OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Secu

  • 1.  RE: [EXT] [cacao] Playbook Functionalities

    Posted 11-19-2022 23:00




    Bret,
    I think this looks great. I think a dictionary works well and that it's a good idea to tie together functionalities and types.

    I agree that we might want to change the property name. I like "playbook_characteristics" or maybe "playbook_attributes."
    Dez
     

    From: cacao@lists.oasis-open.org <cacao@lists.oasis-open.org>
    On Behalf Of Bret Jordan
    Sent: Saturday, November 19, 2022 10:22 AM
    To: cacao@lists.oasis-open.org
    Subject: [EXT] [cacao] Playbook Functionalities

     

    All,

     


    Based on the proposal from Marlon, which several people have supported, we have the following:


     


    playbook_types is optional with a normative SHOULD use

    playbook_functionalities is optional with a normative SHOULD use & a normative MUST use if playbook_types is used.


     


    This gives us potential of having something like:


     


    {
      "type": "playbook",
      "spec_version": "cacao-1.1",
      "id": "playbook--91220064-3c6f-4b58-99e9-196e64f9bde7",
      "name": "Find Malware FuzzyPanda",
      "description": "This playbook will look for FuzzyPanda on the network and in a SIEM",
      "playbook_types": ["investigation", "detection"],
      "playbook_functionalities": ["analyze-collected-data", "identify-indicators", "scan-system"],


    ....


    }


     


    I am wondering if playbook_types and playbook_functionalities should be combined to something like:


     



    {
      "type": "playbook",
      "spec_version": "cacao-1.1",
      "id": "playbook--91220064-3c6f-4b58-99e9-196e64f9bde7",
      "name": "Find Malware FuzzyPanda",
      "description": "This playbook will look for FuzzyPanda on the network and in a SIEM",
      "playbook_types": {


        "investigation": ["analyze-collected-data", "identify-indicators"],


        "detection": ["scan-system"]


      },
    ....


    }



     


    I basically changed playbook_types from a list to a dictionary. Would something like this help?


     


    And if we do not like the playbook_types name with the combined data it could be changed to something else. Maybe characteristics or something.  Dez, Rich, Marlon?  Do we want to try and tie the functionalities to the type being used?


     


    Bret
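    An added example, not code from the thread or the CACAO spec: a checker for the two normative rules listed above (playbook_types SHOULD; playbook_functionalities SHOULD, and MUST when playbook_types is present) plus a converter from the proposed dictionary form back to the two flat lists, which shows what the flat form cannot record. The allowed vocabularies are a constructed subset, not the spec's open vocabularies.

```python
# Added example, not code from the thread or the CACAO spec. The allowed
# vocabularies are a constructed subset used only for this check.
PLAYBOOK_TYPES = {"investigation", "detection", "mitigation"}
FUNCTIONALITIES = {"analyze-collected-data", "identify-indicators", "scan-system"}


def check_flat(pb):
    """Two-property rules: playbook_types optional (SHOULD); playbook_functionalities
    optional (SHOULD) but MUST be present when playbook_types is. -> (errors, warnings)"""
    errors, warnings = [], []
    types = pb.get("playbook_types")
    funcs = pb.get("playbook_functionalities")
    if types is None:
        warnings.append("playbook_types SHOULD be present")
    if funcs is None and types is None:
        warnings.append("playbook_functionalities SHOULD be present")
    elif funcs is None:
        errors.append("playbook_functionalities MUST be present when playbook_types is used")
    errors += [f"unknown playbook type {v!r}" for v in types or [] if v not in PLAYBOOK_TYPES]
    errors += [f"unknown functionality {v!r}" for v in funcs or [] if v not in FUNCTIONALITIES]
    return errors, warnings


def combined_to_flat(pb):
    """Turn the proposed dictionary form ({type: [functionalities]}) into the two
    flat lists (first-seen order, no repeats). Which type used which
    functionality is lost: the flat form does not record that."""
    flat = {k: v for k, v in pb.items() if k != "playbook_types"}
    mapping = pb.get("playbook_types", {})
    flat["playbook_types"] = list(mapping)
    funcs = []
    for lst in mapping.values():
        for f in lst:
            if f not in funcs:
                funcs.append(f)
    flat["playbook_functionalities"] = funcs
    return flat


# Constructed sample in the combined form from the thread.
COMBINED = {
    "type": "playbook", "spec_version": "cacao-1.1",
    "id": "playbook--91220064-3c6f-4b58-99e9-196e64f9bde7",
    "name": "Find Malware FuzzyPanda",
    "playbook_types": {
        "investigation": ["analyze-collected-data", "identify-indicators"],
        "detection": ["scan-system"],
    },
}

if __name__ == "__main__":
    print(check_flat(combined_to_flat(COMBINED)))  # ([], [])
```

    Note that the flat checker places no constraint between the types and the functionalities listed, so a playbook tagged only "mitigation" that lists detection functionalities passes unchanged.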


     








  • 2.  Re: [cacao] RE: [EXT] [cacao] Playbook Functionalities

    Posted 11-19-2022 23:02
    I had a proposal for a name in the metadata doc that was getting added.

    Allan


  • 3.  Re: [cacao] RE: [EXT] [cacao] Playbook Functionalities

    Posted 11-20-2022 02:12
    So Question 1: Do we like combining these two properties together at the playbook level? Dez said she likes it. What about others?

    - To be clear, I am not sure we would do this at the command level, but I would be open to ideas there.

    Question 2: what about a name for that property? The three we have are:

    playbook_activities (proposed by Allan in his document)

    playbook_attributes

    playbook_characteristics

    If we do not combine them at the command level, we would still need a property name for it there.

    Bret


  • 4.  Re: [cacao] [EXT] [cacao] Playbook Functionalities

    Posted 11-21-2022 10:07



    I would go for "playbook_activities".

    "playbook_characteristics" sounds/reads broader and could be used to accommodate more of the existing metadata.

    The hybrid version looks good, but using it might be more challenging. I have the same opinion about mapping functionalities to specific types. A "mitigation playbook" may perform detection and investigation activities before executing the mitigation procedure,
    but you may want to tag it only as "mitigation". A loose approach fits better, meaning the one that already exists in the spec.


    -Vasileios



  • 5.  Re: [cacao] [EXT] [cacao] Playbook Functionalities

    Posted 11-21-2022 15:19
    Okay, so what I think you are saying is to keep them as two separate properties.

    Bret