rule_id: R0054
rule_version: 2
last_reviewed: "2026-05-02"
next_review: "2026-08-02"
name: abuseipdb_category
description: |
  AbuseIPDB category → ATT&CK technique mapping per Appendix A.10.
  IntelLifter reads AttackerIntel.abuseipdb_categories and emits one
  tag per technique the predicate selects from the matched categories.

  v2 (2026-05-02 ship-time audit): expanded ``emits`` to cover every
  technique the predicate can produce — v1 silently dropped T1046
  (cat 14), T1078 (cat 20), T1090 (cats 9/13), T1496 (cat 11), T1498
  (cat 4 — still unmapped intentionally), T1595 (cats 14/19). Also
  corrects the cat 10/17 → 4/13 wire-vs-design typo and adds cat 7
  (Phishing) → T1566 and cat 16 (SQL Injection) → T1190.
applies_to:
  - intel
match:
  kind: lifter:intel_abuseipdb
  provider: abuseipdb
emits:
  - tactic: TA0006
    technique_id: T1110
    confidence: 0.7
  - tactic: TA0001
    technique_id: T1190
    confidence: 0.7
  - tactic: TA0001
    technique_id: T1566
    confidence: 0.7
  - tactic: TA0007
    technique_id: T1046
    confidence: 0.7
  - tactic: TA0001
    technique_id: T1078
    confidence: 0.6
  - tactic: TA0011
    technique_id: T1090
    confidence: 0.6
  - tactic: TA0040
    technique_id: T1496
    confidence: 0.6
  - tactic: TA0043
    technique_id: T1595
    confidence: 0.7
evidence_fields:
  - abuseipdb_categories
  - abuseipdb_score