add FalconFriday repo, category filter chips, 12h cache

Author: LasCC

README.md

@@ -13,7 +13,8 @@ Browse, search, pin, and inject KQL queries directly into the Monaco editor.
 ## Features
 
 - Inline "Threat Hunting Queries" button in the command bar
-- Tabs: **User Rules** (bundled), **Reprise99**, **Bert-JanP** (fetched from GitHub)
+- Tabs: **User Rules** (bundled), **Reprise99**, **Bert-JanP**, **FalconFriday** (fetched from GitHub)
+- Category filter chips for quick sub-filtering within each repo tab
 - Search across query name, description, category, and KQL content
 - Pin queries for quick access (horizontal pill bar above results)
 - Click any query row to inject it into the editor
@@ -32,8 +33,9 @@ Browse, search, pin, and inject KQL queries directly into the Monaco editor.
 |------|---------|--------|
 | [reprise99/Sentinel-Queries](https://github.com/reprise99/Sentinel-Queries) | ~460 | `.kql` files |
 | [Bert-JanP/Hunting-Queries-Detection-Rules](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules) | ~445 | `.md` with fenced KQL |
+| [FalconForceTeam/FalconFriday](https://github.com/FalconForceTeam/FalconFriday) | ~40 | `.md` with fenced KQL |
 
-Rules are fetched lazily on first tab click, cached locally for 1 hour.
+Rules are fetched lazily on first tab click, cached locally for 12 hours.
 
 ## Build
 

src/config.ts

@@ -11,13 +11,13 @@ export const STORAGE_KEYS = {
   USER_RULES: 'shq_user_rules',
 } as const;
 
-// ── Cache TTL (1 hour in ms) ──
-export const CACHE_TTL_MS = 60 * 60 * 1000;
+// ── Cache TTL (12 hours in ms) ──
+export const CACHE_TTL_MS = 12 * 60 * 60 * 1000;
 
 // ── GitHub Repo Configs ──
 
 export interface RepoConfig {
-  readonly id: 'reprise99' | 'bertjanp';
+  readonly id: 'reprise99' | 'bertjanp' | 'falconfriday';
   readonly owner: string;
   readonly repo: string;
   readonly branch: string;
@@ -26,7 +26,7 @@ export interface RepoConfig {
   /** File extension to match */
   readonly extension: '.kql' | '.md';
   /** Parser identifier */
-  readonly parser: 'kql-file' | 'markdown-sentinel';
+  readonly parser: 'kql-file' | 'markdown-sentinel' | 'markdown-falconfriday';
   /** Human-readable label shown in the tab */
   readonly label: string;
 }
@@ -52,6 +52,16 @@ export const REPOS: readonly RepoConfig[] = [
     parser: 'markdown-sentinel',
     label: 'Bert-JanP',
   },
+  {
+    id: 'falconfriday',
+    owner: 'FalconForceTeam',
+    repo: 'FalconFriday',
+    branch: 'main',
+    basePath: '',
+    extension: '.md',
+    parser: 'markdown-falconfriday',
+    label: 'FalconFriday',
+  },
 ] as const;
 
 /** Max concurrent file fetches to avoid flooding */
@@ -65,6 +75,7 @@ export const TABS: readonly TabDefinition[] = [
   { id: 'user', label: 'User Rules', sourceId: 'user' },
   { id: 'reprise99', label: 'Reprise99', sourceId: 'reprise99' },
   { id: 'bertjanp', label: 'Bert-JanP', sourceId: 'bertjanp' },
+  { id: 'falconfriday', label: 'FalconFriday', sourceId: 'falconfriday' },
   { id: 'pinned', label: 'Pinned' },
 ] as const;
 

src/core/public-repos.ts

@@ -161,6 +161,8 @@ async function fetchAndParseFile(
       return parseKqlFile(content, entry.path);
     case 'markdown-sentinel':
       return parseMarkdownSentinel(content, entry.path);
+    case 'markdown-falconfriday':
+      return parseMarkdownFalconFriday(content, entry.path);
     default:
       return null;
   }
@@ -249,6 +251,56 @@ function parseMarkdownSentinel(content: string, filePath: string): HuntingRule[]
   return rules.length > 0 ? rules : null;
 }
 
