feat(ttp): E.3.13 IdentityLifter + CredentialLifter (R0001-R0006)

IdentityLifter owns lifter:identity_* — currently R0003 (password spraying). CredentialLifter owns lifter:credential_* — R0001 generic auth brute, R0002 password guessing, R0004 credential reuse, R0005 valid-account use, R0006 default credentials. YAMLs R0001/R0002/R0003/R0005/R0006 had their match.kind normalised to fit the lifter prefix scheme — the design doc's promised "YAMLs normalised in a separate refactor commit" lands here. Identity-rollup tags null out attacker_uuid on emit so the worked- example invariant holds (the tag belongs to the Identity, never to one member IP). Tests: test_identity_lifter.py + test_credential_lifter.py cover each predicate's positive/negative path, state modulation (disabled/clipped/expired), source-kind gating, and idempotent replay. test_lifter_absence and test_lifters updated for the new ctor signature.
2026-05-01 20:52:56 -04:00
parent 62ad76615e
commit 322fd44d72
13 changed files with 638 additions and 44 deletions
--- a/rules/ttp/R0001.yaml
+++ b/rules/ttp/R0001.yaml
@@ -3,12 +3,12 @@ rule_version: 1
 name: generic_auth_brute
 description: |
  Repeated failed auth across services/accounts. Cross-event;
-  emitted by the BehavioralLifter (E.3.9) — v0 RuleEngine cannot
+  emitted by the CredentialLifter (E.3.13) — v0 RuleEngine cannot
  count.
 applies_to:
  - auth_attempt
 match:
-  kind: lifter:auth_brute_generic
+  kind: lifter:credential_auth_brute_generic
  fail_threshold: 5
  window_minutes: 5
 emits:
--- a/rules/ttp/R0002.yaml
+++ b/rules/ttp/R0002.yaml
@@ -3,11 +3,11 @@ rule_version: 1
 name: password_guessing
 description: |
  Multiple passwords tried against a single account in a window.
-  Cross-event; BehavioralLifter (E.3.9).
+  Cross-event; CredentialLifter (E.3.13).
 applies_to:
  - auth_attempt
 match:
-  kind: lifter:password_guessing
+  kind: lifter:credential_password_guessing
  pw_threshold: 5
  window_minutes: 5
 emits:
--- a/rules/ttp/R0003.yaml
+++ b/rules/ttp/R0003.yaml
@@ -7,7 +7,7 @@ description: |
 applies_to:
  - identity
 match:
-  kind: lifter:password_spraying
+  kind: lifter:identity_password_spraying
  account_threshold: 3
 emits:
  - tactic: TA0006
--- a/rules/ttp/R0005.yaml
+++ b/rules/ttp/R0005.yaml
@@ -3,11 +3,11 @@ rule_version: 1
 name: valid_account_use
 description: |
  Successful authentication on a previously-brute-forced account.
-  BehavioralLifter (E.3.9).
+  CredentialLifter (E.3.13).
 applies_to:
  - auth_attempt
 match:
-  kind: lifter:valid_account_use
+  kind: lifter:credential_valid_account_use
  require_prior_brute: true
 emits:
  - tactic: TA0001
--- a/rules/ttp/R0006.yaml
+++ b/rules/ttp/R0006.yaml
@@ -3,12 +3,12 @@ rule_version: 1
 name: default_credentials
 description: |
  Login attempt with a known default credential pair (root/root,
-  admin/admin, etc.). BehavioralLifter (E.3.9) reads credentials
+  admin/admin, etc.). CredentialLifter (E.3.13) reads credentials
  table.
 applies_to:
  - auth_attempt
 match:
-  kind: lifter:default_credentials
+  kind: lifter:credential_default_credentials
  pairs:
    - [root, root]
    - [admin, admin]