Cross-Project Correlation Register
Purpose
Define which project owns each shared concept and how consistency is reviewed.
Last Checked
2026-05-16
Canonical Ownership
| Shared Concept | Canonical Owner | Consuming Projects | Consistency Rule |
|---|---|---|---|
| Evidence labels | Field Manual | Customer-Driven AI CTI, Israel Threat Actors CTI | Use Observed, Reported, Assessed, Inferred, Unknown, Gap. |
| Source reliability | Field Manual | Customer-Driven AI CTI, Israel Threat Actors CTI | Use A-F source reliability and 1-6 information credibility with caveats. |
| Confidence language | Field Manual | Customer-Driven AI CTI, Israel Threat Actors CTI | Confidence reflects evidence quality, access, corroboration, and analytic consistency; it is not probability. |
| ATT&CK mapping rules | Field Manual | Customer-Driven AI CTI, Israel Threat Actors CTI | Map behavior only when evidence supports a technique; otherwise mark Gap / Not mapped. |
| DRL model | Field Manual | Customer-Driven AI CTI, Israel Threat Actors CTI | Only DRL-9 is production coverage. Lower levels are research, hunt, pilot, or validation states. |
| SOC handoff | Field Manual | Customer-Driven AI CTI | Include first checks, required logs, false positives, escalation, response authority, feedback loop. |
| AI-assisted CTI controls | Field Manual | Customer-Driven AI CTI | AI output cannot independently create attribution, confidence, or production-readiness decisions. |
| Customer delivery gates | Customer-Driven AI CTI | Field Manual, Israel Threat Actors CTI | Use gated execution for scoped customer work. |
| Actor/tool/TTP/detection knowledge | Israel Threat Actors CTI | Field Manual, Customer-Driven AI CTI | Actor-specific claims require source, evidence label, freshness date, and caveat. |
| Production-readiness boundary | Field Manual | All | Do not market research or synthetic testing as production SOC coverage. |
Review Workflow
- When a shared concept changes, update the canonical owner first.
- Update consuming projects only after the owner page is stable.
- Add or update crosslinks from consuming pages to the owner page.
- Run local build and internal link validation in each changed repository.
- Record the last checked date in this page and the sister-project correlation page.
- For detection readiness changes, verify the Israel CTI detection dashboard and Customer delivery gates do not overstate maturity.
Machine-Readable Register
The YAML source for this table is stored at:
data/correlation-register.yml