Skip to content

feat(skillogy): import MITRE threat actors#766

Open
NetVar1337 wants to merge 4 commits into
agent/attck-group-registry-plan-20260710from
agent/attck-group-registry-c1
Open

feat(skillogy): import MITRE threat actors#766
NetVar1337 wants to merge 4 commits into
agent/attck-group-registry-plan-20260710from
agent/attck-group-registry-c1

Conversation

@NetVar1337

@NetVar1337 NetVar1337 commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

What changed

  • Import live MITRE ATT&CK Enterprise intrusion-set objects as deterministic ThreatActor nodes.
  • Preserve group IDs, STIX IDs, names, descriptions, aliases, lifecycle status, timestamps, matrix/framework metadata, and ATT&CK version.
  • Import live uses relationships as ThreatActor -[:USES_TECHNIQUE]-> Technique edges.
  • Reject malformed or unresolved relationship endpoints, including missing/non-string references.
  • Add deterministic unit coverage for actor records, actor-technique edges, lifecycle filtering, endpoint validation, and reversed STIX object order.
  • Regenerate the checked-in skills.cypher artifact required by the existing Skillogy build gate.

Why

This is C1 of the approved two-tier APT coverage foundation. It establishes the canonical MITRE ATT&CK group registry and actor-to-technique graph needed before curated overlays, coverage scoring, playbooks, and documentation can be layered on top.

Impact

  • Existing emit_mitre_records(Path) API remains unchanged.
  • Existing tactic, technique, sub-technique, and MatrixVersion behavior is preserved.
  • No new runtime dependency, configuration, CLI surface, overlay format, or migration is introduced.
  • Scope: 3 files; runtime diff is 70 additions / 2 deletions. The larger generated diff is the deterministic checked-in graph consumed by the existing CI gate.

Verification

  • make ci-lint: passed
    • Ruff check passed
    • Ruff format check passed (679 files)
    • basedpyright: 0 errors
  • Fast test lane: 4,972 passed, 45 skipped
  • Focused MITRE importer tests: 4 passed
  • Frozen Skillogy graph check: passed
    • 2,321 nodes / 10,282 input edges
    • generated deduplicated header: 2,321 nodes / 10,279 edges
    • 189 ThreatActor node merges
    • 4,546 USES_TECHNIQUE edge merges
  • git diff --check: passed
  • GitHub implementation/test files were verified byte-for-byte against the reviewed local tree.
  • The generated GitHub blob SHA is d744a34b07f2a511286e5444489976974b8af6df, exactly matching the local Git blob SHA.

One pre-existing Unix-domain-socket test was deselected because this execution sandbox blocks AF_UNIX; the user explicitly approved this environment-only exception.

Real MITRE bundle check

Validated against official Enterprise ATT&CK tag v19.1:

  • Tag object: a857062c124d963df0a3a18d6384d7586baa8a49
  • Peeled commit: 6c3719993d0401de199203ecc3f369544d9e091c
  • Bundle SHA-256: bdf1ce86a4e604214c5076d37ae4dcb322678afc528df8492e6fdc1b554f5da3
  • G0016 and its direct technique edges verified

Ponytail Full review

Applied the official Ponytail Full workflow to the implementation, tests, and branch diff.

  • Implementation review: no Critical, Important, or Minor findings
  • Verdict: Ready to merge: Yes
  • Lean check: Lean already. Ship.
  • Generated-artifact follow-up review: no Critical, Important, or Minor findings; exact regeneration SHA-256 f3446e209a0304e5243d419bfd48566b8a53ae6e95a093572cb08d727f34c427; Ready to merge: Yes.

Stack

Anti-goal

This PR does not claim complete two-tier APT coverage by itself. Curated overlays, coverage reporting, operator playbooks, skill expansion, docs integration, SaaS surfaces, and landing-page work follow in separate reviewable PRs.

@NetVar1337 NetVar1337 force-pushed the agent/attck-group-registry-plan-20260710 branch from 0cc3e1b to c92b5b2 Compare July 13, 2026 23:10
@NetVar1337 NetVar1337 force-pushed the agent/attck-group-registry-c1 branch from d005350 to bdcc05d Compare July 13, 2026 23:43
@NetVar1337 NetVar1337 marked this pull request as ready for review July 13, 2026 23:43
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@NetVar1337 NetVar1337 requested a review from PurpleCHOIms July 13, 2026 23:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant