feat(ttp): E.3.8 R0054-R0058 intel cohort + mark step done
5 YAMLs for the intel-verdict cohort per Appendix B / A.10: AbuseIPDB category mapping, GreyNoise classification, Feodo Tracker hit, ThreatFox IOC type, aggregate-malicious bump-only. IntelLifter (E.3.10) consumes by rule_id and tolerates absence silently (null provider column → no tag). R0058 is the meta bump-only rule — emits a single confidence=0.0 sentinel so it validates and surfaces in the catalogue, but the repository's sub-0.3 drop ensures no fresh tag persists if the fanout fires accidentally. test_intel_rules.py pins that zero-confidence invariant. Marks E.3.8 done in development/TTP_TAGGING.md with the cohort- split summary.
This commit is contained in:
25
rules/ttp/R0054.yaml
Normal file
25
rules/ttp/R0054.yaml
Normal file
@@ -0,0 +1,25 @@
|
||||
rule_id: R0054
|
||||
rule_version: 1
|
||||
name: abuseipdb_category
|
||||
description: |
|
||||
AbuseIPDB category → ATT&CK technique mapping per Appendix A.10.
|
||||
IntelLifter reads AttackerIntel.abuseipdb_categories and emits
|
||||
one tag per matching category code.
|
||||
applies_to:
|
||||
- intel
|
||||
match:
|
||||
kind: lifter:intel_abuseipdb
|
||||
provider: abuseipdb
|
||||
emits:
|
||||
- tactic: TA0006
|
||||
technique_id: T1110
|
||||
confidence: 0.7
|
||||
- tactic: TA0001
|
||||
technique_id: T1190
|
||||
confidence: 0.7
|
||||
- tactic: TA0001
|
||||
technique_id: T1566
|
||||
confidence: 0.7
|
||||
evidence_fields:
|
||||
- abuseipdb_categories
|
||||
- abuse_confidence_score
|
||||
Reference in New Issue
Block a user