From 7754aee855a0d8653305908d59df546393c62c0a Mon Sep 17 00:00:00 2001
From: Tanvir Farhad
Date: Sun, 21 Jun 2026 14:41:59 +0000
Subject: [PATCH] feat(data): add LP_INCIDENTS and LP_STORE_RISK demo data

Adds 8 realistic LP incidents covering all 4 LP detection rules and their named signals (HighVolumeVoidRefund, HighValueVoidNoOverride, BulkGiftCardActivation, RapidCrossChannelRedemption, RepeatHigh- DiscountRelationship, HighDiscountConcentrationAtTerminal, Ghost- EmployeeAfterHours, ClosedStoreTerminalBurst). Adds LP_STORE_RISK with 10 store risk scores for the store risk scoring component. Also registers 4 LP rules in DETECTION_RULES and updates Impact tactic coverage from 2 to 4 in MITRE_COVERAGE. Closes #126
---
 frontend/src/lib/data.js | 260 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 259 insertions(+), 1 deletion(-)

diff --git a/frontend/src/lib/data.js b/frontend/src/lib/data.js
index 53eeaf5..d0fe6d9 100644
--- a/frontend/src/lib/data.js
+++ b/frontend/src/lib/data.js
@@ -20,6 +20,10 @@ export const DETECTION_RULES = [
 { id: 'DR-017', name: 'Scheduled Task Creation', technique: 'T1053.005', tactic: 'Persistence', severity: 'Medium', status: 'Active', file: 'scheduled_task.kql', lastTriggered: '2 hr ago', triggerCount: 8 },
 { id: 'DR-018', name: 'LSASS Memory Access', technique: 'T1003.001', tactic: 'Credential Access', severity: 'Critical', status: 'Active', file: 'lsass_access.kql', lastTriggered: '6 hr ago', triggerCount: 2 },
 { id: 'DR-019', name: 'Malicious Macro in Office File', technique: 'T1566.001', tactic: 'Initial Access', severity: 'High', status: 'Disabled', file: 'office_macro.kql', lastTriggered: 'Never', triggerCount: 0 },
+ { id: 'LP-001', name: 'POS Void / Refund Abuse', technique: 'T1657', tactic: 'Impact', severity: 'High', status: 'Active', file: 'lp-pos-void-refund-abuse.kql', lastTriggered: '12 min ago', triggerCount: 7 },
+ { id: 'LP-002', name: 'Gift Card Rapid Redemption', technique: 'T1657', tactic: 'Impact', severity: 'High', status: 'Active', file: 'lp-gift-card-rapid-redemption.kql', lastTriggered: '6 min ago', triggerCount: 3 },
+ { id: 'LP-003', name: 'Sweethearting / Buddy Fraud', technique: 'T1657', tactic: 'Impact', severity: 'High', status: 'Active', file: 'lp-sweethearting.kql', lastTriggered: '2 hr ago', triggerCount: 2 },
+ { id: 'LP-004', name: 'After-Hours POS Transaction', technique: 'T1657', tactic: 'Impact', severity: 'High', status: 'Active', file: 'lp-after-hours-pos-transaction.kql', lastTriggered: '3 hr ago', triggerCount: 4 },
 ];
 
 export const MITRE_COVERAGE = [
@@ -34,7 +38,7 @@ export const MITRE_COVERAGE = [
 { tactic: 'Collection', covered: 1, total: 5 },
 { tactic: 'C2', covered: 3, total: 6 },
 { tactic: 'Exfiltration', covered: 2, total: 4 },
- { tactic: 'Impact', covered: 2, total: 7 },
+ { tactic: 'Impact', covered: 4, total: 7 },
 ];
 
 export const BASELINE_INCIDENTS = [
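Review bot: The four new rule entries use kebab-case `file` names (`lp-pos-void-refund-abuse.kql`) while every surrounding entry uses snake_case (`scheduled_task.kql`, `lsass_access.kql`); if the `file` field is used to locate the rule on disk rather than only displayed, confirm these match the actual filenames. The `LP-` id prefix also departs from the `DR-` sequence — presumably intentional for the loss-prevention namespace, but a one-line comment above the LP entries would say so, e.g. `// Loss-prevention (LP-) rules: POS/retail telemetry, all mapped to T1657 Financial Theft`. The DETECTION_RULES array starts before this hunk.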
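Review bot: The Impact row moves `covered` from 2 to 4, but all four LP rules added in the previous hunk reference the same technique, T1657, so if `covered` counts distinct techniques (which a fixed `total: 7` per tactic suggests) the new value should be `covered: 3`, and if it counts rules the other rows would need the same semantics. Either way the figure is hand-maintained next to DETECTION_RULES and will drift again; a comment such as `// covered = distinct techniques with >=1 rule; keep in sync with DETECTION_RULES`, or deriving the value from DETECTION_RULES at module load, would pin the definition. The MITRE_COVERAGE array begins before this hunk.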
@@ -487,6 +491,260 @@ export const COMPLIANCE_REGULATIONS = [
 { id: 'NIS2', name: 'NIS2 Directive (UK equivalent)', deadline: '24 hours', authority: 'NCSC', threshold: 'Incidents affecting network and information systems', status: 'Monitored' },
 ];
 
+export const LP_INCIDENTS = [
+ {
+ id: 'LP-INC-001',
+ title: 'High-Volume Void Abuse — Store-031 Cashier',
+ severity: 'High',
+ tactic: 'Impact',
+ technique: 'T1657',
+ status: 'Investigating',
+ detectedAt: '2026-06-21T11:42:00Z',
+ mttd: 3,
+ ruleId: 'LP-001',
+ detectionSignal: 'HighVolumeVoidRefund',
+ storeId: 'Store-031',
+ operatorId: 'EMP-2204',
+ terminalId: 'POS-031-03',
+ transactionCount: 14,
+ totalValueGBP: 847.50,
+ hasManagerOverride: false,
+ riskScore: 80,
+ description: 'Cashier EMP-2204 processed 14 void/refund transactions totalling £847.50 in a 30-minute window at Store-031 — exceeding the threshold of 10 per window with no manager override recorded.',
+ timeline: [
+ { time: '11:09', event: 'First void transaction processed by EMP-2204 at POS-031-03' },
+ { time: '11:39', event: '14th void in 30-minute window — HighVolumeVoidRefund threshold crossed' },
+ { time: '11:42', event: 'Alert triggered — lp-incident-response playbook invoked' },
+ { time: '11:44', event: 'Store manager notified; POS permissions suspended pending review' },
+ ],
+ affectedEntities: ['EMP-2204', 'POS-031-03', 'Store-031 till ledger'],
+ autoDefence: ['POS operator account suspended', 'Store manager alerted', 'CCTV timestamp flagged for review'],
+ recommendations: ['Reconcile void transactions against customer receipts', 'Require manager PIN for all voids above £20', 'Begin HR investigation if reconciliation fails'],
+ estimatedLossGBP: 847.50,
+ },
+ {
+ id: 'LP-INC-002',
+ title: 'Critical Value Void — No Override — Store-017',
+ severity: 'Critical',
+ tactic: 'Impact',
+ technique: 'T1657',
+ status: 'Active',
+ detectedAt: '2026-06-21T14:08:00Z',
+ mttd: 1,
+ ruleId: 'LP-001',
+ detectionSignal: 'HighValueVoidNoOverride',
+ storeId: 'Store-017',
+ operatorId: 'EMP-0891',
+ terminalId: 'POS-017-01',
+ transactionCount: 3,
+ totalValueGBP: 1240.00,
+ hasManagerOverride: false,
+ riskScore: 95,
+ description: 'Three high-value void transactions totalling £1,240 processed at Store-017 POS-017-01 by EMP-0891 with no manager override recorded. Total exceeds the £500 Critical threshold.',
+ timeline: [
+ { time: '14:01', event: 'First high-value void — £420.00 — no override on POS-017-01' },
+ { time: '14:05', event: 'Second void — £380.00' },
+ { time: '14:07', event: 'Third void — £440.00 — total reaches £1,240' },
+ { time: '14:08', event: 'Critical alert fired — HighValueVoidNoOverride, RiskScore 95' },
+ ],
+ affectedEntities: ['EMP-0891', 'POS-017-01', 'Store-017 refund ledger'],
+ autoDefence: ['Operator account suspended immediately', 'Manager PIN enforcement activated at terminal', 'Incident escalated to Loss Prevention team'],
+ recommendations: ['Conduct same-day investigation and reconciliation', 'Review 7-day void history for EMP-0891', 'Preserve CCTV footage for the 14:00–14:10 window'],
+ estimatedLossGBP: 1240.00,
+ },
+ {
+ id: 'LP-INC-003',
+ title: 'Bulk Gift Card Activation — 12 Cards in 40 Minutes',
+ severity: 'High',
+ tactic: 'Impact',
+ technique: 'T1657',
+ status: 'Investigating',
+ detectedAt: '2026-06-21T10:22:00Z',
+ mttd: 6,
+ ruleId: 'LP-002',
+ detectionSignal: 'BulkGiftCardActivation',
+ storeId: 'Store-008',
+ operatorId: 'EMP-1155',
+ terminalId: 'POS-008-02',
+ activationCount: 12,
+ totalValueGBP: 600.00,
+ riskScore: 80,
+ description: 'EMP-1155 activated 12 gift cards totalling £600 in a 40-minute window at Store-008 — more than double the BulkActivationThresh of 5. No matching customer loyalty transactions recorded.',
+ timeline: [
+ { time: '09:42', event: 'First gift card activated by EMP-1155 on POS-008-02' },
+ { time: '10:01', event: 'Fifth card activated — BulkActivationThresh reached' },
+ { time: '10:22', event: 'Twelfth card activated — alert triggered' },
+ { time: '10:28', event: 'Gift card activation capability suspended at terminal' },
+ ],
+ affectedEntities: ['EMP-1155', 'POS-008-02', '12 gift card accounts (GC-batch-9821xx)'],
+ autoDefence: ['Gift card activation suspended at POS-008-02', 'Card batch flagged in gift card system', 'Store manager notified'],
+ recommendations: ['Freeze the 12 activated cards pending investigation', 'Verify activation purpose with EMP-1155 and store manager', 'Cross-check cards against customer purchase records'],
+ estimatedLossGBP: 600.00,
+ },
+ {
+ id: 'LP-INC-004',
+ title: 'Rapid Cross-Store Gift Card Redemption — Organised Fraud',
+ severity: 'Critical',
+ tactic: 'Impact',
+ technique: 'T1657',
+ status: 'Active',
+ detectedAt: '2026-06-20T16:14:00Z',
+ mttd: 4,
+ ruleId: 'LP-002',
+ detectionSignal: 'RapidCrossChannelRedemption',
+ storeId: 'Store-003',
+ operatorId: 'EMP-0312',
+ terminalId: 'POS-003-01',
+ activationCount: 8,
+ totalValueGBP: 480.00,
+ minutesSinceActivation: 18,
+ riskScore: 90,
+ description: '8 gift cards activated at Store-003 were redeemed online within 18 minutes of activation — well within the 30-minute cross-channel threshold. Consistent with organised gift card fraud using stolen card numbers.',
+ timeline: [
+ { time: '15:52', event: '8 gift cards activated at Store-003 POS-003-01 by EMP-0312' },
+ { time: '16:10', event: 'All 8 cards redeemed via online channel within 18 minutes of activation' },
+ { time: '16:14', event: 'RapidCrossChannelRedemption alert fired — Critical, RiskScore 90' },
+ { time: '16:15', event: 'Cards suspended; online redemption channel flagged' },
+ ],
+ affectedEntities: ['EMP-0312', 'POS-003-01', '8 gift card accounts', 'Online redemption API'],
+ autoDefence: ['Affected cards frozen', 'Online channel velocity limit applied', 'Fraud team alerted'],
+ recommendations: ['Coordinate with online fraud team to trace redemption session', 'Investigate whether EMP-0312 acted alone or with an accomplice', 'Consider law enforcement referral if organised crime suspected'],
+ estimatedLossGBP: 480.00,
+ },
+ {
+ id: 'LP-INC-005',
+ title: 'Sweethearting — Cashier Serving Same Customer 9 Times at 38% Discount',
+ severity: 'High',
+ tactic: 'Impact',
+ technique: 'T1657',
+ status: 'Investigating',
+ detectedAt: '2026-06-21T06:00:00Z',
+ mttd: 22,
+ ruleId: 'LP-003',
+ detectionSignal: 'RepeatHighDiscountRelationship',
+ storeId: 'Store-042',
+ operatorId: 'EMP-3301',
+ loyaltyCardId: 'LC-88821934',
+ transactionCount: 9,
+ avgDiscountRate: 0.38,
+ totalDiscountGBP: 314.20,
+ avgBasketGBP: 36.84,
+ riskScore: 75,
+ description: 'Cashier EMP-3301 served loyalty customer LC-88821934 nine times over 7 days with an average discount of 38% — substantially above the 30% threshold. No loyalty programme entitlement found for the customer profile.',
+ timeline: [
+ { time: 'Day 1', event: 'First transaction flagged — 41% discount applied by EMP-3301' },
+ { time: 'Days 2–6', event: '8 further transactions — all with discounts between 32% and 44%' },
+ { time: 'Day 7 06:00', event: '7-day rolling analysis triggered RepeatHighDiscountRelationship alert' },
+ { time: 'Day 7 06:22', event: 'Loss prevention manager notified; HR review scheduled' },
+ ],
+ affectedEntities: ['EMP-3301', 'LC-88821934 (loyalty customer)', 'Store-042 discount ledger'],
+ autoDefence: ['Discount cap applied to EMP-3301 terminal pending review', 'LP manager alerted', 'Transaction history exported for HR'],
+ recommendations: ['Conduct full 30-day discount audit for EMP-3301', 'Cross-check LC-88821934 loyalty entitlement', 'Review CCTV to confirm whether all items were scanned'],
+ estimatedLossGBP: 314.20,
+ },
+ {
+ id: 'LP-INC-006',
+ title: 'Discount Concentration — Cashier Responsible for 52% of Terminal Discounts',
+ severity: 'High',
+ tactic: 'Impact',
+ technique: 'T1657',
+ status: 'Investigating',
+ detectedAt: '2026-06-20T06:00:00Z',
+ mttd: 31,
+ ruleId: 'LP-003',
+ detectionSignal: 'HighDiscountConcentrationAtTerminal',
+ storeId: 'Store-019',
+ operatorId: 'EMP-0774',
+ terminalId: 'POS-019-04',
+ discountShare: 0.52,
+ totalDiscountGBP: 892.60,
+ riskScore: 70,
+ description: 'Cashier EMP-0774 was responsible for 52% of all discounts issued at POS-019-04 over the past 7 days — more than double the DiscountShareThresh of 40%. Peer comparison shows the terminal average is 11% per operator.',
+ timeline: [
+ { time: 'Day 1–7', event: 'EMP-0774 discount share accumulates to 52% of POS-019-04 total' },
+ { time: 'Day 7 06:00', event: '7-day analysis triggers HighDiscountConcentrationAtTerminal signal' },
+ { time: 'Day 7 06:31', event: 'LP manager notified; discount activity review initiated' },
+ ],
+ affectedEntities: ['EMP-0774', 'POS-019-04', 'Store-019 discount ledger'],
+ autoDefence: ['LP manager alerted', 'Discount log exported for peer comparison', 'Terminal flagged for enhanced monitoring'],
+ recommendations: ['Compare EMP-0774 basket values against terminal peers', 'Audit discount transactions for items not appearing on receipt', 'Consider covert observation if pattern continues'],
+ estimatedLossGBP: 892.60,
+ },
+ {
+ id: 'LP-INC-007',
+ title: 'Ghost Employee — After-Hours POS Access — Store-007',
+ severity: 'Critical',
+ tactic: 'Impact',
+ technique: 'T1657',
+ status: 'Active',
+ detectedAt: '2026-06-21T02:31:00Z',
+ mttd: 2,
+ ruleId: 'LP-004',
+ detectionSignal: 'GhostEmployeeAfterHours',
+ storeId: 'Store-007',
+ operatorId: 'EMP-9901',
+ terminalId: 'POS-007-02',
+ transactionCount: 4,
+ totalValueGBP: 612.00,
+ hourOfDay: 2,
+ riskScore: 92,
+ description: 'Operator EMP-9901 processed 4 transactions totalling £612 at Store-007 at 02:31 AM — outside trading hours (06:00–22:00). No daytime shift record exists for EMP-9901 in the past 24 hours, matching the GhostEmployee pattern.',
+ timeline: [
+ { time: '02:27', event: 'EMP-9901 logs into POS-007-02 — no active shift record in system' },
+ { time: '02:31', event: '4 transactions processed totalling £612.00' },
+ { time: '02:31', event: 'GhostEmployeeAfterHours alert fired — Critical, RiskScore 92' },
+ { time: '02:33', event: 'Terminal locked remotely; security team alerted' },
+ ],
+ affectedEntities: ['EMP-9901', 'POS-007-02', 'Store-007 till'],
+ autoDefence: ['Terminal remotely locked', 'Security team dispatched', 'EMP-9901 credential suspended'],
+ recommendations: ['Contact on-site security and review CCTV immediately', 'Verify whether EMP-9901 badge access records confirm physical presence', 'Consider law enforcement notification if unauthorised entry is confirmed'],
+ estimatedLossGBP: 612.00,
+ },
+ {
+ id: 'LP-INC-008',
+ title: 'Closed-Store Terminal Burst — 5 Transactions Outside Hours',
+ severity: 'Critical',
+ tactic: 'Impact',
+ technique: 'T1657',
+ status: 'Investigating',
+ detectedAt: '2026-06-20T23:58:00Z',
+ mttd: 4,
+ ruleId: 'LP-004',
+ detectionSignal: 'ClosedStoreTerminalBurst',
+ storeId: 'Store-022',
+ operatorId: 'EMP-4417',
+ terminalId: 'POS-022-01',
+ transactionCount: 5,
+ totalValueGBP: 388.75,
+ hourOfDay: 23,
+ riskScore: 92,
+ description: '5 POS transactions processed at POS-022-01 in a 30-minute window starting at 23:50 — after the 22:00 store close. The terminal burst of 5 exceeds the ClosedStoreTerminalBurst threshold of 3.',
+ timeline: [
+ { time: '23:50', event: 'First after-hours transaction on POS-022-01' },
+ { time: '23:54', event: 'Third transaction — TerminalBurstThresh crossed' },
+ { time: '23:58', event: 'ClosedStoreTerminalBurst alert — Critical, RiskScore 92' },
+ { time: '00:02', event: 'Store manager contacted; badge access audit initiated' },
+ ],
+ affectedEntities: ['EMP-4417', 'POS-022-01', 'Store-022 after-hours log'],
+ autoDefence: ['Terminal flagged; manager notified', 'Badge access log pulled for Store-022', 'Activity flagged for LP review'],
+ recommendations: ['Correlate transactions with badge entry records', 'Review CCTV footage at store entrance from 23:40 onwards', 'Determine if authorised (stock count) or investigate as till manipulation'],
+ estimatedLossGBP: 388.75,
+ },
+];
+
+export const LP_STORE_RISK = [
+ { storeId: 'Store-007', storeName: 'Oxford Street', riskScore: 92, openIncidents: 1, highestSignal: 'GhostEmployeeAfterHours', lastIncident: '2026-06-21T02:31:00Z', trend: 'up' },
+ { storeId: 'Store-017', storeName: 'Canary Wharf', riskScore: 88, openIncidents: 1, highestSignal: 'HighValueVoidNoOverride', lastIncident: '2026-06-21T14:08:00Z', trend: 'up' },
+ { storeId: 'Store-003', storeName: 'Westfield Strat.', riskScore: 84, openIncidents: 1, highestSignal: 'RapidCrossChannelRedemption', lastIncident: '2026-06-20T16:14:00Z', trend: 'up' },
+ { storeId: 'Store-022', storeName: 'Bluewater', riskScore: 80, openIncidents: 1, highestSignal: 'ClosedStoreTerminalBurst', lastIncident: '2026-06-20T23:58:00Z', trend: 'stable'},
+ { storeId: 'Store-031', storeName: 'Trafford Centre', riskScore: 74, openIncidents: 1, highestSignal: 'HighVolumeVoidRefund', lastIncident: '2026-06-21T11:42:00Z', trend: 'stable'},
+ { storeId: 'Store-042', storeName: 'Meadowhall', riskScore: 68, openIncidents: 1, highestSignal: 'RepeatHighDiscountRelationship', lastIncident: '2026-06-21T06:00:00Z', trend: 'up' },
+ { storeId: 'Store-019', storeName: 'Bullring', riskScore: 62, openIncidents: 1, highestSignal: 'HighDiscountConcentrationAtTerminal', lastIncident: '2026-06-20T06:00:00Z', trend: 'stable'},
+ { storeId: 'Store-008', storeName: 'Brent Cross', riskScore: 58, openIncidents: 1, highestSignal: 'BulkGiftCardActivation', lastIncident: '2026-06-21T10:22:00Z', trend: 'down' },
+ { storeId: 'Store-011', storeName: 'Lakeside', riskScore: 28, openIncidents: 0, highestSignal: null, lastIncident: null, trend: 'stable'},
+ { storeId: 'Store-055', storeName: 'Arndale', riskScore: 21, openIncidents: 0, highestSignal: null, lastIncident: null, trend: 'down' },
+];
+
 export const SUBMISSION_HISTORY = [
 { id: 'SUB-001', date: '2026-05-22T10:30:00Z', incident: 'INC-2801', regulation: 'UK GDPR', authority: 'ICO', status: 'Submitted', refNo: 'ICO-2026-051822' },
 { id: 'SUB-002', date: '2026-05-22T08:15:00Z', incident: 'INC-2801', regulation: 'CSR Bill', authority: 'NCSC', status: 'Acknowledged', refNo: 'NCSC-IR-2026-4471' },
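Review bot: The LP_INCIDENTS entries do not share one shape — LP-INC-005 has no `terminalId`, LP-INC-003/004 carry `activationCount` instead of `transactionCount`, LP-INC-005/006 carry `totalDiscountGBP` instead of `totalValueGBP`, and `hasManagerOverride` appears only on the LP-001 incidents — so a component that reads these fields unconditionally will render `undefined`. A JSDoc `@typedef` above `export const LP_INCIDENTS` listing the common fields and marking the signal-specific ones as optional would make that contract visible to the consumers the commit message mentions. The `timeline[].time` values mix `'11:09'` with `'Day 7 06:00'`, which is fine for display but breaks anything that parses or sorts them, so a one-line comment stating they are display-only strings would settle it. `mttd` also appears to measure different intervals across entries (LP-INC-001: threshold crossed → alert, 3 min; LP-INC-003: alert → containment, 6 min), and LP_STORE_RISK's `riskScore` differs from the matching incident's (Store-017: 88 vs 95), and the `trend: 'stable'}` entries drop the space before `}`; if the score difference is deliberate, a comment naming what each score measures would stop it being read as a data error.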