence)
     initPatternsSchema();
     const patternStats = getPatternStats();

package/dist/parsers/kql.js

@@ -95,8 +95,8 @@ function extractMitreTactics(mitreIds) {
 // Extract KQL queries from markdown code blocks
 function extractKqlQueries(content) {
     const queries = [];
-    // Match ```KQL or ```kql blocks
-    const kqlBlocks = content.matchAll(/```(?:KQL|kql)\s*\n([\s\S]*?)```/gi);
+    // Match ```KQL, ```kql, ```Kusto, or ```kusto blocks
+    const kqlBlocks = content.matchAll(/```(?:KQL|kql|Kusto|kusto)\s*\n([\s\S]*?)```/gi);
     for (const match of kqlBlocks) {
         const query = match[1].trim();
         if (query.length > 0) {

package/dist/parsers/stix.d.ts

@@ -0,0 +1,28 @@
+/**
+ * MITRE ATT&CK STIX 2.1 Bundle Parser
+ *
+ * Parses enterprise-attack.json to populate:
+ * - attack_techniques: Full technique catalog with metadata
+ * - attack_actors: Threat actor/intrusion-set catalog
+ * - attack_software: Malware and tool catalog
+ * - actor_techniques: Actor → Technique relationships
+ * - software_techniques: Software → Technique relationships
+ * - technique_tactics: Authoritative technique → tactic mappings
+ *
+ * Zero npm dependencies — pure JSON parsing.
+ */
+export interface StixIngestResult {
+    techniques: number;
+    actors: number;
+    software: number;
+    actor_technique_links: number;
+    software_technique_links: number;
+    technique_tactic_links: number;
+}
+/**
+ * Parse and ingest a MITRE ATT&CK STIX 2.1 bundle into the database.
+ *
+ * @param stixPath Path to enterprise-attack.json
+ * @returns Counts of ingested entities
+ */
+export declare function ingestStixBundle(stixPath: string): StixIngestResult;

