Tables
10B3 fp queue summary
10B3_fp_queue_summary.csv
| queue | count | percent |
| --- | --- | --- |
| TRACE-dominant | 0 | 0.0 |
| Low-volume | 99 | 100.0 |
| Suspicious-low-volume (SUSPICIOUS >= 3) | 0 | 0.0 |
10B7 taxonomy summary
10B7_taxonomy_summary.csv
| taxonomy | events_in_behavior_pack |
| --- | --- |
10B8 confidence summary
10B8_confidence_summary.csv
| hostility_confidence | events_in_pack | percent |
| --- | --- | --- |
10B8 ip conf rollup
10B8_ip_conf_rollup.csv
| ip | max_conf_rank | behaviors | events | first_seen | last_seen | max_confidence |
| --- | --- | --- | --- | --- | --- | --- |
10B9 high confidence ips
10B9_high_confidence_ips.csv
| ip | max_rank | events | behaviors | high_events | medium_events | low_events | first_seen | last_seen | max_confidence | TRACE | SUSPICIOUS | BENIGN | trace_ratio | fp_rationale | soc_cohort |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
10B9 ip rollup
10B9_ip_rollup.csv
| ip | max_rank | events | behaviors | high_events | medium_events | low_events | first_seen | last_seen | max_confidence | TRACE | SUSPICIOUS | BENIGN | trace_ratio | fp_rationale | soc_cohort |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
10B10 cohort scope
10B10_cohort_scope.csv
| cohort | ip_count | percent_of_fp_review_ips | evidence_depth |
| --- | --- | --- | --- |
| FP review cohort (broad queue) — df_fp_review | 99 | 100.0 | Shallow (queueing) |
| Queue: TRACE-dominant — df_fp_queue_trace | 0 | 0.0 | Shallow (queueing) |
| Queue: Low-volume — df_fp_queue_low | 99 | 100.0 | Shallow (queueing) |
| Queue: Suspicious-low-volume — df_fp_queue_susp_low | 0 | 0.0 | Deep candidate subset |
| Deep evidence cohort (behavior pack) — df_fp_behavior_pack | 0 | 0.0 | Deep (behavior-backed) |
| High-confidence hostile indicators (within deep) — df_fp_high_indicator_ips | 0 | 0.0 | Deep (prioritized) |
10B11 artifacts index
10B11_artifacts_index.csv
| artifact | description | shape |
| --- | --- | --- |
| df_events | Canonical evidence dataframe (windowed, normalized) | (99, 11) |
| AUDIT_WINDOW | Canonical time window contract | |
| df_fp_review | FP review queue (broad) | (99, 17) |
| df_fp_stratified | FP stratification categories (optional) | (99, 18) |
| df_fp_queue_summary | FP triage queue summary (optional) | (3, 3) |
| df_fp_queue_trace | Queue: TRACE-dominant (optional) | (0, 18) |
| df_fp_queue_low | Queue: low-volume (optional) | (99, 18) |
| df_fp_queue_susp_low | Queue: suspicious-low-volume (optional) | (0, 18) |
| df_fp_behavior_pack | Behavior-compressed deep evidence pack | (0, 9) |
| df_fp_taxonomy_summary | Behavior taxonomy summary (counts; optional) | (0, 2) |
| df_fp_confidence_summary | Hostility confidence distribution (optional) | (0, 3) |
| df_fp_high_indicator_ips | High-confidence IP list (deep cohort) | (0, 16) |
| df_fp_cohort_scope | Cohort scope + evidence depth table | (6, 4) |
| SOC_NARRATIVE_10B7 | Narrative: behavior taxonomy (10B.7) | |
| SOC_NARRATIVE_10B8 | Narrative: hostility confidence triage (10B.8) | |
| SOC_NARRATIVE_10B9 | Narrative: review cohorts framing (10B.9) | |
| SOC_NARRATIVE_10B10 | Narrative: cohort scope + depth framing (10B.10) | |
| df_ip_conf | Per-IP confidence rollup (optional) | (0, 7) |
| df_fp_cohort_metrics | Cohort metrics table (optional) | (0, 3) |
| df_ip_roll | Per-IP cohort rollup (optional) | (0, 16) |
| df_top_indicators | Top indicators table (optional) | (0, 3) |
| df_fp_taxonomy_ip_counts | Taxonomy unique-IP counts (optional) | (0, 2) |
11 8 ip triage roster
11_8_ip_triage_roster.csv
| ip | max_confidence | quadrant | behaviors | events | first_seen | last_seen |
| --- | --- | --- | --- | --- | --- | --- |
11 9 ip network enrichment
11_9_ip_network_enrichment.csv
| ip | max_conf_rank | behaviors | events | first_seen | last_seen | max_confidence | in_high_conf_subset | rdns | asn | asn_description | asn_country_code | network_name | whois_source | enrichment_status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
11 10 asn counts all
11_10_asn_counts_all.csv
| asn | network_name | ip_count | asn_label |
| --- | --- | --- | --- |
11 10 asn counts high
11_10_asn_counts_high.csv
| asn | network_name | ip_count | asn_label |
| --- | --- | --- | --- |
11 10 country counts all
11_10_country_counts_all.csv
| asn_country_code | ip_count |
| --- | --- |
11 10 country counts high
11_10_country_counts_high.csv
| asn_country_code | ip_count |
