Service-Bus: ttp.rule.reloaded.{rule_id} + ttp.rule.state.{rule_id}
Per-rule fan-out topics fired by FilesystemRuleStore (E.3.5); DatabaseRuleStore (E.3.6) will publish the same topics. Land here in the same logical change as decnet/bus/topics.py per the project's wiki-checkout discipline.
@@ -177,6 +177,8 @@ Current topic families:
| `ttp.tagged` | _reserved (TTP worker)_ | `{tag_uuids: [...], techniques_added: [...], attacker_uuid?, identity_uuid, session_id?}` — published only when `INSERT OR IGNORE` wrote at least one new row. Idempotent re-evaluations that produce zero new tags publish zero events (loop-prevention invariant — a webhook subscriber re-triggering enrichment on `ttp.tagged` could otherwise loop forever). |
| `ttp.rule.fired.{technique_id}` | _reserved (TTP worker)_ | `{rule_id, technique_id, sub_technique_id?, tag_uuid, confidence}` — per-technique fan-out for SIEM correlation rules that subscribe to one technique. Topic key is the parent technique; `sub_technique_id` lives in the payload. Use `ttp.rule.fired.>` for fleet-wide subscribers. |
| `ttp.rule.suppressed` | _reserved (TTP worker)_ | `{rule_id, technique_id, reason}` where `reason ∈ {"below_floor", "rate_limited", "rule_disabled"}` — observability for tags that *would have* been written but were dropped. Drives the dashboard's per-rule suppression counters. |
| `ttp.rule.reloaded.{rule_id}` | `decnet.ttp.store` (FilesystemRuleStore + DatabaseRuleStore) | `{rule_id, rule_version, deleted?}` — fired by the rule store when a rule's *definition* changes (YAML edit on disk for the FS backend, `ttp_rule` row update on the DB backend). One event per per-rule edit — never batched. A 5-rule deploy fires 5 events; the engine recompiles each rule alone and atomically swaps it into the dispatch index. Built via `topics.ttp_rule_reloaded(rule_id)`; fleet subscribers use `ttp.rule.reloaded.>`. `deleted: true` indicates the rule file was removed. |
| `ttp.rule.state.{rule_id}` | `decnet.ttp.store` (FilesystemRuleStore + DatabaseRuleStore) + `POST /api/v1/ttp/rules/{rule_id}/state` | `{rule_id, state, set_by, auto_revert?}` — fired when a rule's *operational state* changes (operator hits disable/clip via the API, or an `expires_at` TTL fires and auto-reverts the state). `state ∈ {"enabled", "disabled", "clipped"}`. `auto_revert: true` flags TTL-driven reverts so dashboards can distinguish them from operator actions. Built via `topics.ttp_rule_state(rule_id)`; fleet subscribers use `ttp.rule.state.>`. |
| `system.log` | _reserved_ | — |
| `system.bus.health` | Bus worker heartbeat | `{ts, uptime_s}` |
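Review bot: the `ttp.rule.reloaded.{rule_id}` row reads "One event per per-rule edit" (doubled "per") and describes `deleted: true` as "the rule file was removed", which only covers the FS backend even though the row names both stores; suggest "the rule was removed (YAML file deleted on the FS backend, `ttp_rule` row deleted on the DB backend)" and state whether `rule_version` is still populated on a delete event, since the engine presumably needs it to evict the right compiled rule from the dispatch index. In the `ttp.rule.state.{rule_id}` row, `set_by` appears in the payload but is never defined: say what it carries for an operator action via `POST /api/v1/ttp/rules/{rule_id}/state` versus a TTL auto-revert (`auto_revert: true`), because dashboards and audit consumers will key on it. The same row admits `state = "clipped"`, yet the `ttp.rule.suppressed` reason set above lists only `"below_floor"`, `"rate_limited"` and `"rule_disabled"`; document which reason, if any, a clipped rule's dropped tags are reported under so the per-rule suppression counters stay complete.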