anti
f8dee596e5
The IntelLifter's _emit_filtered fans out only the rule.emits entries
whose technique_id appears in the predicate's decision set. v1's emits
lists were narrow supersets of the common case, silently dropping the
rest of the predicate's possible emissions:
R0054 dropped: T1046 (cat 14), T1078 (cat 20), T1090 (cats 9/13),
T1496 (cat 11), T1595 (cats 14/19)
R0055 dropped: T1090 (tor_exit_node), T1110 (ssh_bruteforcer),
T1588 (the second emit of every C2-framework tag)
R0057 dropped: T1105 (payload_delivery, download_url)
Bump rule_version 1->2 on R0054/R0055/R0057, expand emits to cover
every technique the predicate produces. R0056 (Feodo) and R0058
(aggregate bump) carry no enum and stay at v1.
All five YAMLs gain `last_reviewed: "2026-05-02"` and
`next_review: "2026-08-02"` markers; the rule YAML is now the
canonical record of when the mapping was last reconciled against
upstream, with DEBT.md as the calendar reminder.
26 lines
741 B
YAML
26 lines
741 B
YAML
rule_id: R0058
|
|
rule_version: 1
|
|
last_reviewed: "2026-05-02"
|
|
next_review: "2026-08-02"
|
|
name: aggregate_malicious_verdict_bump
|
|
description: |
|
|
Aggregate intel verdict = "malicious" with no specific provider
|
|
mapping. Per Appendix B: confidence-bump existing tags only,
|
|
never emits a fresh tag. emits is intentionally a single
|
|
zero-confidence sentinel so the rule still validates and the
|
|
catalogue surfaces it; the IntelLifter inspects rule_id and
|
|
bumps existing tags' confidence rather than calling the engine
|
|
fanout.
|
|
applies_to:
|
|
- intel
|
|
match:
|
|
kind: lifter:intel_aggregate_bump
|
|
bump_amount: 0.05
|
|
emits:
|
|
- tactic: TA0042
|
|
technique_id: T1588
|
|
confidence: 0.0
|
|
evidence_fields:
|
|
- aggregate_verdict
|
|
- bumped_rule_ids
|