feat(techniques): show detection rules on technique detail page

Backend: - technique_query_service.get_technique_detail() now queries DetectionRule by mitre_technique_id == mitre_id (same field the heatmap uses) - Rules sorted: critical → high → medium → low → informational, then alphabetically - Returns: id, title, description, source, source_url, rule_format, severity, platforms, false_positive_rate Frontend: - New DetectionRulesSection component with expandable rows per rule - Color-coded severity dots and badges (red/orange/yellow/blue/gray) - Source badges (sigma=purple, elastic=blue, splunk=orange, custom=cyan) - Shows format, false positive rate, platforms, source link on expand - Empty state when no rules exist Fixes: T1189 showed green in heatmap but no rules on detail page Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-28 16:26:46 +02:00
parent 2371318e9e
commit fa8e7f311b
2 changed files with 187 additions and 1 deletions
--- a/backend/app/services/technique_query_service.py
+++ b/backend/app/services/technique_query_service.py
@@ -5,11 +5,15 @@ from sqlalchemy.orm import Session, joinedload

 from app.domain.errors import EntityNotFoundError
 from app.models.technique import Technique
+from app.models.detection_rule import DetectionRule
 from app.services.d3fend_import_service import get_defenses_for_technique

+# Severity sort order for detection rules (most critical first)
+_SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4, None: 5}
+

 def get_technique_detail(db: Session, mitre_id: str) -> dict:
-    """Fetch full technique details including tests and D3FEND defenses."""
+    """Fetch full technique details including tests, detection rules, and D3FEND defenses."""
    technique = (
        db.query(Technique)
        .options(joinedload(Technique.tests))
@@ -18,7 +22,22 @@ def get_technique_detail(db: Session, mitre_id: str) -> dict:
    )
    if technique is None:
        raise EntityNotFoundError("Technique", mitre_id)
+
    defenses = get_defenses_for_technique(db, technique.id)
+
+    detection_rules = (
+        db.query(DetectionRule)
+        .filter(
+            DetectionRule.mitre_technique_id == mitre_id,
+            DetectionRule.is_active == True,  # noqa: E712
+        )
+        .all()
+    )
+    # Sort by severity (critical first), then alphabetically by title
+    detection_rules.sort(
+        key=lambda r: (_SEVERITY_ORDER.get(r.severity, 5), (r.title or "").lower())
+    )
+
    return {
        "id": str(technique.id),
        "mitre_id": technique.mitre_id,
@@ -44,5 +63,20 @@ def get_technique_detail(db: Session, mitre_id: str) -> dict:
            }
            for t in technique.tests
        ],
+        "detection_rules": [
+            {
+                "id": str(r.id),
+                "title": r.title,
+                "description": r.description,
+                "source": r.source,
+                "source_id": r.source_id,
+                "source_url": r.source_url,
+                "rule_format": r.rule_format,
+                "severity": r.severity,
+                "platforms": r.platforms or [],
+                "false_positive_rate": r.false_positive_rate,
+            }
+            for r in detection_rules
+        ],
        "d3fend_defenses": defenses,
    }