package/dist/parsers/stix.js

@@ -0,0 +1,207 @@
+/**
+ * MITRE ATT&CK STIX 2.1 Bundle Parser
+ *
+ * Parses enterprise-attack.json to populate:
+ * - attack_techniques: Full technique catalog with metadata
+ * - attack_actors: Threat actor/intrusion-set catalog
+ * - attack_software: Malware and tool catalog
+ * - actor_techniques: Actor → Technique relationships
+ * - software_techniques: Software → Technique relationships
+ * - technique_tactics: Authoritative technique → tactic mappings
+ *
+ * Zero npm dependencies — pure JSON parsing.
+ */
+import { readFileSync } from 'fs';
+import { getDb } from '../db/connection.js';
+// =============================================================================
+// HELPERS
+// =============================================================================
+/**
+ * Extract the ATT&CK ID (e.g., T1059.001) from a STIX object's external references.
+ */
+function getAttackId(obj) {
+    if (!obj.external_references)
+        return null;
+    for (const ref of obj.external_references) {
+        if (ref.source_name === 'mitre-attack' && ref.external_id) {
+            return ref.external_id;
+        }
+    }
+    return null;
+}
+/**
+ * Extract the ATT&CK URL from external references.
+ */
+function getAttackUrl(obj) {
+    if (!obj.external_references)
+        return null;
+    for (const ref of obj.external_references) {
+        if (ref.source_name === 'mitre-attack' && ref.url) {
+            return ref.url;
+        }
+    }
+    return null;
+}
+/**
+ * Get parent technique ID from a sub-technique ID (e.g., T1059.001 → T1059).
+ */
+function getParentTechniqueId(techniqueId) {
+    const dotIndex = techniqueId.indexOf('.');
+    if (dotIndex === -1)
+        return null;
+    return techniqueId.substring(0, dotIndex);
+}
+/**
+ * Normalize STIX tactic phase names to the project's convention.
+ * STIX uses phase_name like "initial-access" which already matches.
+ */
+function normalizeTactic(phaseName) {
+    return phaseName.toLowerCase().replace(/ /g, '-');
+}
+// =============================================================================
+// MAIN INGEST FUNCTION
+// =============================================================================
+/**
+ * Parse and ingest a MITRE ATT&CK STIX 2.1 bundle into the database.
+ *
+ * @param stixPath Path to enterprise-attack.json
+ * @returns Counts of ingested entities
+ */
+export function ingestStixBundle(stixPath) {
+    const database = getDb();
+    // Read and parse the STIX bundle
+    const raw = readFileSync(stixPath, 'utf-8');
+    const bundle = JSON.parse(raw);
+    if (!bundle.objects || !Array.isArray(bundle.objects)) {
+        throw new Error('Invalid STIX bundle: missing objects array');
+    }
+    // =========================================================================
+    // PASS 1: Build lookup maps and categorize objects
+    // =========================================================================
+    const stixIdToAttackId = new Map(); // STIX ID → T1059.001
+    const stixIdToType = new Map(); // STIX ID → object type
+    const techniques = [];
+    const actors = [];
+    const software = [];
+    const relationships = [];
+    for (const obj of bundle.objects) {
+        // Skip revoked or deprecated objects
+        if (obj.revoked === true || obj.x_mitre_deprecated === true)
+            continue;
+        switch (obj.type) {
+            case 'attack-pattern': {
+                const attackId = getAttackId(obj);
+                if (attackId) {
+                    stixIdToAttackId.set(obj.id, attackId);
+                    stixIdToType.set(obj.id, 'technique');
+                    techniques.push(obj);
+                }
+                break;
+            }
+            case 'intrusion-set': {
+                stixIdToType.set(obj.id, 'actor');
+                actors.push(obj);
+                break;
+            }
+            case 'malware':
+            case 'tool': {
+                stixIdToType.set(obj.id, 'software');
+                software.push(obj);
+                break;
+            }
+            case 'relationship': {
+                if (obj.relationship_type === 'uses') {
+                    relationships.push(obj);
+                }
+                break;
+            }
+        }
+    }
+    // =========================================================================
+    // PASS 2: Insert entities in a transaction
+    // =========================================================================
+    const result = {
