OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Secu

  • 1.  Re: (CACAO) for Cyber Security TC - Feedback

    Posted 01-14-2022 21:20
    Vaman,

    We are trying to understand how to add these features to CACAO. I know we have talked a bit about this before the holidays, but that was some time ago. Can you help us better understand through some examples and maybe some proposed descriptions? We have talked about these a few times as a TC, and I think we generally understand what you are looking for, but we want to make sure.

    Thanks,
    Bret

    On Nov 4, 2021, at 11:43 AM, Vaman Amarjeet Gokuldas Kini <vkini@worldbankgroup.org> wrote:

    > Dear All,
    >
    > I am sorry for the delayed feedback. Sharing my thoughts on the content.
    >
    > While some of the facts might be covered by 2.1.3 Investigation playbook, I think most orgs would start their journey with enriching events. My suggestion would be to have a dedicated enrichment playbook which enriches the event.
    >
    > Another type of playbook that I would suggest is Guardrail/Safety. These need to be the ones that are hooked in when the remediation playbook is invoked and will have components of actions that never should be taken (shut down a core system, kill a core process on the host, etc.) and should generate feedback to the decision point in the OODA loop.
    >
    > In the portions where user/identity is defined (mainly in sec 6) it might be beneficial to also include the role of that identity. Often, we might want to only use a read-only role to pull data but a more powerful role (where the credential is taken from a vault) for a remediation action.
    >
    > Please let me know if this is helpful and I will find more time to contribute. I am in the process of setting up an internal process of SOAR use case management and find this document to be very helpful.
    >
    > Vaman Kini
    > Senior Information Security Officer
    > Office of Information Security
    > Information and Technology Solutions
    > E vkini@worldbankgroup.org
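The quoted message proposes two things that are easy to misread in prose: a guardrail/safety playbook that is consulted whenever a remediation playbook is invoked and that feeds its verdict back to the decision point, and an explicit role on each identity so that enrichment runs read-only while remediation uses a vault-backed privileged role. The following is an added illustration written for this page, not material from the CACAO TC or from the poster. It uses a constructed, simplified step/identity model rather than the CACAO schema; the rule table, action names, asset tags and sample steps are all hypothetical.

```python
"""Guardrail/safety check plus role check for SOAR playbook steps.

Added example, not CACAO TC material. The Step/Identity structures are a
constructed simplification, not the CACAO playbook schema.
"""
from dataclasses import dataclass, field

# Hypothetical guardrail table: actions that must never run against the
# tagged assets (the "never shut down / never kill a core process" rules).
GUARDRAILS = {
    "shutdown_host": {"asset_tag": "core"},
    "kill_process": {"process_tag": "core"},
}

# Hypothetical set of enrichment (read-only) actions; everything else is
# treated as remediation, i.e. as changing state.
ENRICHMENT_ACTIONS = {"lookup_ip_reputation", "lookup_user"}


@dataclass
class Identity:
    name: str
    role: str                # "read-only" or "remediation"
    credential_source: str   # "static" or "vault"


@dataclass
class Step:
    step_id: str
    action: str
    target: dict
    identity: Identity


@dataclass
class Feedback:
    """Verdict returned to the decision point (Decide stage of the OODA loop)."""
    allowed: list = field(default_factory=list)
    blocked: list = field(default_factory=list)   # (step_id, reason) pairs


def violates_guardrail(step):
    """Return a reason string if the step hits a guardrail rule, else None."""
    rule = GUARDRAILS.get(step.action)
    if rule is None:
        return None
    for key, forbidden in rule.items():
        if step.target.get(key) == forbidden:
            return f"{step.action} on {key}={forbidden} is never permitted"
    return None


def role_problem(step):
    """Return a reason string if the identity's role is wrong for the step."""
    if step.action in ENRICHMENT_ACTIONS:
        if step.identity.role != "read-only":
            return "enrichment must use a read-only role"
        return None
    if step.identity.role != "remediation":
        return "remediation step requires the remediation role"
    if step.identity.credential_source != "vault":
        return "remediation credential must come from a vault"
    return None


def guardrail_check(steps):
    """Evaluate every proposed step; nothing is executed here, only judged."""
    fb = Feedback()
    for step in steps:
        reason = violates_guardrail(step) or role_problem(step)
        if reason:
            fb.blocked.append((step.step_id, reason))
        else:
            fb.allowed.append(step.step_id)
    return fb


# Constructed sample identities and remediation steps.
READER = Identity("soar-reader", "read-only", "static")
REMEDIATOR = Identity("soar-remediate", "remediation", "vault")

SAMPLE_STEPS = [
    Step("s1", "lookup_ip_reputation", {"ip": "203.0.113.10"}, READER),
    Step("s2", "isolate_host", {"host": "ws-042", "asset_tag": "workstation"}, REMEDIATOR),
    Step("s3", "shutdown_host", {"host": "db-01", "asset_tag": "core"}, REMEDIATOR),
    Step("s4", "kill_process", {"host": "app-07", "process_tag": "core"}, REMEDIATOR),
    Step("s5", "isolate_host", {"host": "ws-043", "asset_tag": "workstation"}, READER),
]

if __name__ == "__main__":
    verdict = guardrail_check(SAMPLE_STEPS)
    print("allowed:", verdict.allowed)
    for step_id, reason in verdict.blocked:
        print(f"blocked {step_id}: {reason}")
```

The guardrail runs before any remediation step executes and returns a structured verdict rather than raising, so the orchestrator can hand the blocked list back to whoever owns the decision instead of silently dropping steps. Keeping the role check in the same pass means a remediation step submitted under the read-only identity is rejected for the same reason a forbidden action is: the playbook engine never gets to attempt it.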


  • 2.  Re: [cacao] (CACAO) for Cyber Security TC - Feedback

    Posted 01-20-2022 18:57
    Hi Vaman,

    Do you have any additional information you can share on these features you would like added?

    Bret

    On Jan 14, 2022, at 2:20 PM, Bret Jordan <bj@ctin.us> wrote:

    > Vaman,
    >
    > We are trying to understand how to add these features to CACAO. I know we have talked a bit about this before the holidays, but that was some time ago. Can you help us better understand through some examples and maybe some proposed descriptions? We have talked about these a few times as a TC, and I think we generally understand what you are looking for, but we want to make sure.
    >
    > Thanks,
    > Bret
    >
    > On Nov 4, 2021, at 11:43 AM, Vaman Amarjeet Gokuldas Kini <vkini@worldbankgroup.org> wrote:
    >
    >> Dear All,
    >>
    >> I am sorry for the delayed feedback. Sharing my thoughts on the content.
    >>
    >> While some of the facts might be covered by 2.1.3 Investigation playbook, I think most orgs would start their journey with enriching events. My suggestion would be to have a dedicated enrichment playbook which enriches the event.
    >>
    >> Another type of playbook that I would suggest is Guardrail/Safety. These need to be the ones that are hooked in when the remediation playbook is invoked and will have components of actions that never should be taken (shut down a core system, kill a core process on the host, etc.) and should generate feedback to the decision point in the OODA loop.
    >>
    >> In the portions where user/identity is defined (mainly in sec 6) it might be beneficial to also include the role of that identity. Often, we might want to only use a read-only role to pull data but a more powerful role (where the credential is taken from a vault) for a remediation action.
    >>
    >> Please let me know if this is helpful and I will find more time to contribute. I am in the process of setting up an internal process of SOAR use case management and find this document to be very helpful.
    >>
    >> Vaman Kini
    >> Senior Information Security Officer
    >> Office of Information Security
    >> Information and Technology Solutions
    >> E vkini@worldbankgroup.org