OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Secu

Re: [cacao] Playbook Types

  • 1.  Re: [cacao] Playbook Types

    Posted 11-02-2022 20:50
    I support this proposal. To several people’s point on default – I agree with the proposal that ‘is_executable’ default to false.

    Getting into the subjective ‘which will occur more’ is both futurecasting as well as perspective. I do agree that, for the use cases I foresee, templates are the most likely playbook to be shared across org boundaries and between systems. But I think ‘false’ should be the default even if people think ‘executable’ playbooks are the more common case.

    --
    Duncan Sparrell
    sFractal Consulting
    iPhone, iTypo, iApologize
    I welcome VSRE emails. Learn more at http://vsre.info/

    From: cacao@lists.oasis-open.org <cacao@lists.oasis-open.org> on behalf of Bret Jordan <jordan.oasisopen@gmail.com>
    Date: Wednesday, November 2, 2022 at 4:16 PM
    To: Mateusz Zych <mateusdz@ifi.uio.no>
    Cc: cacao@lists.oasis-open.org <cacao@lists.oasis-open.org>
    Subject: Re: [cacao] Playbook Types

    I support this proposal too. I think the majority will honestly be templates. So something like is_executable is probably correct and a default of false is probably good.

    Bret

    On Wed, Nov 2, 2022 at 2:29 PM Mateusz Zych <mateusdz@ifi.uio.no> wrote:

    Hi All,

    I agree and support this proposal.

    Best,
    Mateusz Zych

    On 2 Nov 2022, at 16:52, aa tt <atcyber1000@gmail.com> wrote:

    Rich et al - I’m supportive of this change provided the proposed text to explain the template concept vs executable is updated to describe the use of this new property.

    I assume this property would be required (?) and therefore we should decide what the default value (false) would indicate. I suggest that the default value should be the likely majority playbook class/category.

    So if most playbooks will be templates then is_executable would be a good name and default to false.

    If most playbooks would be executable then is_template might be better to name the property and that way the default value of false would work nicely.

    Allan

    On Nov 2, 2022, at 6:47 AM, Rich Piazza <rpiazza@mitre.org> wrote:

    Hi All,

    On the working call yesterday there was a discussion about section 1.3 of the CACAO working document. Some of the important points:

      • The difference between an executable playbook and a playbook template is mostly subjective. There are suggestions to the text to help clarify this.
      • There is no difference between an executable playbook and a playbook template in terms of their properties
      • The term playbook class is confusing, since it is specified using the type property of a playbook.

    A suggested proposal is to remove the concept of playbook classes, and replace it by a new Boolean property, maybe called “is_executable”, to differentiate between executable playbooks and playbook templates.

    Rich

    --
    Rich Piazza
    Lead Cyber Security Engineer
    The MITRE Corporation
    781-271-3760
    ––––––––––––––––––––––––––––––––––––
    MITRE - Solving Problems for a Safer World™