+        techniques: 0,
+        actors: 0,
+        software: 0,
+        actor_technique_links: 0,
+        software_technique_links: 0,
+        technique_tactic_links: 0,
+    };
+    const insertTransaction = database.transaction(() => {
+        // --- Techniques ---
+        const techStmt = database.prepare(`
+      INSERT OR REPLACE INTO attack_techniques
+      (technique_id, name, description, platforms, data_sources, is_subtechnique, parent_technique_id, url)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+        // Clear existing STIX-sourced technique_tactics before re-inserting
+        database.prepare("DELETE FROM technique_tactics WHERE source = 'stix'").run();
+        const ttStmt = database.prepare("INSERT OR REPLACE INTO technique_tactics (technique_id, tactic_name, source) VALUES (?, ?, 'stix')");
+        for (const tech of techniques) {
+            const attackId = getAttackId(tech);
+            const isSubtechnique = tech.x_mitre_is_subtechnique === true ? 1 : 0;
+            const parentId = getParentTechniqueId(attackId);
+            techStmt.run(attackId, tech.name || attackId, tech.description || null, tech.x_mitre_platforms ? JSON.stringify(tech.x_mitre_platforms) : null, tech.x_mitre_data_sources ? JSON.stringify(tech.x_mitre_data_sources) : null, isSubtechnique, parentId, getAttackUrl(tech));
+            result.techniques++;
+            // Insert technique → tactic mappings from kill_chain_phases
+            if (tech.kill_chain_phases) {
+                for (const phase of tech.kill_chain_phases) {
+                    if (phase.kill_chain_name === 'mitre-attack') {
+                        ttStmt.run(attackId, normalizeTactic(phase.phase_name));
+                        result.technique_tactic_links++;
+                    }
+                }
+            }
+        }
+        // --- Actors (Intrusion Sets) ---
+        const actorStmt = database.prepare(`
+      INSERT OR REPLACE INTO attack_actors
+      (actor_id, name, aliases, description, external_references, created, modified)
+      VALUES (?, ?, ?, ?, ?, ?, ?)
+    `);
+        for (const actor of actors) {
+            actorStmt.run(actor.id, actor.name || 'Unknown', actor.aliases ? JSON.stringify(actor.aliases) : null, actor.description || null, actor.external_references ? JSON.stringify(actor.external_references) : null, actor.created || null, actor.modified || null);
+            result.actors++;
+        }
+        // --- Software (Malware + Tools) ---
+        const swStmt = database.prepare(`
+      INSERT OR REPLACE INTO attack_software
+      (software_id, name, software_type, description, platforms, aliases)
+      VALUES (?, ?, ?, ?, ?, ?)
+    `);
+        for (const sw of software) {
+            swStmt.run(sw.id, sw.name || 'Unknown', sw.type, // 'malware' or 'tool'
+            sw.description || null, sw.x_mitre_platforms ? JSON.stringify(sw.x_mitre_platforms) : null, sw.aliases ? JSON.stringify(sw.aliases) : null);
+            result.software++;
+        }
+        // =====================================================================
+        // PASS 3: Process "uses" relationships
+        // =====================================================================
+        const actorTechStmt = database.prepare('INSERT OR REPLACE INTO actor_techniques (actor_id, technique_id, description) VALUES (?, ?, ?)');
+        const swTechStmt = database.prepare('INSERT OR REPLACE INTO software_techniques (software_id, technique_id, description) VALUES (?, ?, ?)');
+        for (const rel of relationships) {
+            if (!rel.source_ref || !rel.target_ref)
+                continue;
+            const sourceType = stixIdToType.get(rel.source_ref);
+            const targetAttackId = stixIdToAttackId.get(rel.target_ref);
+            // Only process relationships where the target is a known technique
+            if (!targetAttackId)
+                continue;
+            // Truncate description to avoid storing massive text
+            const desc = rel.description
+                ? rel.description.substring(0, 2000)
+                : null;
+            if (sourceType === 'actor') {
+                actorTechStmt.run(rel.source_ref, targetAttackId, desc);
+                result.actor_technique_links++;
+            }
+            else if (sourceType === 'software') {
+                swTechStmt.run(rel.source_ref, targetAttackId, desc);
+                result.software_technique_links++;
+            }
+        }
+    });
+    insertTransaction();
+    return result;
+}

