diff --git a/README.md b/README.md
index 1f2697e..7452306 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ for a specific attribute.
 * [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
 * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency.
 * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases.
+* [objects/course-of-action](objects/course-of-action/definition.json) - An object describing a Course of Action.
 * [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions.
 * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
 * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
diff --git a/objects/course-of-action/definition.json b/objects/course-of-action/definition.json
new file mode 100644
index 0000000..ee5b157
--- /dev/null
+++ b/objects/course-of-action/definition.json
@@ -0,0 +1,104 @@
+{
+ "requiredOneOf": [
+ "name",
+ "type"
+ ],
+ "attributes": {
+ "name": {
+ "description": "The name used to identify the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "type": {
+ "description": "The type of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "Perimeter Blocking",
+ "Internal Blocking",
+ "Redirection",
+ "Redirection (Honey Pot)",
+ "Hardening",
+ "Patching",
+ "Eradication",
+ "Rebuilding",
+ "Training",
+ "Monitoring",
+ "Physical Access Restrictions",
+ "Logical Access Restrictions",
+ "Public Disclosure",
+ "Diplomatic Actions",
+ "Policy Actions",
+ "Other"
+ ]
+ },
+ "description": {
+ "description": "A description of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "objective": {
+ "description": "The objective of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "stage": {
+ "description": "The stage of the threat management lifecycle that the course of action is applicable to.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "Remedy",
+ "Response"
+ ]
+ },
+ "cost": {
+ "description": "The estimated cost of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "High",
+ "Medium",
+ "Low",
+ "None",
+ "Unknown"
+ ]
+ },
+ "impact": {
+ "description": "The estimated impact of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "High",
+ "Medium",
+ "Low",
+ "None",
+ "Unknown"
+ ]
+ },
+ "efficacy": {
+ "description": "The estimated efficacy of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "High",
+ "Medium",
+ "Low",
+ "None",
+ "Unknown"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "An object describing a specific measure taken to prevent or respond to an attack.",
+ "meta-category": "misc",
+ "uuid": "3d1c2c06-68a9-4394-8c8d-258d115f796f",
+ "name": "course-of-action"
+}
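Review bot: The `stage`, `cost`, `impact` and `efficacy` attributes publish what look like closed vocabularies through `sane_default`, which in the object-template format only suggests values and still accepts arbitrary text, so any filter, export or automation keyed on these fields cannot rely on the listed values. If the lists are meant to be closed, use `values_list` on those four attributes instead, e.g. `"values_list": ["Remedy", "Response"]` for `stage`, and keep `sane_default` on `type`, whose list already ends in "Other". Separately, the README entry reads "An object describing a Course of Action." while the template's own top-level `description` is "An object describing a specific measure taken to prevent or respond to an attack."; using the same sentence in both places avoids the two drifting apart.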