+/**
+ * Parse a .md file from FalconForceTeam/FalconFriday.
+ * Structure: # Title, ## Detection description, ## Detection section with
+ * fenced code blocks using ```C# language tag containing KQL queries.
+ * Category is extracted from the filename suffix (e.g. -Win, -Azure, -AWS).
+ */
+function parseMarkdownFalconFriday(content: string, filePath: string): HuntingRule | null {
+  const titleMatch = content.match(/^#\s+(.+)$/m);
+  const title = titleMatch?.[1]?.trim() ?? '';
+  if (!title) return null;
+
+  const descMatch = content.match(/##\s+Detection\s+description\s*\n([\s\S]*?)(?=\n##\s)/i);
+  const description = descMatch?.[1]?.trim() ?? '';
+
+  // Extract category from filename suffix pattern like -Win, -Azure, -AWS
+  const fileName = filePath.split('/').pop() ?? '';
+  const categoryMatch = fileName.match(/-([A-Za-z]+)\.md$/);
+  const category = categoryMatch?.[1]
+    ? humanizeName(categoryMatch[1])
+    : 'General';
+
+  // FalconFriday uses ```C# for KQL blocks
+  const codeBlocks = extractAllFencedCodeBlocks(content);
+  if (codeBlocks.length === 0) return null;
+
+  const query = codeBlocks[0].trim();
+  if (!query) return null;
+
+  return {
+    name: title,
+    query,
+    description: description || `FalconFriday detection rule`,
+    category,
+  };
+}
+
+/**
+ * Extract all fenced code blocks regardless of language tag.
+ * Used by the FalconFriday parser since it uses ```C# for KQL.
+ */
+function extractAllFencedCodeBlocks(text: string): string[] {
+  const blocks: string[] = [];
+  const regex = /```[^\n]*\n([\s\S]*?)```/g;
+  let match: RegExpExecArray | null;
+  while ((match = regex.exec(text)) !== null) {
+    if (match[1]) blocks.push(match[1]);
+  }
+  return blocks;
+}
+
 function extractFencedCodeBlocks(text: string): string[] {
   const blocks: string[] = [];
   const regex = /```(?:kql|kusto|KQL|Kusto)?\s*\n([\s\S]*?)```/g;

src/core/query-manager.ts

@@ -105,6 +105,22 @@ export function getPinnedRules(): readonly (HuntingRule & { sourceId: RuleSource
   return result;
 }
 
+export function getCategoriesForSource(id: RuleSourceId): readonly string[] {
+  const rules = sources.get(id)?.rules ?? [];
+  const unique = new Set<string>();
+  for (const rule of rules) {
+    if (rule.category) unique.add(rule.category);
+  }
+  return [...unique].sort((a, b) => a.localeCompare(b));
+}
+
+export function filterByCategory(
+  rules: readonly HuntingRule[],
+  category: string,
+): readonly HuntingRule[] {
+  return rules.filter((r) => r.category === category);
+}
+
 export function searchRules(
   rules: readonly HuntingRule[],
   query: string,

src/styles/popup.css.ts

@@ -152,6 +152,56 @@ export const popupStyles = `
     border-bottom-color: var(--colorTextBrand, #0078d4);
   }
 
+  /* ── Category Filter ── */
+
+  .${CSS_PREFIX}-category-filter {
+    display: flex;
+    gap: 4px;
+    padding: 6px 14px;
+    border-bottom: 1px solid var(--colorDividerPrimary, #f3f2f1);
+    flex-shrink: 0;
+    overflow-x: auto;
+    overflow-y: hidden;
+    scrollbar-width: none;
+  }
+
+  .${CSS_PREFIX}-category-filter::-webkit-scrollbar {
+    display: none;
+  }
+
+  .${CSS_PREFIX}-category-chip {
+    padding: 2px 8px;
+    font-size: 11px;
+    font-weight: 500;
+    color: var(--colorTextSecondary, #646464);
+    background: var(--colorContainerBackgroundSecondary, #f3f2f1);
+    border: 1px solid var(--colorContainerBorderPrimary, #e1dfdd);
+    border-radius: 10px;
+    cursor: pointer;
+    transition: color 0.12s, background 0.12s, border-color 0.12s;
+    font-family: inherit;
+    white-space: nowrap;
+    flex-shrink: 0;
+  }
+
+  .${CSS_PREFIX}-category-chip:hover {
+    color: var(--colorTextPrimary, #292827);
+    background: var(--colorControlBackgroundHover, #e8e8e8);
+    border-color: var(--colorControlBorderSecondary, #d6d6d6);
+  }
+
+  .${CSS_PREFIX}-category-chip--active {
+    color: var(--colorButtonForegroundPrimary, #fff);
+    background: var(--colorButtonBackgroundPrimary, #0078d4);
+    border-color: var(--colorButtonBackgroundPrimary, #0078d4);
+  }
+
+  .${CSS_PREFIX}-category-chip--active:hover {
+    color: var(--colorButtonForegroundPrimary, #fff);
+    background: var(--colorButtonBackgroundHover, #106ebe);
+    border-color: var(--colorButtonBackgroundHover, #106ebe);
+  }
+
   /* ── Query List ── */
 