package/dist/parsers/sublime.js

@@ -15,6 +15,46 @@ const TACTICS_MAP = {
     'macros': 'execution',
     'encryption': 'defense-evasion',
 };
+// Map Sublime attack_types and tactics_and_techniques to MITRE technique IDs
+const ATTACK_TYPE_TO_MITRE = {
+    'credential phishing': ['T1566', 'T1566.001', 'T1566.002', 'T1598'],
+    'bec/fraud': ['T1566.002', 'T1534', 'T1656'],
+    'malware/ransomware': ['T1566.001', 'T1204.002', 'T1486'],
+    'spam': ['T1566'],
+    'callback phishing': ['T1566.003', 'T1598'],
+    'extortion': ['T1486', 'T1657'],
+};
+const TACTIC_TO_MITRE = {
+    'social engineering': ['T1566', 'T1598'],
+    'impersonation: brand': ['T1566.002', 'T1598.003'],
+    'impersonation: employee': ['T1566.002', 'T1534'],
+    'impersonation: vip': ['T1566.002', 'T1534'],
+    'spoofing': ['T1566', 'T1598'],
+    'lookalike domain': ['T1583.001', 'T1566.002'],
+    'exploit': ['T1190', 'T1203'],
+    'macros': ['T1204.002', 'T1059.005'],
+    'scripting': ['T1059'],
+    'evasion': ['T1036', 'T1027'],
+    'encryption': ['T1027', 'T1573'],
+};
+function extractMitreIds(attackTypes, tactics) {
+    const ids = new Set();
+    if (attackTypes) {
+        for (const at of attackTypes) {
+            const mapped = ATTACK_TYPE_TO_MITRE[at.toLowerCase()];
+            if (mapped)
+                mapped.forEach(id => ids.add(id));
+        }
+    }
+    if (tactics) {
+        for (const t of tactics) {
+            const mapped = TACTIC_TO_MITRE[t.toLowerCase()];
+            if (mapped)
+                mapped.forEach(id => ids.add(id));
+        }
+    }
+    return [...ids];
+}
 // Generate a stable ID from file path and rule name
 function generateId(filePath, name) {
     const hash = createHash('sha256')
@@ -64,7 +104,7 @@ export function parseSublimeFile(filePath) {
             description: rule.description || '',
             query: rule.source,
             source_type: 'sublime',
-            mitre_ids: [],
+            mitre_ids: extractMitreIds(rule.attack_types, rule.tactics_and_techniques),
             logsource_category: 'email',
             logsource_product: 'email',
             logsource_service: null,

