From 05873aefaf4bb9bca363164856b190a775995841 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Wed, 11 Apr 2018 16:48:05 +0200
Subject: [PATCH 1/2] Course of Action object
---
 objects/course-of-action/definition.json | 104 +++++++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 objects/course-of-action/definition.json
diff --git a/objects/course-of-action/definition.json b/objects/course-of-action/definition.json
new file mode 100644
index 0000000..ee5b157
--- /dev/null
+++ b/objects/course-of-action/definition.json
@@ -0,0 +1,104 @@
+{
+ "requiredOneOf": [
+ "name",
+ "type"
+ ],
+ "attributes": {
+ "name": {
+ "description": "The name used to identify the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "type": {
+ "description": "The type of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "Perimeter Blocking",
+ "Internal Blocking",
+ "Redirection",
+ "Redirection (Honey Pot)",
+ "Hardening",
+ "Patching",
+ "Eradication",
+ "Rebuilding",
+ "Training",
+ "Monitoring",
+ "Physical Access Restrictions",
+ "Logical Access Restrictions",
+ "Public Disclosure",
+ "Diplomatic Actions",
+ "Policy Actions",
+ "Other"
+ ]
+ },
+ "description": {
+ "description": "A description of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "objective": {
+ "description": "The objective of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "stage": {
+ "description": "The stage of the threat management lifecycle that the course of action is applicable to.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "Remedy",
+ "Response"
+ ]
+ },
+ "cost": {
+ "description": "The estimated cost of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "High",
+ "Medium",
+ "Low",
+ "None",
+ "Unknown"
+ ]
+ },
+ "impact": {
+ "description": "The estimated impact of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "High",
+ "Medium",
+ "Low",
+ "None",
+ "Unknown"
+ ]
+ },
+ "efficacy": {
+ "description": "The estimated efficacy of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "High",
+ "Medium",
+ "Low",
+ "None",
+ "Unknown"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "An object describing a specific measure taken to prevent or respond to an attack.",
+ "meta-category": "misc",
+ "uuid": "3d1c2c06-68a9-4394-8c8d-258d115f796f",
+ "name": "course-of-action"
+}
From aa9574cfa90d95e32d7b0abbe6e1ac6c4ad12e3f Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Wed, 11 Apr 2018 16:53:15 +0200
Subject: [PATCH 2/2] add: Course of action description added in readme
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 1f2697e..7452306 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ for a specific attribute.
 * [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
 * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency.
 * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases.
+* [objects/course-of-action](objects/course-of-action/definition.json) - An object describing a Course of Action.
 * [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions.
 * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
 * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
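Review bot: In objects/course-of-action/definition.json, `stage`, `cost`, `impact` and `efficacy` each carry a short, apparently closed vocabulary but declare it as `sane_default`, which in MISP object templates only suggests values and still accepts arbitrary text. If these sets are meant to be exhaustive (the High/Medium/Low/None/Unknown scale looks like it is), `values_list` would keep analyst input consistent so that recorded courses of action can be filtered, compared and exported reliably, e.g. `"values_list": ["High", "Medium", "Low", "None", "Unknown"]`. `type` ends in "Other", so `sane_default` seems the right choice there. Separately, every attribute is given `"ui-priority": 0`; setting `"ui-priority": 1` on `name` (one of the two `requiredOneOf` fields) would surface it first when the object is created.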