| --- | --- |
11 11 hosting classification full
11_11_hosting_classification_full.csv
| ip | max_conf_rank | behaviors | events | first_seen | last_seen | max_confidence | in_high_conf_subset | rdns | asn | asn_description | asn_country_code | network_name | whois_source | enrichment_status | conf_rank | hosting_type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
11 11 hosting classification summary
11_11_hosting_classification_summary.csv
| hosting_type | ip_count | high_conf_ips |
| --- | --- | --- |
11 12 reverse context full
11_12_reverse_context_full.csv
| ip | max_conf_rank | behaviors | events | first_seen | last_seen | max_confidence | in_high_conf_subset | rdns | asn | asn_description | asn_country_code | network_name | whois_source | enrichment_status | conf_rank | reverse_domains_count | reverse_domains_sample | reverse_lookup_status | reverse_lookup_note | ptr_fresh | cohosting_signal | cohosting_basis |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
11 12 reverse summary deep
11_12_reverse_summary_deep.csv
| cohosting_signal | ip_count | high_conf_ips | reverseip_ok | percent_of_deep_cohort |
| --- | --- | --- | --- | --- |
11 12 reverse summary high
11_12_reverse_summary_high.csv
| cohosting_signal | ip_count | percent_of_high_conf_subset |
| --- | --- | --- |
11 13 asn counts deep
11_13_asn_counts_deep.csv
| asn_label | ip_count | percent | subset |
| --- | --- | --- | --- |
| AS13335 — CLOUDFLARENET - Cloudflare, Inc., US | 3 | 27.27 | deep_cohort |
| AS14061 — DIGITALOCEAN-ASN - DigitalOcean, LLC, US | 2 | 18.18 | deep_cohort |
| AS23470 — RELIABLESITE - ReliableSite.Net LLC, US | 2 | 18.18 | deep_cohort |
| AS8075 — MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US | 2 | 18.18 | deep_cohort |
| AS211590 — BUCKLOG, FR | 1 | 9.09 | deep_cohort |
| AS44050 — PIN-AS, RU | 1 | 9.09 | deep_cohort |
11 13 asn counts high
11_13_asn_counts_high.csv
| asn_label | ip_count | percent | subset |
| --- | --- | --- | --- |
| AS13335 — CLOUDFLARENET - Cloudflare, Inc., US | 3 | 75.0 | high_conf_subset |
| AS211590 — BUCKLOG, FR | 1 | 25.0 | high_conf_subset |
11 13 country counts deep
11_13_country_counts_deep.csv
| asn_country_code | ip_count | percent | subset |
| --- | --- | --- | --- |
| US | 9 | 81.82 | deep_cohort |
| FR | 1 | 9.09 | deep_cohort |
| RU | 1 | 9.09 | deep_cohort |
11 13 country counts high
11_13_country_counts_high.csv
| asn_country_code | ip_count | percent | subset |
| --- | --- | --- | --- |
| US | 3 | 75.0 | high_conf_subset |
| FR | 1 | 25.0 | high_conf_subset |
11 13 network counts deep
11_13_network_counts_deep.csv
| network_name | ip_count | percent | subset |
| --- | --- | --- | --- |
| CLOUDFLARENET | 3 | 27.27 | deep_cohort |
| MSFT | 2 | 18.18 | deep_cohort |
| DIGITALOCEAN-134-209-0-0 | 1 | 9.09 | deep_cohort |
| DIGITALOCEAN-161-35-0-0 | 1 | 9.09 | deep_cohort |
| FR-FBW-NETWORKS-20161110 | 1 | 9.09 | deep_cohort |
| NET-104-243-35-80-28 | 1 | 9.09 | deep_cohort |
| PIN-DATACENTER-NET | 1 | 9.09 | deep_cohort |
| RELIABLESITE-NETBLOCK | 1 | 9.09 | deep_cohort |
11 13 network counts high
11_13_network_counts_high.csv
| network_name | ip_count | percent | subset |
| --- | --- | --- | --- |
| CLOUDFLARENET | 3 | 75.0 | high_conf_subset |
| FR-FBW-NETWORKS-20161110 | 1 | 25.0 | high_conf_subset |
11 14 cross signal intersection full
11_14_cross_signal_intersection_full.csv
| ip | max_conf_rank | high_events | total_events | max_confidence | distinct_behaviors | behavior_events | asn_country_code | asn | network_name | asn_description | rdns | in_high_conf_subset | cohosting_signal | cohosting_basis | reverse_lookup_status | reverse_domains_count | score | priority_tier |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
11 14 cross signal intersection summary
11_14_cross_signal_intersection_summary.csv
| priority_tier | ip_count | high_conf_ips |
| --- | --- | --- |
11 14 cross signal intersection top
11_14_cross_signal_intersection_top.csv
| ip | max_conf_rank | high_events | total_events | max_confidence | distinct_behaviors | behavior_events | asn_country_code | asn | network_name | asn_description | rdns | in_high_conf_subset | cohosting_signal | cohosting_basis | reverse_lookup_status | reverse_domains_count | score | priority_tier |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
Audit posture: descriptive export only. No enforcement, allowlisting, suppression, or config changes.