   .${CSS_PREFIX}-query-list {

src/types.ts

@@ -9,7 +9,7 @@ export interface HuntingRule {
 
 // ── Rule Sources ──
 
-export type RuleSourceId = 'user' | 'reprise99' | 'bertjanp';
+export type RuleSourceId = 'user' | 'reprise99' | 'bertjanp' | 'falconfriday';
 
 export interface RuleSource {
   readonly id: RuleSourceId;
@@ -88,7 +88,7 @@ export interface CachedData<T> {
 
 // ── Tab System ──
 
-export type TabId = 'user' | 'reprise99' | 'bertjanp' | 'pinned';
+export type TabId = 'user' | 'reprise99' | 'bertjanp' | 'falconfriday' | 'pinned';
 
 export interface TabDefinition {
   readonly id: TabId;

src/ui/category-filter.ts

@@ -0,0 +1,109 @@
+import { CSS_PREFIX } from '../config.ts';
+
+export interface CategoryFilterComponent {
+  readonly element: HTMLDivElement;
+  /** Update the list of available categories. Resets selection. */
+  setCategories(categories: readonly string[]): void;
+  /** Get the currently selected category, or null if "All" is selected. */
+  getSelected(): string | null;
+  /** Reset selection to "All" without triggering onChange. */
+  reset(): void;
+}
+
+export function createCategoryFilter(
+  onChange: (category: string | null) => void,
+): CategoryFilterComponent {
+  const wrap = document.createElement('div');
+  wrap.className = `${CSS_PREFIX}-category-filter`;
+
+  let selectedCategory: string | null = null;
+  let currentCategories: readonly string[] = [];
+
+  function setCategories(categories: readonly string[]): void {
+    // Avoid re-rendering if categories haven't changed
+    if (
+      categories.length === currentCategories.length &&
+      categories.every((c, i) => c === currentCategories[i])
+    ) {
+      return;
+    }
+    currentCategories = categories;
+    // Preserve selection if the selected category still exists in the new list
+    if (selectedCategory && !categories.includes(selectedCategory)) {
+      selectedCategory = null;
+    }
+    renderChips();
+  }
+
+  function renderChips(): void {
+    wrap.innerHTML = '';
+
+    // Hide entirely when there are 0 or 1 categories (no filtering useful)
+    if (currentCategories.length <= 1) {
+      wrap.style.display = 'none';
+      return;
+    }
+    wrap.style.display = '';
+
+    // "All" chip
+    const allChip = createChip('All', selectedCategory === null);
+    allChip.addEventListener('click', () => {
+      if (selectedCategory === null) return;
+      selectedCategory = null;
+      updateActiveState();
+      onChange(null);
+    });
+    wrap.appendChild(allChip);
+
+    // Category chips
+    for (const cat of currentCategories) {
+      const chip = createChip(cat, selectedCategory === cat);
+      chip.addEventListener('click', () => {
+        if (selectedCategory === cat) {
+          // Toggle off -> back to "All"
+          selectedCategory = null;
+        } else {
+          selectedCategory = cat;
+        }
+        updateActiveState();
+        onChange(selectedCategory);
+      });
+      wrap.appendChild(chip);
+    }
+  }
+
+  function createChip(label: string, active: boolean): HTMLButtonElement {
+    const btn = document.createElement('button');
+    btn.type = 'button';
+    btn.className = `${CSS_PREFIX}-category-chip`;
+    if (active) btn.classList.add(`${CSS_PREFIX}-category-chip--active`);
+    btn.textContent = label;
+    return btn;
+  }
+
+  function updateActiveState(): void {
+    const chips = wrap.querySelectorAll<HTMLButtonElement>(`.${CSS_PREFIX}-category-chip`);
+    let idx = 0;
+    for (const chip of chips) {
+      if (idx === 0) {
+        // "All" chip
+        chip.classList.toggle(`${CSS_PREFIX}-category-chip--active`, selectedCategory === null);
+      } else {
+        const cat = currentCategories[idx - 1];
+        chip.classList.toggle(`${CSS_PREFIX}-category-chip--active`, selectedCategory === cat);
+      }
+      idx++;
+    }
+  }
+
+  function reset(): void {
+    selectedCategory = null;
+    updateActiveState();
+  }
+
+  function getSelected(): string | null {
+    return selectedCategory;
+  }
+
+  return { element: wrap, setCategories, getSelected, reset };
+}