OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Secu

1. Playbook Functionalities

    Posted 11-19-2022 15:22
    All,

    Based on the proposal from Marlon, which several people have supported, we have the following:

    - playbook_types is optional with a normative SHOULD use
    - playbook_functionalities is optional with a normative SHOULD use & a normative MUST use if playbook_types is used.

    This gives us the potential of having something like:

    ```json
    {
      "type": "playbook",
      "spec_version": "cacao-1.1",
      "id": "playbook--91220064-3c6f-4b58-99e9-196e64f9bde7",
      "name": "Find Malware FuzzyPanda",
      "description": "This playbook will look for FuzzyPanda on the network and in a SIEM",
      "playbook_types": ["investigation", "detection"],
      "playbook_functionalities": ["analyze-collected-data", "identify-indicators", "scan-system"],
      ....
    }
    ```

    I am wondering if playbook_types and playbook_functionalities should be combined into something like:

    ```json
    {
      "type": "playbook",
      "spec_version": "cacao-1.1",
      "id": "playbook--91220064-3c6f-4b58-99e9-196e64f9bde7",
      "name": "Find Malware FuzzyPanda",
      "description": "This playbook will look for FuzzyPanda on the network and in a SIEM",
      "playbook_types": {
        "investigation": ["analyze-collected-data", "identify-indicators"],
        "detection": ["scan-system"]
      },
      ....
    }
    ```

    I basically changed playbook_types from a list to a dictionary. Would something like this help? And if we do not like the playbook_types name with the combined data, it could be changed to something else. Maybe characteristics or something.

    Dez, Rich, Marlon? Do we want to try and tie the functionalities to the type being used?

    Bret
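As an added illustration of the two shapes under discussion (not code from the CACAO TC or the specification), the checker below enforces the proposed rule, that `playbook_functionalities` MUST be present whenever `playbook_types` is used and both SHOULD be present otherwise, and flattens the proposed dictionary form back to the two lists so a consumer can treat either shape the same way. The sample playbooks are constructed from the post above with the `....` elisions dropped; the warning and error wording is assumed.

```python
import json

# Constructed from the two shapes in the post above ("...." elisions dropped).
FLAT = json.loads("""{
  "type": "playbook", "spec_version": "cacao-1.1",
  "id": "playbook--91220064-3c6f-4b58-99e9-196e64f9bde7",
  "name": "Find Malware FuzzyPanda",
  "playbook_types": ["investigation", "detection"],
  "playbook_functionalities": ["analyze-collected-data", "identify-indicators", "scan-system"]
}""")
COMBINED = json.loads("""{
  "type": "playbook", "spec_version": "cacao-1.1",
  "id": "playbook--91220064-3c6f-4b58-99e9-196e64f9bde7",
  "name": "Find Malware FuzzyPanda",
  "playbook_types": {"investigation": ["analyze-collected-data", "identify-indicators"],
                     "detection": ["scan-system"]}
}""")


def check_playbook(pb):
    """Return (errors, warnings, types, functionalities) for one playbook dict.

    errors   - violations of the proposed MUST (functionalities required when types used)
    warnings - departures from the proposed SHOULD (each property recommended)
    types / functionalities - flat, de-duplicated lists in first-seen order,
    whichever of the two shapes the playbook used.
    """
    errors, warnings = [], []
    types = pb.get("playbook_types")
    funcs = pb.get("playbook_functionalities")
    if isinstance(types, dict):
        # Proposed combined shape: each type carries the functionalities it uses,
        # so the functionalities list is derived rather than stated separately.
        flat_funcs = []
        for t, fs in types.items():
            if not isinstance(fs, list) or not fs:
                errors.append(f"playbook_types[{t!r}] must be a non-empty list")
                continue
            for f in fs:
                if f not in flat_funcs:
                    flat_funcs.append(f)
        return errors, warnings, list(types), flat_funcs
    if types is None:
        warnings.append("playbook_types absent (normative SHOULD)")
    elif not isinstance(types, list):
        errors.append("playbook_types must be a list (or a dictionary in the combined form)")
    if funcs is None:
        # MUST when playbook_types is used, otherwise only a SHOULD.
        target = errors if types is not None else warnings
        target.append("playbook_functionalities absent (MUST when playbook_types is used)")
    return errors, warnings, list(types or []), list(funcs or [])
```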