# Rule R0057: maps abuse.ch ThreatFox intel matches to MITRE ATT&CK
# tactic/technique pairs and lists the IOC fields kept as evidence.
rule_id: R0057
rule_version: 1
name: threatfox_ioc
description: |
  abuse.ch ThreatFox IOC type → ATT&CK technique mapping with family attribution.
applies_to:
  - intel
# Selector for the records this rule handles.
# NOTE(review): nesting of `provider` under `match` is inferred from the
# key order; confirm against the rule schema.
match:
  kind: lifter:intel_threatfox
  provider: threatfox
# Both entries below are static: nothing in this rule conditions them on
# ioc_type or threat_type.
# NOTE(review): the description promises an IOC-type-dependent mapping. If the
# engine emits every entry for every match, a hash or payload-delivery IOC is
# also labelled as C2 traffic (T1071), which can mislead triage. Confirm how
# the engine selects entries.
emits:
  # TA0011 Command and Control / T1071 Application Layer Protocol.
  - tactic: TA0011
    technique_id: T1071
    # Fixed value. ThreatFox publishes a per-IOC confidence_level; presumably
    # it is not consulted here. TODO confirm.
    confidence: 0.8
  # TA0042 Resource Development / T1588.001 Obtain Capabilities: Malware.
  - tactic: TA0042
    technique_id: T1588
    sub_technique_id: T1588.001
    confidence: 0.8
# Fields named as evidence for the emitted techniques; presumably copied from
# the matched ThreatFox record. Verify against the lifter output.
evidence_fields:
  - ioc_type
  - malware_family
  - threat_type