From 7d1f048764d4af4c5120cba1b204e01088b764d5 Mon Sep 17 00:00:00 2001
From: anti
Date: Sat, 2 May 2026 01:35:49 -0400
Subject: [PATCH] docs(ttp): E.4.b/E.4.c DEBT entries — provider review + Sigma deferral
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Quarterly TTP provider mapping review for AbuseIPDB / GreyNoise / abuse.ch
(Feodo Tracker, ThreatFox) catalogue drift against `rules/ttp/R0054..R0058`,
and the post-v1 trigger for the Sigma rule adapter. Both items reference
TTP_TAGGING.md sections so the rationale stays linked to the design doc.
---
 DEBT.md | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 DEBT.md

diff --git a/DEBT.md b/DEBT.md
new file mode 100644
index 00000000..e037cbf7
--- /dev/null
+++ b/DEBT.md
@@ -0,0 +1,35 @@ +# Tech debt — recurring + scheduled work + +This file is the canonical home for known tech debt that has a +specific cadence, expiry, or follow-up trigger. New entries land +here as part of the commit that introduces the underlying constraint; +removal is part of the commit that resolves it. + +## Recurring + +### TTP provider mapping review — quarterly + +Re-walk the AbuseIPDB / GreyNoise / abuse.ch ThreatFox / abuse.ch +Feodo Tracker catalogues for new categories or classification changes. +Reconcile against `rules/ttp/R0054..R0058` (the intel-verdict rule +pack) and bump rule versions for any drift. See +`development/TTP_TAGGING.md` §"Hard parts §9 Intel provider drift" for +the operational rationale. + +Owner: TTP rule maintainer (currently ANTI). +Cadence: every quarter, first week of the month. +Trigger: calendar reminder; no automated probe today. + +## One-shot + +### TTP Sigma adapter — post-v1 + +The Sigma rule format adapter is deferred to post-v1 per +`development/TTP_TAGGING.md` §"Tagging engines, layered §5". Lands +once v0 ships and the rule-precision targets stabilize so we have a +calibration reference for translated rules. Until then, +`decnet/ttp/impl/` does not gain a Sigma engine and `rules/ttp/` +stays YAML-only. + +Trigger: v0 precision targets met + at least one downstream user +who needs it.
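Review bot: the one-shot entry's heading and body disagree on what gates the Sigma adapter: the heading reads "### TTP Sigma adapter — post-v1" and the first sentence says "deferred to post-v1", but the landing condition is "once v0 ships" and the Trigger line is "v0 precision targets met + at least one downstream user who needs it", so a reader cannot tell whether the adapter is blocked on v0 or on v1; pick one and state it consistently in the heading, the body and the Trigger line. Two smaller points in the same hunk: the commit subject identifies these items as E.4.b/E.4.c, but neither entry carries that ID, so put it in the headings (e.g. "### TTP provider mapping review — quarterly (E.4.b)") so a DEBT entry can be grepped back to the tracker item; and "Cadence: every quarter, first week of the month." leaves the month unspecified, so say "first week of the quarter's first month" or whichever month is intended. The one-shot entry also lacks the "Owner:" line the recurring entry has, which matters more for work that has no calendar reminder attached.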