package/dist/resources/index.js

@@ -7,7 +7,7 @@
  * Static Resources: Fixed URIs returning current state
  * Resource Templates: Parameterized URIs for dynamic queries
  */
-import { getStats, analyzeCoverage, identifyGaps, listByMitre, listByMitreTactic, listBySource, } from '../db/index.js';
+import { getStats, analyzeCoverage, identifyGaps, listByMitre, listByMitreTactic, listBySource, generateNavigatorLayer, isStixLoaded, getActorByName, getActorCoverage, getActorTechniques, getSoftwareForActor, } from '../db/index.js';
 import { openEntity, listDecisions, listLearnings, getKnowledgeStats, } from '../db/knowledge.js';
 // =============================================================================
 // STATIC RESOURCES
@@ -50,6 +50,13 @@ export const resources = [
         description: 'Quick comparison of detection counts across sources (sigma, splunk, elastic, kql)',
         mimeType: 'application/json',
     },
+    // Navigator layer
+    {
+        uri: 'detection://navigator/layer',
+        name: 'ATT&CK Navigator Layer',
+        description: 'Full MITRE ATT&CK Navigator layer JSON with detection coverage heatmap. Import at https://mitre-attack.github.io/attack-navigator/',
+        mimeType: 'application/json',
+    },
     // Knowledge graph resources
     {
         uri: 'knowledge://graph/summary',
@@ -104,6 +111,18 @@ export const resourceTemplates = [
         description: 'Get complete knowledge graph entity details including relations and observations',
         mimeType: 'application/json',
     },
+    {
+        uriTemplate: 'detection://navigator/layer/{sourceType}',
+        name: 'Source-Filtered Navigator Layer',
+        description: 'ATT&CK Navigator layer filtered by detection source (sigma, splunk_escu, elastic, kql, sublime, crowdstrike_cql)',
+        mimeType: 'application/json',
+    },
+    {
+        uriTemplate: 'detection://navigator/actor/{actorName}',
+        name: 'Actor-Filtered Navigator Layer',
+        description: 'ATT&CK Navigator layer showing detection coverage for a specific threat actor\'s known techniques',
+        mimeType: 'application/json',
+    },
 ];
 // =============================================================================
 // RESOURCE LISTING
@@ -217,24 +236,61 @@ function getSourceResource(sourceType) {
     };
 }
 /**
- * Get threat actor profile from knowledge graph
+ * Get threat actor profile — checks STIX data first, falls back to knowledge graph
  */
 function getActorResource(actorName) {
+    // Try STIX-sourced data first (authoritative MITRE ATT&CK data)
+    try {
+        if (isStixLoaded()) {
+            const actor = getActorByName(actorName);
+            if (actor) {
+                const coverage = getActorCoverage(actor.actor_id);
+                const techniques = getActorTechniques(actor.actor_id);
+                const software = getSoftwareForActor(actor.actor_id);
+                return {
+                    actor_name: actor.name,
+                    found: true,
+                    source: 'mitre_attack_stix',
+                    aliases: actor.aliases,
+                    description: actor.description,
+                    technique_count: techniques.length,
+                    techniques: techniques.slice(0, 30).map((t) => ({
+                        technique_id: t.technique_id,
+                        name: t.technique_name,
+                        detection_count: t.detection_count,
+                        covered: t.detection_count > 0,
+                        tactics: t.tactics,
+                    })),
+                    software: software.slice(0, 20).map((s) => ({
+                        name: s.name,
+                        type: s.software_type,
+                    })),
+                    coverage_summary: {
+                        total: coverage.total_techniques,
+                        covered: coverage.covered_count,
+                        gaps: coverage.gap_count,
+                        percentage: coverage.coverage_percentage,
+                    },
+                };
+            }
+        }
+    }
+    catch {
+        // STIX tables may not exist — fall through to knowledge graph
+    }
+    // Fallback to knowledge graph
     const entityResult = openEntity(actorName);
     if (!entityResult || !entityResult.entity) {
         return {
             actor_name: actorName,
             found: false,
-            message: `No knowledge graph entry found for actor: ${actorName}`,
-            suggestion: 'Use knowledge graph tools to create an entity for this threat actor',
+            message: `No data found for actor: ${actorName}. Set ATTACK_STIX_PATH env var to load MITRE ATT&CK data, or use knowledge graph tools to create an entity manually.`,
         };
     }
     const { entity, relations, observations } = entityResult;
-    // Extract techniques from relations
     const techniques = relations.outgoing
         .filter((r) => r.relation_type === 'uses_technique' || r.relation_type === 'associated_with')
         .map((r) => r.to_entity);
-    // Extract related entities
     const relatedEntities = [
         ...relations.outgoing.map((r) => ({
             name: r.to_entity,
@@ -250,6 +306,7 @@ function getActorResource(actorName) {
     return {
         actor_name: entity.name,
         found: true,
+        source: 'knowledge_graph',
         entity_type: entity.entity_type,
         created_at: entity.created_at,
         techniques,
@@ -342,6 +399,8 @@ function getStaticResourceContent(uri) {
                 by_mitre_tactic: stats.by_mitre_tactic,
             };
         }
+        case 'detection://navigator/layer':
+            return generateNavigatorLayer({ name: 'Detection Coverage' });
         case 'knowledge://graph/summary':
             return getKnowledgeStats();
         case 'knowledge://decisions/recent': {
@@ -416,6 +475,20 @@ export async function readResource(uri) {
         content = getActorResource(actorName);
         return formatResourceResponse(uri, mimeType, content);
     }
+    // Actor Navigator layer template: detection://navigator/actor/{actorName}
+    const actorNavigatorMatch = uri.match(/^detection:\/\/navigator\/actor\/(.+)$/);
+    if (actorNavigatorMatch) {
+        const actorName = decodeURIComponent(actorNavigatorMatch[1]);
+        content = generateNavigatorLayer({ name: `${actorName} Coverage`, actor_name: actorName });
+        return formatResourceResponse(uri, mimeType, content);
+    }
+    // Navigator layer template: detection://navigator/layer/{sourceType}
+    const navigatorMatch = uri.match(/^detection:\/\/navigator\/layer\/(.+)$/);
+    if (navigatorMatch) {
+        const sourceType = decodeURIComponent(navigatorMatch[1]);
+        content = generateNavigatorLayer({ name: `${sourceType} Detection Coverage`, source_type: sourceType });
+        return formatResourceResponse(uri, mimeType, content);
+    }
     // Knowledge entity template: knowledge://entity/{entityName}
     const entityMatch = uri.match(/^knowledge:\/\/entity\/(.+)$/);
     if (entityMatch) {

package/dist/tools/detections/actor-analysis.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Threat Actor Coverage Analysis Tools
+ *
+ * MCP tools for analyzing detection coverage against specific
+ * MITRE ATT&CK threat actors using STIX-sourced data.
+ */
+export declare const actorAnalysisTools: import("../registry.js").ToolDefinition[];