anti
b819dfefa3
5 YAMLs for the intel-verdict cohort per Appendix B / A.10: AbuseIPDB category mapping, GreyNoise classification, Feodo Tracker hit, ThreatFox IOC type, aggregate-malicious bump-only. IntelLifter (E.3.10) consumes by rule_id and tolerates absence silently (null provider column → no tag). R0058 is the meta bump-only rule — emits a single confidence=0.0 sentinel so it validates and surfaces in the catalogue, but the repository's sub-0.3 drop ensures no fresh tag persists if the fanout fires accidentally. test_intel_rules.py pins that zero-confidence invariant. Marks E.3.8 done in development/TTP_TAGGING.md with the cohort- split summary.
24 lines
687 B
YAML
24 lines
687 B
YAML
rule_id: R0058
|
|
rule_version: 1
|
|
name: aggregate_malicious_verdict_bump
|
|
description: |
|
|
Aggregate intel verdict = "malicious" with no specific provider
|
|
mapping. Per Appendix B: confidence-bump existing tags only,
|
|
never emits a fresh tag. emits is intentionally a single
|
|
zero-confidence sentinel so the rule still validates and the
|
|
catalogue surfaces it; the IntelLifter inspects rule_id and
|
|
bumps existing tags' confidence rather than calling the engine
|
|
fanout.
|
|
applies_to:
|
|
- intel
|
|
match:
|
|
kind: lifter:intel_aggregate_bump
|
|
bump_amount: 0.05
|
|
emits:
|
|
- tactic: TA0042
|
|
technique_id: T1588
|
|
confidence: 0.0
|
|
evidence_fields:
|
|
- aggregate_verdict
|
|
- bumped_rule_ids
|