Forwarding to OpenC2 list since not everyone on Jyoti's email.
--
Duncan Sparrell
sFractal Consulting
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/
From: Jyoti Verma (jyoverma) <jyoverma@cisco.com>
Date: Wednesday, September 4, 2024 at 3:03 PM
To: David Lemire <david.lemire@hii-tsd.com>, duncan sfractal.com <duncan@sfractal.com>, Michael Rosa <mjrosa@cyber.nsa.gov>, Aleksandra Scalco <aleksandra.scalco.civ@mail.mil>, Alex Everett <alex.everett@unc.edu>, Anthony Librera <al8109@att.com>, Aviv Ron <rona@il.ibm.com>, Bill Trost <wt1354@att.com>, Chet Ensign <chet.ensign@oasis-open.org>, Chris Ricard <cricard@fsisac.us>, Christian Hunt <ch@ctin.us>, Christopher Robinson <cfr@ctin.us>, David Bizeul <david.bizeul@sekoia.com>, David Kemp <d.kemp@cyber.nsa.gov>, Drew Varner <drew.varner@ninefx.com>, Duane Skeen <duane.skeen@ngc.com>, James Crossland <James.Crossland@ngc.com>, Jane Ginn <jg@ctin.us>, Jason Callaway <jasoncallaway@google.com>, Jason Liu <jason.liu@ngc.com>, Lauri Korts-Pärn <lauri@cyberdefense.jp>, Marco Caselli <marco.caselli@siemens.com>, Michael Stair <ms1784@att.com>, Michelle Barry <mb8523@att.com>, Patrick Maroney <Patrick.Maroney@att.com>, Paul Patrick <ppatrick@darklight.ai>, Randall Sharo <randall.sharo@navy.mil>, Russ Warren <russell.warren@us.ibm.com>, Ryan Joyce <rjoyce@darklight.ai>, Stephanie Hazlewood <stephanie@ca.ibm.com>, Stephen Banghart <stephen.banghart@nist.gov>, Takahiro Kakumaru <kakumaru@nec.com>, Toby Considine <toby.considine@unc.edu>, Vasileios Mavroeidis <vasileim@ifi.uio.no>, Zachary Gorak <zgorak@everwatchsolutions.com>
Subject: Question regarding construction of an OpenC2 command
Changing the subject of the email to be more relevant.
Thanks,
Jyoti
From: Jyoti Verma (jyoverma) <jyoverma@cisco.com>
Date: Wednesday, September 4, 2024 at 12:01 PM
To: David Lemire <david.lemire@hii-tsd.com>, Duncan Sparrell <duncan@sfractal.com>, Michael Rosa <mjrosa@cyber.nsa.gov>, Aleksandra Scalco <aleksandra.scalco.civ@mail.mil>, Alex Everett <alex.everett@unc.edu>, Anthony Librera <al8109@att.com>, Aviv Ron <rona@il.ibm.com>, Bill Trost <wt1354@att.com>, Chet Ensign <chet.ensign@oasis-open.org>, Chris Ricard <cricard@fsisac.us>, Christian Hunt <ch@ctin.us>, Christopher Robinson <cfr@ctin.us>, David Bizeul <david.bizeul@sekoia.com>, David Kemp <d.kemp@cyber.nsa.gov>, Drew Varner <drew.varner@ninefx.com>, Duane Skeen <duane.skeen@ngc.com>, James Crossland <James.Crossland@ngc.com>, Jane Ginn <jg@ctin.us>, Jason Callaway <jasoncallaway@google.com>, Jason Liu <jason.liu@ngc.com>, Lauri Korts-Pärn <lauri@cyberdefense.jp>, Marco Caselli <marco.caselli@siemens.com>, Michael Stair <ms1784@att.com>, Michelle Barry <mb8523@att.com>, Patrick Maroney <Patrick.Maroney@att.com>, Paul Patrick <ppatrick@darklight.ai>, Randall Sharo <randall.sharo@navy.mil>, Russ Warren <russell.warren@us.ibm.com>, Ryan Joyce <rjoyce@darklight.ai>, Stephanie Hazlewood <stephanie@ca.ibm.com>, Stephen Banghart <stephen.banghart@nist.gov>, Takahiro Kakumaru <kakumaru@nec.com>, Toby Considine <toby.considine@unc.edu>, Vasileios Mavroeidis <vasileim@ifi.uio.no>, Zachary Gorak <zgorak@everwatchsolutions.com>
Subject: OpenC2 Working Mtg (1st Weds)
Hi there,
We are using an OpenC2 style format to express actions in the project that I am working on and I wanted to understand how to build a command that quarantines a file (identified by its sha256) on an endpoint (identified by its hostname). I have the file and the endpoint details and would like to capture all of them in the action. Below is what I have so far. I am struggling with how to include the details of the endpoint on which this action was taken.
"open_c2_coa": {
  "action": {
    "type": "deny"
  },
  "target": {
    "type": "sha256",
    "specifiers": " abcd1235"
  },
  "actuator": {
    "type": "endpoint.server",
    "specifiers": "Cisco Secure Endpoint"
  },
  "modifiers": {
    "response": "failed" // captures the action response
  }
}
Appreciate any pointers you can share.
From: calendar@lucidmeetings.com
When: 8:00 AM - 9:00 AM September 4, 2024
Subject: OpenC2 Working Mtg (1st Weds)
Location: Join the call using your web browser or SIP client, or dial-in: United States: 1 (415) 594-7873, United States: 1 (805) 309-5909, United States: 1 (415) 926-7799; Conference ID: 7061053; Your User ID: 430; https://meet.lucidmeetings.com/meeting_series/3449
Scheduling meetings for April - September 2024.
Or paste this link into your browser: https://meet.lucidmeetings.com/lucid/invite/3541261552143936