MITRE ATT&CK Telemetry Mapping (Sprint 32)

This mapping ties SpectraStrike telemetry normalization and federation payloads to ATT&CK-aligned attributes used by downstream analytics.

Telemetry Contract Alignment

Event payloads are normalized with deterministic schema fields (telemetry.ml.v1 path).
Federation bridge sets ATT&CK fields from event attributes:
- mitre_techniques (default fallback T1595)
- mitre_tactics (default fallback TA0043)
Federation bridge also injects compliance control tags into outbound payload attributes:
- soc2_controls
- iso27001_annex_a_controls
- nist_800_53_controls
Event/finding payloads preserve tenant and execution fingerprint context for traceable ATT&CK analytics.

References:

Tool/Event Pattern	ATT&CK Technique(s)	ATT&CK Tactic(s)	Mapping Source
`nmap_scan_completed` / network probing	T1595 Active Scanning	TA0043 Reconnaissance	Event defaults and wrapper attributes
`metasploit_exploit_completed`	T1059 Command and Scripting Interpreter (context dependent)	TA0002 Execution	Wrapper event metadata + finding normalization
`sliver_command_completed`	T1105 Ingress Tool Transfer / operator command channel context	TA0011 Command and Control	Sliver wrapper telemetry attributes
`mythic_task_completed`	T1059 Command and Scripting Interpreter (task dependent)	TA0002 Execution	Mythic wrapper task telemetry attributes
Generic `PROCESS_ANOMALY` federation event	technique/tactic passed in attributes or fallback	attribute-driven	`vectorvue/rabbitmq_bridge.py` normalization

Tenant boundary: telemetry/finding payloads remain tenant-scoped.
Execution integrity: execution_fingerprint is carried for deterministic cross-system correlation.
Signed channel requirement: federation payloads are signed and delivered over mTLS.
Replay resistance: nonce and timestamp windows enforced on feedback ingestion path.

ATT&CK mapping is a telemetry enrichment baseline for analytics and compliance evidence.
Operational teams can override with richer per-technique tags in tool-specific output attributes.