anti
d25f69ba1b
The four provider→technique tables (AbuseIPDB cat→techniques,
GreyNoise tag→techniques, ThreatFox threat_type→techniques, plus
the Feodo binary-listed signal) used to live as Final[dict] constants
in intel_lifter.py. Two real problems with that:
1. Drift between rules/ttp/R0054.yaml..R0058.yaml (which declare
the full slate per provider) and the Python dicts (which decide
which slate-member fires per signal). The v2 audit comment in
intel_lifter.py documented that they had silently drifted.
2. No ATT&CK provenance on emissions — the loaded STIX bundle has
rich external_references (canonical attack.mitre.org URLs) that
never surfaced because the lifter had no path back to them.
Mappings now live as YAML at decnet/ttp/data/intel/{provider}.yaml,
validated at load against the loaded ATT&CK bundle, with each entry
enriched by attack_stix._attack_pattern_by_id to attach the canonical
MITRE URL to every emission.
- decnet/ttp/data/intel_loader.py: pydantic-validated schema +
ProviderMapping/Signal/TechniqueEmission frozen dataclasses +
load_provider_mapping(provider) lru-cached.
- Per-technique high_score_threshold inlined into YAML
(collapses the separate _ABUSEIPDB_HIGH_SCORE_GATED dict).
- external_reference field follows the STIX 2.1 external-reference
shape (source_name + url + optional external_id) so the future
STIX/MISP exporter is a direct translation.
- intel_lifter.py: dicts deleted, decision functions read from
ProviderMapping accessors. Decision-flow constants (T1071/T1595
bare-classification fallbacks in _greynoise_decisions) stay in
code — they're not table rows.
- Each emit slot's evidence_extra now carries mitre_url for any
technique resolved in the bundle (every one in practice).
- tests/ttp/test_intel_mappings.py: snapshot equivalence vs the
legacy dicts, high-score gate behavior, every-signal-has-an-
external-reference, every-emission-has-a-mitre-url, negative
paths (unknown technique_id raises AttackBundleError, mismatched
provider field rejected, dir listing matches expected providers).
The YAML schema + mitre_url enrichment lays groundwork for the
future STIX exporter; this commit does NOT build that exporter.
46 lines
1.3 KiB
YAML
46 lines
1.3 KiB
YAML
# ThreatFox threat_type → ATT&CK technique mapping.
|
|
#
|
|
# Mirrors _THREATFOX_THREAT_TYPE_TO_TECHNIQUES from
|
|
# decnet/ttp/impl/intel_lifter.py. ThreatFox's canonical taxonomy is
|
|
# the ``threat_type`` field (NOT ``ioc_type`` — that was the v1
|
|
# ship-time bug). ``ioc_type`` is the indicator format (url, domain,
|
|
# md5_hash, …) and carries no ATT&CK signal.
|
|
provider: threatfox
|
|
mapping_version: "1"
|
|
attack_release: ">=15.1"
|
|
signals:
|
|
- id: botnet_cc
|
|
label: "Botnet C2"
|
|
external_reference:
|
|
source_name: threatfox
|
|
url: "https://threatfox.abuse.ch/faq/"
|
|
external_id: botnet_cc
|
|
techniques:
|
|
- technique_id: T1071
|
|
- technique_id: T1588
|
|
- id: payload_delivery
|
|
label: "Payload delivery"
|
|
external_reference:
|
|
source_name: threatfox
|
|
url: "https://threatfox.abuse.ch/faq/"
|
|
external_id: payload_delivery
|
|
techniques:
|
|
- technique_id: T1105
|
|
- technique_id: T1588
|
|
- id: payload
|
|
label: "Payload"
|
|
external_reference:
|
|
source_name: threatfox
|
|
url: "https://threatfox.abuse.ch/faq/"
|
|
external_id: payload
|
|
techniques:
|
|
- technique_id: T1588
|
|
- id: cc_skimming
|
|
label: "Credit-card skimming"
|
|
external_reference:
|
|
source_name: threatfox
|
|
url: "https://threatfox.abuse.ch/faq/"
|
|
external_id: cc_skimming
|
|
techniques:
|
|
- technique_id: T1056
|