All,
I have been thinking about the problem of needing to do preprocessing of data before it can be assigned to a variable in CACAO.
Meaning, you run a command and it returns a STIX Bundle, but all I really care about out of this STIX Bundle is a list of IP addresses that are indicators of some botnet. How do I encode that in my playbook?
Well right now, you cannot. But it seems like we should have a way of doing this. This is also an issue that Luca has brought forth. I think there are a lot of options here. One is to have a registry of modules that can do the translation. Basically take a certain type of input and spit out something that you can use.
I really worry about trying to build a lot of complicated functionality into the spec as I worry that it may make things really brittle. But if there was a module repository, maybe that could be really helpful. Dunno. Maybe this is not a good idea. But I am trying to bounce around different solutions for how to address this.
Bret
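The kind of translation module Bret sketches, as an added example that is not part of the original thread: it takes a STIX bundle and returns only the IPv4 addresses its indicator patterns name, ready to assign to a playbook variable. The bundle is constructed, and the variable shape (a double-underscore name with type/value/constant fields) is an assumption about CACAO, not something taken from the message.

```python
import ipaddress
import json
import re

# Constructed sample STIX 2.1 bundle (not from the original post); ids are
# placeholder UUIDs. It mixes IPv4 indicators, a domain indicator, a
# malformed address and a bare ipv4-addr observable so the filter has
# things to keep and things to drop.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000001",
         "pattern_type": "stix", "labels": ["botnet-c2"],
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000002",
         "pattern_type": "stix", "labels": ["botnet-c2"],
         "pattern": "[domain-name:value = 'c2.example.invalid']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000003",
         "pattern_type": "stix", "labels": ["scanner"],
         "pattern": "[ipv4-addr:value = '203.0.113.9'] OR [ipv4-addr:value = '999.1.1.1']"},
        {"type": "ipv4-addr", "id": "ipv4-addr--11111111-1111-4111-8111-000000000004",
         "value": "192.0.2.44"},
    ],
})

# Equality comparisons only: '!=' and 'NOT =' do not match this regex, so a
# negated indicator never ends up in the extracted list.
IPV4_EQUALS = re.compile(r"ipv4-addr:value\s*=\s*'([^']*)'")


def extract_ipv4_indicators(bundle_json, required_label=None):
    """Return the sorted, de-duplicated IPv4 addresses that STIX indicator
    patterns in the bundle compare ipv4-addr:value against (equality only).
    Non-indicator objects and non-STIX pattern types are ignored; values
    that are not valid IPv4 addresses are dropped rather than passed on."""
    found = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if required_label and required_label not in obj.get("labels", []):
            continue
        for raw in IPV4_EQUALS.findall(obj.get("pattern", "")):
            try:
                found.add(ipaddress.IPv4Address(raw))
            except ValueError:
                continue  # malformed value inside the pattern, skip it
    return [str(ip) for ip in sorted(found)]


def as_cacao_variable(name, ips):
    """Shape the result for a playbook variable. The type/value/constant
    field names are an assumption about the CACAO variable object, and the
    comma-joined value is this example's own convention."""
    return {name: {"type": "ipv4-addr", "value": ",".join(ips), "constant": False}}
```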