feat(phase-23): add Threat Actor profiles with MITRE CTI import, API, heatmap and gap analysis (T-208 to T-212)

backend/alembic/versions/b010_add_threat_actors_tables.py

@@ -0,0 +1,72 @@
+"""add_threat_actors_tables
+
+Revision ID: b010threatactors
+Revises: b009detectionrules
+Create Date: 2026-02-09 15:00:00.000000
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects.postgresql import UUID, JSONB
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'b010threatactors'
+down_revision: Union[str, Sequence[str], None] = 'b009detectionrules'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Create threat_actors and threat_actor_techniques tables."""
+    # threat_actors
+    op.create_table(
+        'threat_actors',
+        sa.Column('id', UUID(as_uuid=True), primary_key=True),
+        sa.Column('mitre_id', sa.String(), unique=True, nullable=True),
+        sa.Column('name', sa.String(), nullable=False),
+        sa.Column('aliases', JSONB(), nullable=True),
+        sa.Column('description', sa.Text(), nullable=True),
+        sa.Column('country', sa.String(), nullable=True),
+        sa.Column('target_sectors', JSONB(), nullable=True),
+        sa.Column('target_regions', JSONB(), nullable=True),
+        sa.Column('motivation', sa.String(), nullable=True),
+        sa.Column('sophistication', sa.String(), nullable=True),
+        sa.Column('first_seen', sa.String(), nullable=True),
+        sa.Column('last_seen', sa.String(), nullable=True),
+        sa.Column('references', JSONB(), nullable=True),
+        sa.Column('mitre_url', sa.String(), nullable=True),
+        sa.Column('is_active', sa.Boolean(), server_default='true'),
+        sa.Column('created_at', sa.DateTime(), server_default=sa.func.now()),
+    )
+    op.create_index('ix_threat_actors_country', 'threat_actors', ['country'])
+    op.create_index('ix_threat_actors_motivation', 'threat_actors', ['motivation'])
+
+    # threat_actor_techniques (junction table)
+    op.create_table(
+        'threat_actor_techniques',
+        sa.Column('id', UUID(as_uuid=True), primary_key=True),
+        sa.Column('threat_actor_id', UUID(as_uuid=True),
+                  sa.ForeignKey('threat_actors.id', ondelete='CASCADE'), nullable=False),
+        sa.Column('technique_id', UUID(as_uuid=True),
+                  sa.ForeignKey('techniques.id', ondelete='CASCADE'), nullable=False),
+        sa.Column('usage_description', sa.Text(), nullable=True),
+        sa.Column('first_seen_using', sa.String(), nullable=True),
+    )
+    op.create_index('ix_threat_actor_techniques_actor', 'threat_actor_techniques', ['threat_actor_id'])
+    op.create_index('ix_threat_actor_techniques_technique', 'threat_actor_techniques', ['technique_id'])
+    op.create_unique_constraint('uq_actor_technique', 'threat_actor_techniques',
+                                ['threat_actor_id', 'technique_id'])
+
+
+def downgrade() -> None:
+    """Drop threat_actor_techniques and threat_actors tables."""
+    op.drop_constraint('uq_actor_technique', 'threat_actor_techniques', type_='unique')
+    op.drop_index('ix_threat_actor_techniques_technique', table_name='threat_actor_techniques')
+    op.drop_index('ix_threat_actor_techniques_actor', table_name='threat_actor_techniques')
+    op.drop_table('threat_actor_techniques')
+    op.drop_index('ix_threat_actors_motivation', table_name='threat_actors')
+    op.drop_index('ix_threat_actors_country', table_name='threat_actors')
+    op.drop_table('threat_actors')