Add RetailShield capability matrix

[TFT444]

Summary

Closes #73

Adds docs/capability-matrix.md — a single reference document covering every detection rule and response playbook with honest status labels.

What's in the matrix

Retail detection rules (13) — full row for each: rule name, KQL file, MITRE technique, tactic, severity, query frequency, data sources (standard tables + custom tables + watchlists), recommended playbook trigger, and status. All 13 are marked ✅ Complete.

Generic detection rules (6) — MITRE mapping documented with ⬜ Placeholder status for each, since the KQL files contain only comments and no implemented logic yet.

Response playbooks (5) — block-ip, isolate-endpoint, quarantine-email, suspend-terminal, incident-reporting — each with trigger, description, and ✅ Complete status.

Supporting tables:

• MITRE ATT&CK tactic coverage summary (which rules cover each tactic)
• Watchlist dependency table (4 watchlists × rules using them)
• Custom table dependency table (RetailShield_POS_CL, RetailShield_Logs_CL × rules using them)

---

How to test

1. Check rule count:

   # Retail rules in matrix should match files on disk
   grep "^| " docs/capability-matrix.md | grep "\.kql" | grep -v "^| Rule" | wc -l
   # Should be 19 (13 retail + 6 generic)

2. Cross-check against KQL files:

   # Every .kql filename in detection-rules/retail/ should appear in the matrix
   for f in detection-rules/retail/*.kql; do
     name=$(basename "$f")
     grep -q "$name" docs/capability-matrix.md && echo "OK: $name" || echo "MISSING: $name"
   done

3. Read the document and verify:

   • Generic rules are honestly marked ⬜ Placeholder
   • All 5 playbooks appear in the playbooks section
   • MITRE tactic coverage table is consistent with the rules table above it

---

Generated by Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
retail-shield	Ready	Preview, Comment	Jun 6, 2026 10:52am