I support this proposal. To several people’s point on default – I agree with the proposal that ‘is_executable’ default to false. Getting into the subjective ‘which will occur more’ is both futurecasting as well as perspective. I do agree that, for the use cases I foresee, templates are the most likely playbook to be shared across org boundaries and between systems. But I think ‘false’ should be the default even if people think ‘executable’ playbooks are the more common case. -- Duncan Sparrell sFractal Consulting iPhone, iTypo, iApologize I welcome VSRE emails. Learn more at
http://vsre.info / From:
cacao@lists.oasis-open.org <
cacao@lists.oasis-open.org> on behalf of Bret Jordan <
jordan.oasisopen@gmail.com> Date: Wednesday, November 2, 2022 at 4:16 PM To: Mateusz Zych <
mateusdz@ifi.uio.no> Cc:
cacao@lists.oasis-open.org <
cacao@lists.oasis-open.org> Subject: Re: [cacao] Playbook Types I support this proposal too. I think the majority will honestly be templates. So something like is_executable is probably correct and a default of false is probably good. Bret On Wed, Nov 2, 2022 at 2:29 PM Mateusz Zych <
mateusdz@ifi.uio.no > wrote: Hi All, I agree and support this proposal. Best, Mateusz Zych On 2 Nov 2022, at 16:52, aa tt <
atcyber1000@gmail.com > wrote: Rich et al - I’m supportive of this change provided the proposed text to explain the template concept vs executable is updated to describe the use of this new property. I assume this property would be required (?) and therefore we should decide what the default value (false) would indicate. I suggest that the default value should be the likely majority playbook class/category. So if most playbooks will be templates then is_executable would be a good name and default to false. If most playbooks would be executable then is_template might be better to name the property and that way the default value of false would work nicely. Allan On Nov 2, 2022, at 6:47 AM, Rich Piazza <
rpiazza@mitre.org > wrote: Hi All, On the working call yesterday there was a discussion about section 1.3 of the CACAO working document. Some of the important points: The difference between an executable playbook and a playbook template is mostly subjective. There are suggestions to the text to help clarify this. There is no difference between an executable playbook and a playbook template in terms of their properties The term paybook class is confusing, since it is specified using the type property of a playbook. A suggested proposal is to remove the concept of playbook classes, and replace it by a new Boolean property, maybe called “is_executable”, to differentiate between executable playbooks and playbook templates. Rich -- Rich Piazza Lead Cyber Security Engineer The MITRE Corporation 781-271-3760 –––––––––––––––––––––––––––––––––––– MITRE - Solving Problems for a Safer World™