anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
05c0721a51c6d2cf80b9138601785bd2d4ca55d1
DECNET/rules/ttp/R0055.yaml
anti f8dee596e5 fix(ttp): expand R0054/R0055/R0057 emits + LAST_REVIEWED markers 
The IntelLifter's _emit_filtered fans out only the rule.emits entries
whose technique_id appears in the predicate's decision set. v1's emits
lists were narrow supersets of the common case, silently dropping the
rest of the predicate's possible emissions:

  R0054 dropped: T1046 (cat 14), T1078 (cat 20), T1090 (cats 9/13),
                 T1496 (cat 11), T1595 (cats 14/19)
  R0055 dropped: T1090 (tor_exit_node), T1110 (ssh_bruteforcer),
                 T1588 (the second emit of every C2-framework tag)
  R0057 dropped: T1105 (payload_delivery, download_url)

Bump rule_version 1->2 on R0054/R0055/R0057, expand emits to cover
every technique the predicate produces. R0056 (Feodo) and R0058
(aggregate bump) carry no enum and stay at v1.

All five YAMLs gain `last_reviewed: "2026-05-02"` and
`next_review: "2026-08-02"` markers; the rule YAML is now the
canonical record of when the mapping was last reconciled against
upstream, with DEBT.md as the calendar reminder.
2026-05-02 18:09:03 -04:00

44 lines
1.2 KiB
YAML
Raw Blame History

rule_id: R0055
rule_version: 2
last_reviewed: "2026-05-02"
next_review: "2026-08-02"
name: greynoise_classification
description: |
GreyNoise classification + tag → ATT&CK technique per A.10.
IntelLifter reads AttackerIntel.greynoise_classification and
greynoise_tags. Note: the Community endpoint does not return tags;
the tag-driven emits become live only when an operator wires a
non-Community provider plan that does.
v2 (2026-05-02 ship-time audit): expanded ``emits`` to cover
T1090 (tor_exit_node), T1110 (ssh_bruteforcer), T1588 (C2-framework
tags' second emit) — v1 silently dropped all three. Bare
``classification == "malicious"`` now lights T1071 at half
multiplier when no recognised tag fires.
applies_to:
- intel
match:
kind: lifter:intel_greynoise
provider: greynoise
emits:
- tactic: TA0043
technique_id: T1595
sub_technique_id: T1595.002
confidence: 0.7
- tactic: TA0011
technique_id: T1071
confidence: 0.7
- tactic: TA0011
technique_id: T1090
confidence: 0.7
- tactic: TA0006
technique_id: T1110
confidence: 0.7
- tactic: TA0042
technique_id: T1588
confidence: 0.7
evidence_fields:
- greynoise_classification
- greynoise_tags
- greynoise_name
Reference in New Issue View Git Blame Copy Permalink