OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security

  • 1.  Variable assignment and post processing

    Posted 05-27-2025 18:08
    All,

    I have been thinking a lot about this topic and how best to solve it. We know that we can now call multiple commands and can easily pass data from one command into the next. But what we do not yet have is a way to get data into a specific form / type for further processing.

    Example

    HTTP cmd1: Download STIX bundle, results are in uuid1.body:value
    SSH cmd2: Pass data to SSH command to extract IP address IOCs, results are in uuid2.stdout:value

    Now, this is just a long list of data in a string. We probably need to get this into a variable of type list where the value is an ipv4-addr so that a future command can iterate over each entry in the list.

    I am thinking this should just be another command type.  

    Bret


  • 2.  RE: Variable assignment and post processing

    Posted 05-27-2025 20:53
    Bret et al - Ignoring CACAO for a second, how one would do this in a programming language is pass the output from the 1st command (e.g. HTTP in your example) to the 2nd command as input using a data processing step that manipulates the information into the correct representation required for the 2nd command.

    For me, this is what we had discussed as part of the variable assignment infrastructure we previously discussed and suggested where you could pass one variable content (containing the raw data) via a data processing step (sed, grep....etc) into another data format.

    This is also akin to command chaining that often can be seen in Unix command shells. 

    With all this said, don't we already have the ability to pass data via a variable to a command such as sed or grep or similar and then get the resultant output back from that command? 

    I would also argue this was exactly why we wanted to show an example of using a LLM to get results and then return the output in a subsequent desired output. We agreed on the call that LLM integration could be achieved by just sequencing the prompts and results to the LLM via HTTP use of the LLM API.

    So I'm not sure why you think we are missing a command type given this?

    I think it would be good to show examples of this in the spec but I don't think we need a new command.

    Allan


  • 3.  RE: Variable assignment and post processing

    Posted 05-28-2025 11:07
    The problem is not passing data from one command to the next. That works with the new design we have. The problem is taking output from the parsing command that comes in the form of STDOUT that is of type string and put it into a variable of type list so that a future foreach command can process that list. Here is a real example:

    {
      "type": "playbook",
      "spec_version": "cacao-3.0",
      "id": "playbook--cfa3e792-c401-4f14-9ad5-6c67c110eb1f",
      "playbook_processing_summary": {},
      "workflow": {
        "action--6b3eab7d-a04e-4589-9ad4-5980c5012ef1": {
          "type": "action",
          "name": "Action Step IOC Example",
          "description": "Example of an action step to process IOCs from STIX Bundle.",
          "commands": [
            {
              "type": "http",
              "id": "http--774fde64-1264-4612-8399-6ca6a2686d9f",
              "description": "Get STIX bundle from a TAXII server.",
              "command": "GET /api1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/objects/ HTTP/1.1",
              "headers": {
                "Accept": [
                  "application/taxii+json;version=2.1"
                ],
                "Host": [
                  "example.com"
                ],
                "User-Agent": [
                  "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/109.0.0.0 Safari/537.36"
                ]
              }
            },
            {
              "type": "ssh",
              "id": "ssh--d4e74a0e-a3b5-47df-853e-66c11cfcc7c8",
              "description": "Parse STIX bundle to get just list of IP addresses",
              "command": "parse_bundle.sh -f __http--774fde64-1264-4612-8399-6ca6a2686d9f.body__:value"
            }
          ]
        }
      }
    }

    Now the question is, how do I take the data from the SSH command that can be accessed via the following dynamic variable that is of type string:

    __ssh--d4e74a0e-a3b5-47df-853e-66c11cfcc7c8.stdout__:value

    and put that into a variable in CACAO that is of type list so that it can be used by a foreach statement later? We currently have no way to say that a command will return a different type or have a way of passing a variable to a command to have it populate it. 

    I hope this helps clear up where I am stuck.

    Bret
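    What the parse step in the playbook above would actually have to do, as an added example that is not part of the original post and not code from any CACAO implementation: a Python stand-in for the hypothetical parse_bundle.sh that pulls IPv4 values out of a STIX 2.1 bundle (from ipv4-addr observables and from equality comparisons inside indicator patterns) and emits them one per line. That newline-delimited text is exactly the untyped string that later lands in the ssh command's stdout dynamic variable. The bundle is constructed inline; the TAXII fetch is not reproduced, and the function and object names are assumptions.

```python
import json
import re

# Constructed sample STIX 2.1 bundle (not taken from the original post): one ipv4-addr
# SCO, one indicator whose pattern references two IPv4 values (one a duplicate of the
# SCO), and one domain-name object that must be ignored.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "ipv4-addr", "spec_version": "2.1",
         "id": "ipv4-addr--00000000-0000-4000-8000-000000000002",
         "value": "203.0.113.10"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2025-05-27T00:00:00Z"},
        {"type": "domain-name", "spec_version": "2.1",
         "id": "domain-name--00000000-0000-4000-8000-000000000004",
         "value": "example.com"},
    ],
})

# Equality comparisons on ipv4-addr:value inside a STIX pattern; whitespace-tolerant.
_PATTERN_IPV4 = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")


def extract_ipv4_addrs(bundle_json: str) -> list[str]:
    """Return the distinct IPv4 values in a STIX 2.1 bundle, in first-seen order.

    Sources: ipv4-addr SCOs and equality comparisons in STIX-pattern indicators.
    Values are returned as written, so a CIDR block such as 203.0.113.0/24 survives.
    """
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    seen: dict[str, None] = {}  # insertion-ordered set
    for obj in bundle.get("objects", []):
        if obj.get("type") == "ipv4-addr" and "value" in obj:
            seen.setdefault(obj["value"], None)
        elif obj.get("type") == "indicator" and obj.get("pattern_type", "stix") == "stix":
            for value in _PATTERN_IPV4.findall(obj.get("pattern", "")):
                seen.setdefault(value, None)
    return list(seen)


def parse_bundle(bundle_json: str) -> str:
    """What a parse_bundle.sh-style step would write to stdout: one address per line,
    trailing newline included. This is the string the ssh dynamic variable would hold."""
    return "\n".join(extract_ipv4_addrs(bundle_json)) + "\n"


if __name__ == "__main__":
    print(parse_bundle(SAMPLE_BUNDLE), end="")
```

    Note that the SCO and the indicator both carry 203.0.113.10, so deduplication happens here rather than in every downstream foreach.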


  • 4.  RE: Variable assignment and post processing

    Posted 05-28-2025 13:35
    Got it.

    Programming languages have type casting for this purpose. I prefer explicit type casting rather than implicit to avoid any ambiguity or unintended outcomes.

    For example, python (or pick your favorite programming language) has the following list of explicit type conversion methods:

    Explicit Type Casting
    Explicit type casting, also known as type casting, requires the programmer to manually convert a data type using built-in functions. This is useful when you need a variable to be of a specific type for further operations.
    • int(): Converts a value to an integer.
    • float(): Converts a value to a floating-point number.
    • str(): Converts a value to a string.
    • bool(): Converts a value to a boolean.
    • list(), tuple(), set(), dict(): Convert to list, tuple, set, and dictionary types, respectively.
    Examples:

    a = "123"
    b = int(a)  # convert string to integer
    print(b)
    print(type(b))

    c = 3.14
    d = int(c)  # convert float to integer (truncates decimal part)
    print(d)
    print(type(d))

    e = 42
    f = str(e)  # convert integer to string
    print(f)
    print(type(f))

    g = 0
    h = bool(g)  # convert integer to boolean
    print(h)
    print(type(h))

    So I would suggest rather than introducing a new command per se I would add explicit type conversion methods supported by CACAO natively that an orchestration system would be required to support type conversion of variables if used in a playbook.

    So for your problem example.....

    __ssh--d4e74a0e-a3b5-47df-853e-66c11cfcc7c8.stdout__:list(value)

    Or similar syntax to indicate you are taking the value of the stdout from ssh and returning a list converted from the string.

    Regards

    Allan


  • 5.  RE: Variable assignment and post processing

    Posted 05-28-2025 14:16
    That is a good idea. I do not think we would want to try and cast the data into the dynamic variable as that is a defined type. But I think this would work into a new variable. Maybe something like:

    {
      "type": "playbook",
      "spec_version": "cacao-3.0",
      "id": "playbook--cfa3e792-c401-4f14-9ad5-6c67c110eb1f",
      "playbook_processing_summary": {},
      "workflow": {
        "action--6b3eab7d-a04e-4589-9ad4-5980c5012ef1": {
          "type": "action",
          "name": "Action Step IOC Example",
          "description": "Example of an action step to process IOCs from STIX Bundle.",
          "commands": [
            {
              "type": "http",
              "id": "http--774fde64-1264-4612-8399-6ca6a2686d9f",
              "description": "Get STIX bundle from a TAXII server.",
              "command": "GET /api1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/objects/ HTTP/1.1",
              "headers": {
                "Accept": [
                  "application/taxii+json;version=2.1"
                ],
                "Host": [
                  "example.com"
                ],
                "User-Agent": [
                  "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/109.0.0.0 Safari/537.36"
                ]
              }
            },
            {
              "type": "ssh",
              "id": "ssh--d4e74a0e-a3b5-47df-853e-66c11cfcc7c8",
              "description": "Parse STIX bundle to get just list of IP addresses",
              "command": "parse_bundle.sh -f __http--774fde64-1264-4612-8399-6ca6a2686d9f.body__:value"
            },
            {
              "type": "assignment",
              "id": "assignment--d4e74a0e-a3b5-47df-853e-66c11cfcc7c8",
              "description": "Convert and map data into a new variable.",
              "variable_assignments": [
                {
                  "name": "__new_variable_list_of_ip_addresses__",
                  "data": "__ssh--d4e74a0e-a3b5-47df-853e-66c11cfcc7c8.stdout__:value",
                  "modifier": "convert_to_list"
                }
              ]
            }
          ]
        }
      }
    }

    This would then let you use this new variable in your foreach statement as:

    __new_variable_list_of_ip_addresses__:value

    So this does have a new command type, one called assignment. This does two things. 
    1. It solves the type casting problem (but we need a list of all of the types of type casting we want to support)
    2. Provides a solution if you want or need to map the data in a dynamic variable to a different variable name or to a global variable.

    Thoughts? Other ideas?

    Bret


  • 6.  RE: Variable assignment and post processing

    Posted 05-28-2025 14:26
    Again I'm thinking about how this impacts playbook creators and the number of steps they have to do to create playbooks. 

    By introducing this assignment step you are forcing a programmer to introduce a new variable to handle the new type (output from the conversion) for no good reason. 

    If you want a variable to be a list then being able to define an easy conversion from the output of a command into that variable directly using a native operator method is the most optimal and will make it much easier for programmers to do what they want quickly.

    Otherwise programmers have to define one variable to handle the original returned string (or original type) and then introduce a new variable for the resultant converted type (e.g. list or bool or whatever).

    This is verbose and unnecessary if CACAO just allowed native type conversion on command values as I had proposed in my 1st email.

    We need to make sure its easy to use for programmers defining playbooks.

    Allan
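    Added example, not from the thread and not code from any CACAO orchestrator: a Python sketch of how an orchestrator could support both proposals at once, the assignment command with a modifier from message 5 and the inline conversion syntax (list(value)) from message 6. The reference grammar, the conversion names, the variable-table layout and the demo function are assumptions made for this example; the sample stdout is constructed. The conversion that matters for this thread, string to list of ipv4-addr, validates every line so a later foreach never iterates over parser garbage, and the bool conversion is explicit so that the text "false" does not become True the way Python's bool("false") would.

```python
import ipaddress
import re

# Reference grammar assumed for this example (not spec text):
#   __<name>__:<field>            read a field of a variable, e.g. ...stdout__:value
#   __<name>__:<conv>(<field>)    read the field and apply an explicit conversion
# Names may contain '-' and '.', so __ssh--d4e7....stdout__ parses as one name.
_REF = re.compile(
    r"^__(?P<name>[A-Za-z0-9_.-]+)__:"
    r"(?:(?P<conv>[a-z0-9_]+)\((?P<inner>[a-z_]+)\)|(?P<field>[a-z_]+))$"
)


def to_list(raw: str) -> list[str]:
    """string -> list: one element per non-blank line, surrounding whitespace removed."""
    return [line.strip() for line in raw.splitlines() if line.strip()]


def to_ipv4_list(raw: str) -> list[str]:
    """string -> list of ipv4-addr values; rejects any line that is not an IPv4
    address or CIDR block instead of silently passing it on to a foreach."""
    result = []
    for item in to_list(raw):
        try:
            ipaddress.IPv4Network(item, strict=False)
        except ValueError as exc:
            raise ValueError(f"not an ipv4-addr: {item!r}") from exc
        result.append(item)
    return result


def to_bool(raw: str) -> bool:
    """Explicit, unambiguous string -> bool; unlike Python's bool(), 'false' is False."""
    lowered = raw.strip().lower()
    if lowered in ("true", "1"):
        return True
    if lowered in ("false", "0"):
        return False
    raise ValueError(f"not a boolean literal: {raw!r}")


# Conversions an orchestrator would be required to support, keyed both by the inline
# conversion name (list(value)) and by the assignment-command modifier (convert_to_list).
CONVERSIONS = {
    "list": to_list, "convert_to_list": to_list,
    "ipv4_list": to_ipv4_list, "convert_to_ipv4_list": to_ipv4_list,
    "int": lambda s: int(s.strip(), 10), "convert_to_int": lambda s: int(s.strip(), 10),
    "bool": to_bool, "convert_to_bool": to_bool,
}


def resolve(ref: str, variables: dict) -> object:
    """Resolve a reference against `variables`, a dict of name -> {"type": ..., "value": ...}."""
    m = _REF.match(ref)
    if m is None:
        raise ValueError(f"malformed variable reference: {ref!r}")
    var = variables[m["name"]]  # KeyError if the producing command never ran
    if m["conv"] is None:
        return var[m["field"]]
    return CONVERSIONS[m["conv"]](var[m["inner"]])


def apply_assignment(command: dict, variables: dict) -> dict:
    """Execute an assignment command of the shape proposed in message 5: each entry
    reads `data`, applies `modifier` if present, and stores the result under `name`
    with the type the conversion produced. Returns the updated variable table."""
    if command.get("type") != "assignment":
        raise ValueError("not an assignment command")
    for entry in command["variable_assignments"]:
        name = entry["name"]
        if not (name.startswith("__") and name.endswith("__")):
            raise ValueError(f"variable names must be wrapped in __: {name!r}")
        value = resolve(entry["data"], variables)
        modifier = entry.get("modifier")
        if modifier is not None:
            value = CONVERSIONS[modifier](value)
        vtype = {list: "list", bool: "bool", int: "integer"}.get(type(value), "string")
        variables[name[2:-2]] = {"type": vtype, "value": value}
    return variables


# Constructed stdout as a parser step might leave it: trailing newline plus a blank line.
SAMPLE_STDOUT = "203.0.113.10\n198.51.100.7\n\n"


def demo() -> list[str]:
    """Run the thread's example both ways and return the resulting typed list."""
    ssh_var = "ssh--d4e74a0e-a3b5-47df-853e-66c11cfcc7c8.stdout"
    variables = {ssh_var: {"type": "string", "value": SAMPLE_STDOUT}}
    command = {
        "type": "assignment",
        "id": "assignment--d4e74a0e-a3b5-47df-853e-66c11cfcc7c8",
        "variable_assignments": [{
            "name": "__new_variable_list_of_ip_addresses__",
            "data": f"__{ssh_var}__:value",
            "modifier": "convert_to_ipv4_list",
        }],
    }
    apply_assignment(command, variables)
    # Message 6's inline form yields the same typed list without the extra variable.
    inline = resolve(f"__{ssh_var}__:ipv4_list(value)", variables)
    assert inline == variables["new_variable_list_of_ip_addresses"]["value"]
    return variables["new_variable_list_of_ip_addresses"]["value"]


if __name__ == "__main__":
    print(demo())
```

    Whichever syntax the spec settles on, the conversion table is the part that needs to be enumerated and agreed, since it is what every conforming orchestrator has to implement identically.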
