IdentityLifter owns lifter:identity_* — currently R0003 (password spraying). CredentialLifter owns lifter:credential_* — R0001 generic auth brute, R0002 password guessing, R0004 credential reuse, R0005 valid-account use, R0006 default credentials. YAMLs R0001/R0002/R0003/R0005/R0006 had their match.kind normalised to fit the lifter prefix scheme — the design doc's promised "YAMLs normalised in a separate refactor commit" lands here. Identity-rollup tags null out attacker_uuid on emit so the worked-example invariant holds (the tag belongs to the Identity, never to one member IP). Tests: test_identity_lifter.py + test_credential_lifter.py cover each predicate's positive/negative path, state modulation (disabled/clipped/expired), source-kind gating, and idempotent replay. test_lifter_absence and test_lifters updated for the new ctor signature.
21 lines
446 B
YAML
rule_id: R0001
rule_version: 1
name: generic_auth_brute
description: |
  Repeated failed auth across services/accounts. Cross-event;
  emitted by the CredentialLifter (E.3.13) — v0 RuleEngine cannot
  count.
applies_to:
  - auth_attempt
match:
  kind: lifter:credential_auth_brute_generic
  fail_threshold: 5
  window_minutes: 5
emits:
  - tactic: TA0006
    technique_id: T1110
    confidence: 0.85
    evidence_fields:
      - fail_count
      - service
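As an added example (not the project's own code), a small Python stand-in for the cross-event counting that R0001 delegates to the CredentialLifter: it gates on failed auth_attempt events, counts them per source IP over the rule's 5-minute window, emits the TA0006/T1110 tag with fail_count and service evidence once 5 failures are inside the window, and stays idempotent when the same events are replayed. The event field names, the per-IP keying and the sample events are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta
# Match/emit parameters copied from the R0001 YAML on this page.
R0001 = {"rule_id": "R0001", "kind": "lifter:credential_auth_brute_generic",
         "fail_threshold": 5, "window_minutes": 5,
         "tactic": "TA0006", "technique_id": "T1110", "confidence": 0.85}


class CredentialLifter:
    """Hypothetical stand-in for the page's CredentialLifter: sliding-window count
    of failed auth_attempt events per source IP, one tag per (source, window)."""
    def __init__(self, rule):
        self.rule = rule
        self.seen = set()     # event ids already consumed -> idempotent replay
        self.fails = {}       # src_ip -> deque of (timestamp, service)
        self.emitted = set()  # (src_ip, oldest fail ts in window) already tagged

    def observe(self, ev):
        # Source-kind gating: only failed auth_attempt events feed the counter.
        if ev["kind"] != "auth_attempt" or ev["outcome"] != "failure":
            return None
        if ev["id"] in self.seen:  # replaying the same event must not re-count it
            return None
        self.seen.add(ev["id"])
        ts = datetime.fromisoformat(ev["ts"])
        q = self.fails.setdefault(ev["src_ip"], deque())
        q.append((ts, ev["service"]))
        while ts - q[0][0] > timedelta(minutes=self.rule["window_minutes"]):
            q.popleft()  # drop failures that fell out of the window
        if len(q) < self.rule["fail_threshold"]:
            return None
        key = (ev["src_ip"], q[0][0])  # one tag per window start, not per extra fail
        if key in self.emitted:
            return None
        self.emitted.add(key)
        return {"rule_id": self.rule["rule_id"], "kind": self.rule["kind"],
                "tactic": self.rule["tactic"], "technique_id": self.rule["technique_id"],
                "confidence": self.rule["confidence"], "src_ip": ev["src_ip"],
                # evidence_fields from the YAML: fail_count plus services seen in window
                "evidence": {"fail_count": len(q), "service": sorted({s for _, s in q})}}


def run(lifter, events):
    return [tag for tag in map(lifter.observe, events) if tag]


def ev(i, minute, outcome="failure", kind="auth_attempt", service="ssh"):
    # Constructed sample events (not from the page); 203.0.113.7 is a doc-range IP.
    return {"id": f"e{i}", "kind": kind, "outcome": outcome, "src_ip": "203.0.113.7",
            "service": service, "ts": f"2024-01-01T10:{minute:02d}:00"}

EVENTS = [ev(1, 0), ev(2, 1), ev(3, 1, outcome="success"), ev(4, 2, service="smtp"),
          ev(5, 3), ev(6, 4), ev(7, 4, kind="process_start")]
```

Feeding EVENTS once yields a single tag with fail_count 5 (the success and the process_start event are gated out); feeding the same list again yields nothing.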