feat(intel): persist per-provider taxonomy on AttackerIntel for TTP dispatch

The 2026-05-02 ship-time audit of the R0054-R0058 intel rule pack found that AbuseIPDB / GreyNoise / ThreatFox stored only the aggregate verdict (score / classification / listed-bool) plus the raw response blob. The TTP IntelLifter expects per-provider taxonomy fields (categories, tags, threat_types) that were never populated, so R0054 / R0055 / R0057 emitted zero tags in production despite passing unit tests. Add typed columns: abuseipdb_categories, greynoise_tags, greynoise_name, feodo_malware_family, threatfox_threat_types, threatfox_ioc_types, threatfox_malware_families. Each provider now parses the relevant taxonomy out of the upstream response and writes it through column_updates. JSON-list columns ride as TEXT with default "[]" to keep the SQLite/MySQL backend split honest, deserialised back to native lists by the repo on read.
2026-05-02 18:07:57 -04:00
parent d1c4a48963
commit 999d3494b4
10 changed files with 272 additions and 1 deletions
--- a/tests/intel/test_threatfox.py
+++ b/tests/intel/test_threatfox.py
@@ -100,6 +100,61 @@ async def test_unexpected_status_is_error():
    assert result.column_updates == {}


+@pytest.mark.anyio
+async def test_threat_types_and_ioc_types_flattened(monkeypatch):
+    """Post-2026-05-02 audit: provider must extract the union of
+    ``threat_type`` / ``ioc_type`` / ``malware`` across all matches.
+    The IntelLifter dispatches ATT&CK on threat_type."""
+    monkeypatch.delenv("DECNET_THREATFOX_API_KEY", raising=False)
+
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(
+            200,
+            json={"query_status": "ok", "data": [
+                {
+                    "ioc_type": "ip:port",
+                    "threat_type": "botnet_cc",
+                    "malware": "Sliver",
+                },
+                {
+                    "ioc_type": "url",
+                    "threat_type": "payload_delivery",
+                    "malware_printable": "Emotet",
+                },
+                {
+                    "ioc_type": "ip:port",  # duplicate, dedup'd
+                    "threat_type": "botnet_cc",  # duplicate
+                    "malware": "Sliver",  # duplicate
+                },
+                "not a dict — silently skipped",
+            ]},
+        )
+
+    _install_transport(handler)
+    provider = ThreatFoxProvider()
+    result = await provider.lookup("1.2.3.4")
+    cu = result.column_updates
+    assert json.loads(cu["threatfox_threat_types"]) == [
+        "botnet_cc", "payload_delivery",
+    ]
+    assert json.loads(cu["threatfox_ioc_types"]) == ["ip:port", "url"]
+    assert json.loads(cu["threatfox_malware_families"]) == ["Emotet", "Sliver"]
+
+
+@pytest.mark.anyio
+async def test_no_result_clears_taxonomy_columns():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(200, json={"query_status": "no_result"})
+
+    _install_transport(handler)
+    provider = ThreatFoxProvider()
+    result = await provider.lookup("8.8.8.8")
+    cu = result.column_updates
+    assert cu["threatfox_threat_types"] == "[]"
+    assert cu["threatfox_ioc_types"] == "[]"
+    assert cu["threatfox_malware_families"] == "[]"
+
+
@pytest.mark.anyio
 async def test_http_error_surfaces():
    async def handler(request: httpx.Request) -> httpx.Response: