MISP
/
misp-objects
mirror of https://github.com/MISP/misp-objects
2
0
Fork 0
Code Issues Releases Wiki Activity

Update definition.json 

Found the issue and updated the playbook-id attribute. It is not required anymore. We should not dictate producers generating this property since it can be used to correlate playbooks. The use case is: If we have a cacao playbook attached then we could have the UUIDV4 extracted from the "attachment" and put at the MISP security-playbook object attribute "playbook-id". Correlation is enabled if another security playbook object follows the same process while attaching the same CACAO playbook. If the attached playbook is a png then there is no way to associate it again with another security playbook object that has the same png as an attachment as we cannot know that. That would be possible only if the attachment had a machine-readable identifier. Another use case is to generate a hash and attach it to a property, but let's leave that for the future and if it is never needed or appears as a use case. Long story short the pull request improves the semantics of the object and correlations of different security playbook objects :)
pull/369/head
Vasileios Mavroeidis 2022-08-24 18:44:11 +02:00 committed by GitHub
parent 66a9b8eee7
commit 2771e2681f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
objects/security-playbook/definition.json
View File

@ -53,7 +53,7 @@
"ui-priority": 1 "ui-priority": 1
}, },
"playbook-id": { "playbook-id": {
"description": "A value that uniquely identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value). If not, the producer MAY generate a unique identifier for the playbook.", "description": "A value that (uniquely) identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value) for correlation purposes.",
"disable_correlation": false, "disable_correlation": false,
"misp-attribute": "text", "misp-attribute": "text",
"ui-priority": 1 "ui-priority": 1
@ -134,9 +134,6 @@
"description": "The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.", "description": "The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.",
"meta-category": "misc", "meta-category": "misc",
"name": "security-playbook", "name": "security-playbook",
"required": [
"playbook-id"
],
"requiredOneOf": [ "requiredOneOf": [
"playbook-file", "playbook-file",
"playbook-base64" "playbook-base64"