From 0c54a39d376febd9c185a69b3d377a80505a42e2 Mon Sep 17 00:00:00 2001
From: Vasileios Mavroeidis <29202434+Vasileios-Mavroeidis@users.noreply.github.com>
Date: Wed, 18 May 2022 13:56:59 +0200
Subject: [PATCH 1/2] Update definition.json
The PR updates the security playbook object with improved semantics based on feedback we have received. The updated template has "one-to-one" mapping with the available STIX 2.1 ad-hoc extension for the COA SDO available here: https://github.com/fovea-research/stix2.1-coa-playbook-extension This research (updated version 3) was partially supported by the research projects CyberHunt (Grant No. 303585 - funded by the Research Council of Norway) and JCOP (Grant No. INEA/CEF/ICT/A2020/2373266 - funded by the European Health and Digital Executive Agency through the Connected Europe Facility program).
---
 objects/security-playbook/definition.json | 311 ++++++++++------------
 1 file changed, 134 insertions(+), 177 deletions(-)
diff --git a/objects/security-playbook/definition.json b/objects/security-playbook/definition.json
index c62b171..d3be4e0 100644
--- a/objects/security-playbook/definition.json
+++ b/objects/security-playbook/definition.json
@@ -1,189 +1,146 @@
 {
- "attributes": {
- "created": {
- "categories": [
- "Other"
- ],
- "description": "The time at which the playbook was originally created.",
- "disable_correlation": true,
- "misp-attribute": "datetime",
- "ui-priority": 1
+ "attributes":{
+ "description":{
+ "description":"An explanation, details, and more context about what this playbook does and tries to accomplish.",
+ "disable_correlation":true,
+ "misp-attribute":"text",
+ "ui-priority":1
 },
- "creator": {
- "categories": [
- "Other"
- ],
- "description": "The entity that created this playbook. It can be a natural person or an organization. It may be represented using an id that identifies the creator.",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 1
+ "playbook-id":{
+ "description":"A value that uniquely identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value). If not, the producer MAY generate a unique identifier for the playbook.",
+ "disable_correlation":false,
+ "misp-attribute":"text",
+ "ui-priority":1
 },
- "description": {
- "categories": [
- "Other"
- ],
- "description": "More details, context, and possibly an explanation about what this playbook does and tries to accomplish.",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 1
- },
- "id": {
- "categories": [
- "Other"
- ],
- "description": "A value that uniquely identifies the playbook.",
- "disable_correlation": false,
- "misp-attribute": "text",
- "ui-priority": 1
- },
- "impact": {
- "categories": [
- "Other"
- ],
- "description": "An integer that represents the impact the playbook has on the organization from 0 to 100. A value of 0 means specifically undefined. Values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive would have a low impact value of 1, whereas a playbook that performs changes such as adding rules into a firewall would have a higher impact value.",
- "disable_correlation": true,
- "misp-attribute": "counter",
- "ui-priority": 1
- },
- "label": {
- "categories": [
- "Other"
- ],
- "description": "An optional set of terms, labels or tags associated with this playbook (e.g., aliases of adversary groups or operations that this playbook is related to).",
- "disable_correlation": true,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 1
- },
- "modified": {
- "categories": [
- "Other"
- ],
- "description": "The time that this particular version of the playbook was last modified.",
- "disable_correlation": true,
- "misp-attribute": "datetime",
- "ui-priority": 1
- },
- "organization-type": {
- "categories": [
- "Other"
- ],
- "description": "Type of an organization, that the playbook is intended for. This can be an industry sector.",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 1
- },
- "playbook": {
- "categories": [
- "Payload delivery"
- ],
- "description": "The whole playbook in its native format (e.g., CACAO JSON). Producers and consumers of playbooks use this property to share and retrieve playbooks.",
- "misp-attribute": "attachment",
- "ui-priority": 1
- },
- "playbook-abstraction": {
- "categories": [
- "Other"
- ],
- "description": "Identifies the level of completeness of the playbook.",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 1,
- "values_list": [
- "guideline",
- "playbook template",
- "playbook",
- "partial workflow",
- "full workflow",
- "fully scripted"
- ]
- },
- "playbook-standard": {
- "categories": [
- "Other"
- ],
- "description": "Identification of the playbook standard.",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 1
- },
- "playbook-type": {
- "categories": [
- "Other"
- ],
- "description": "The security operational functions the playbook addresses. A playbook may account for multiple types (e.g., detection, investigation).",
- "disable_correlation": true,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 1,
- "values_list": [
- "notification playbook",
- "detection playbook",
- "investigation playbook",
- "prevention playbook",
- "mitigation playbook",
- "remediation playbook",
- "attack playbook"
- ]
- },
- "priority": {
- "categories": [
- "Other"
- ],
- "description": "An integer that represents the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Values range from 1, the highest priority, to a value of 100, the lowest.",
- "disable_correlation": true,
- "misp-attribute": "counter",
- "ui-priority": 1
- },
- "revoked": {
- "categories": [
- "Other"
- ],
- "description": "A boolean that identifies if the playbook creator deems that this playbook is no longer valid.",
- "disable_correlation": true,
- "misp-attribute": "boolean",
- "sane_default": [
+ "revoked":{
+ "description":"A boolean that identifies if the playbook is no longer valid (revoked).",
+ "disable_correlation":true,
+ "misp-attribute":"boolean",
+ "sane_default":[
 "True",
 "False"
 ],
- "ui-priority": 1
+ "ui-priority":1
 },
- "severity": {
- "categories": [
- "Other"
- ],
- "description": "A positive integer that represents the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Values range from 1, the lowest severity, to a value of 100, the highest.",
- "disable_correlation": true,
- "misp-attribute": "counter",
- "ui-priority": 1
+ "playbook-type":{
+ "description":"The security-related functions the playbook supports. A playbook may account for multiple types (e.g., detection and investigation). The listed options are based on the CACAO standard and NIST SP 800-61 rev2. Another option is to use MISP tags, taxonomies, and galaxies.",
+ "disable_correlation":true,
+ "misp-attribute":"text",
+ "multiple":true,
+ "ui-priority":1,
+ "values_list":[
+ "notification",
+ "detection",
+ "investigation",
+ "prevention",
+ "mitigation",
+ "remediation",
+ "analysis",
+ "containment",
+ "eradication",
+ "recovery",
+ "attack"
+ ]
 },
- "valid-from": {
- "categories": [
- "Other"
- ],
- "description": "The time from which the playbook is considered valid and the steps that it contains can be executed.",
- "disable_correlation": true,
- "misp-attribute": "datetime",
- "ui-priority": 1
+ "organization-type":{
+ "description":"The type of organization that the playbook is intended for. This can be an industry sector. Another option is to use MISP tags, taxonomies, and galaxies.",
+ "disable_correlation":true,
+ "misp-attribute":"text",
+ "multiple":true,
+ "ui-priority":1
 },
- "valid-until": {
- "categories": [
- "Other"
- ],
- "description": "The time at which this playbook should no longer be considered a valid playbook to be executed.",
- "disable_correlation": true,
- "misp-attribute": "datetime",
- "ui-priority": 1
+ "labels":{
+ "description":"Labels for this playbook (e.g., adversary persona names, associated groups, malware family/variant/name that this playbook is related to). Another option is to use MISP tags, taxonomies, and galaxies.",
+ "disable_correlation":true,
+ "misp-attribute":"text",
+ "multiple":true,
+ "ui-priority":1
+ },
+ "playbook-standard":{
+ "description":"The standard/format/notation the playbook conforms to (e.g., CACAO, BPMN).",
+ "disable_correlation":true,
+ "misp-attribute":"text",
+ "ui-priority":1
+ },
+ "playbook-abstraction":{
+ "description":"The playbook’s level of abstraction (with regards to consumption).",
+ "disable_correlation":true,
+ "misp-attribute":"text",
+ "ui-priority":1,
+ "values_list":[
+ "template",
+ "executable"
+ ]
+ },
+ "playbook-creator":{
+ "description":"The entity that created the playbook. It can be a natural person or an organization. It may be represented using a unique identifier that identifies the creator.",
+ "disable_correlation":true,
+ "misp-attribute":"text",
+ "ui-priority":1
+ },
+ "playbook-creation-time":{
+ "description":"The date and time at which the playbook was originally created.",
+ "disable_correlation":true,
+ "misp-attribute":"datetime",
+ "ui-priority":1
+ },
+ "playbook-modification-time":{
+ "description":"The date and time at which the playbook was last modified.",
+ "disable_correlation":true,
+ "misp-attribute":"datetime",
+ "ui-priority":1
+ },
+ "playbook-impact":{
+ "description":"From 0 to 100, a value representing the impact the playbook has on the organization. A value of 0 means specifically undefined. Impact values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive could have a low impact value of 1. In contrast, a playbook that performs changes such as adding rules into a firewall should have a higher impact value.",
+ "disable_correlation":true,
+ "misp-attribute":"text",
+ "ui-priority":1
+ },
+ "playbook-priority":{
+ "description":"From 0 to 100, a value representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Priority values range from 1, the highest priority, to a value of 100, the lowest.",
+ "disable_correlation":true,
+ "misp-attribute":"text",
+ "ui-priority":1
+ },
+ "playbook-severity":{
+ "description":"From 0 to 100, a value representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Severity values range from 1, the lowest severity, to a value of 100, the highest.",
+ "disable_correlation":true,
+ "misp-attribute":"text",
+ "ui-priority":1
+ },
+ "playbook-valid-from":{
+ "description":"The date and time from which the playbook is considered valid and the steps that it contains can be executed.",
+ "disable_correlation":true,
+ "misp-attribute":"datetime",
+ "ui-priority":1
+ },
+ "playbook-valid-until":{
+ "description":"The date and time from which the playbook should no longer be considered a valid playbook to be executed.",
+ "disable_correlation":true,
+ "misp-attribute":"datetime",
+ "ui-priority":1
+ },
+ "playbook-file":{
+ "description":"The entire playbook file/document in its native format (e.g., CACAO JSON or BPMN).",
+ "misp-attribute":"attachment",
+ "ui-priority":1
+ },
+ "playbook-base64":{
+ "description":"The entire playbook file/document encoded in base64.",
+ "misp-attribute":"text",
+ "ui-priority":1
 }
 },
- "description": "An object to manage, represent, and share course of action playbooks (security playbooks) for cyberspace defense.",
- "meta-category": "misc",
- "name": "security-playbook",
- "required": [
- "playbook",
- "playbook-standard",
- "playbook-type"
+ "description":"The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.",
+ "meta-category":"misc",
+ "name":"security-playbook",
+ "required":[
+ "playbook-id"
 ],
- "uuid": "48894c92-447b-4abe-b093-360c4d823e9d",
- "version": 2
-}
\ No newline at end of file
+ "requiredOneOf":[
+ "playbook-file",
+ "playbook-base64"
+ ],
+ "uuid":"48894c92-447b-4abe-b093-360c4d823e9d",
+ "version":3
+}
From ccd239bf6472a2572b110dea3a867fe883c96eaa Mon Sep 17 00:00:00 2001
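Review bot: `playbook-impact`, `playbook-priority` and `playbook-severity` are documented as 0–100 integer ranges but declared `"misp-attribute":"text"`, whereas the `impact`/`priority`/`severity` attributes they replace used `counter`; with `text` nothing constrains the value to the stated range, and consumers that filter or sort on priority will compare strings rather than numbers. Unless the switch to text is deliberate, I would change those three lines back to `"misp-attribute":"counter"`, or else state in each description that the value is free text. A second point: `required` now lists only `"playbook-id"`, so a `playbook-file` or `playbook-base64` blob can arrive with no `playbook-standard`, leaving the consumer without a declared format to validate or parse it against; adding `"playbook-standard"` to `required` (it was required in the previous version) would keep that guarantee. The later hunks only re-indent and re-order these same definitions, so both points apply here alone.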
From: Alexandre Dulaunoy
Date: Wed, 18 May 2022 22:00:41 +0200
Subject: [PATCH 2/2] chg: [security-playbook] jq all the things
---
 objects/security-playbook/definition.json | 240 +++++++++++-----------
 1 file changed, 120 insertions(+), 120 deletions(-)
diff --git a/objects/security-playbook/definition.json b/objects/security-playbook/definition.json
index d3be4e0..4175874 100644
--- a/objects/security-playbook/definition.json
+++ b/objects/security-playbook/definition.json
@@ -1,34 +1,100 @@
 {
- "attributes":{
- "description":{
- "description":"An explanation, details, and more context about what this playbook does and tries to accomplish.",
- "disable_correlation":true,
- "misp-attribute":"text",
- "ui-priority":1
+ "attributes": {
+ "description": {
+ "description": "An explanation, details, and more context about what this playbook does and tries to accomplish.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
 },
- "playbook-id":{
- "description":"A value that uniquely identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value). If not, the producer MAY generate a unique identifier for the playbook.",
- "disable_correlation":false,
- "misp-attribute":"text",
- "ui-priority":1
+ "labels": {
+ "description": "Labels for this playbook (e.g., adversary persona names, associated groups, malware family/variant/name that this playbook is related to). Another option is to use MISP tags, taxonomies, and galaxies.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
 },
- "revoked":{
- "description":"A boolean that identifies if the playbook is no longer valid (revoked).",
- "disable_correlation":true,
- "misp-attribute":"boolean",
- "sane_default":[
- "True",
- "False"
- ],
- "ui-priority":1
+ "organization-type": {
+ "description": "The type of organization that the playbook is intended for. This can be an industry sector. Another option is to use MISP tags, taxonomies, and galaxies.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
 },
- "playbook-type":{
- "description":"The security-related functions the playbook supports. A playbook may account for multiple types (e.g., detection and investigation). The listed options are based on the CACAO standard and NIST SP 800-61 rev2. Another option is to use MISP tags, taxonomies, and galaxies.",
- "disable_correlation":true,
- "misp-attribute":"text",
- "multiple":true,
- "ui-priority":1,
- "values_list":[
+ "playbook-abstraction": {
+ "description": "The playbook’s level of abstraction (with regards to consumption).",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1,
+ "values_list": [
+ "template",
+ "executable"
+ ]
+ },
+ "playbook-base64": {
+ "description": "The entire playbook file/document encoded in base64.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "playbook-creation-time": {
+ "description": "The date and time at which the playbook was originally created.",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 1
+ },
+ "playbook-creator": {
+ "description": "The entity that created the playbook. It can be a natural person or an organization. It may be represented using a unique identifier that identifies the creator.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "playbook-file": {
+ "description": "The entire playbook file/document in its native format (e.g., CACAO JSON or BPMN).",
+ "misp-attribute": "attachment",
+ "ui-priority": 1
+ },
+ "playbook-id": {
+ "description": "A value that uniquely identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value). If not, the producer MAY generate a unique identifier for the playbook.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "playbook-impact": {
+ "description": "From 0 to 100, a value representing the impact the playbook has on the organization. A value of 0 means specifically undefined. Impact values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive could have a low impact value of 1. In contrast, a playbook that performs changes such as adding rules into a firewall should have a higher impact value.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "playbook-modification-time": {
+ "description": "The date and time at which the playbook was last modified.",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 1
+ },
+ "playbook-priority": {
+ "description": "From 0 to 100, a value representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Priority values range from 1, the highest priority, to a value of 100, the lowest.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "playbook-severity": {
+ "description": "From 0 to 100, a value representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Severity values range from 1, the lowest severity, to a value of 100, the highest.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "playbook-standard": {
+ "description": "The standard/format/notation the playbook conforms to (e.g., CACAO, BPMN).",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "playbook-type": {
+ "description": "The security-related functions the playbook supports. A playbook may account for multiple types (e.g., detection and investigation). The listed options are based on the CACAO standard and NIST SP 800-61 rev2. Another option is to use MISP tags, taxonomies, and galaxies.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1,
+ "values_list": [
 "notification",
 "detection",
 "investigation",
@@ -42,105 +108,39 @@
 "attack"
 ]
 },
- "organization-type":{
- "description":"The type of organization that the playbook is intended for. This can be an industry sector. Another option is to use MISP tags, taxonomies, and galaxies.",
- "disable_correlation":true,
- "misp-attribute":"text",
- "multiple":true,
- "ui-priority":1
+ "playbook-valid-from": {
+ "description": "The date and time from which the playbook is considered valid and the steps that it contains can be executed.",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 1
 },
- "labels":{
- "description":"Labels for this playbook (e.g., adversary persona names, associated groups, malware family/variant/name that this playbook is related to). Another option is to use MISP tags, taxonomies, and galaxies.",
- "disable_correlation":true,
- "misp-attribute":"text",
- "multiple":true,
- "ui-priority":1
+ "playbook-valid-until": {
+ "description": "The date and time from which the playbook should no longer be considered a valid playbook to be executed.",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 1
 },
- "playbook-standard":{
- "description":"The standard/format/notation the playbook conforms to (e.g., CACAO, BPMN).",
- "disable_correlation":true,
- "misp-attribute":"text",
- "ui-priority":1
- },
- "playbook-abstraction":{
- "description":"The playbook’s level of abstraction (with regards to consumption).",
- "disable_correlation":true,
- "misp-attribute":"text",
- "ui-priority":1,
- "values_list":[
- "template",
- "executable"
- ]
- },
- "playbook-creator":{
- "description":"The entity that created the playbook. It can be a natural person or an organization. It may be represented using a unique identifier that identifies the creator.",
- "disable_correlation":true,
- "misp-attribute":"text",
- "ui-priority":1
- },
- "playbook-creation-time":{
- "description":"The date and time at which the playbook was originally created.",
- "disable_correlation":true,
- "misp-attribute":"datetime",
- "ui-priority":1
- },
- "playbook-modification-time":{
- "description":"The date and time at which the playbook was last modified.",
- "disable_correlation":true,
- "misp-attribute":"datetime",
- "ui-priority":1
- },
- "playbook-impact":{
- "description":"From 0 to 100, a value representing the impact the playbook has on the organization. A value of 0 means specifically undefined. Impact values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive could have a low impact value of 1. In contrast, a playbook that performs changes such as adding rules into a firewall should have a higher impact value.",
- "disable_correlation":true,
- "misp-attribute":"text",
- "ui-priority":1
- },
- "playbook-priority":{
- "description":"From 0 to 100, a value representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Priority values range from 1, the highest priority, to a value of 100, the lowest.",
- "disable_correlation":true,
- "misp-attribute":"text",
- "ui-priority":1
- },
- "playbook-severity":{
- "description":"From 0 to 100, a value representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Severity values range from 1, the lowest severity, to a value of 100, the highest.",
- "disable_correlation":true,
- "misp-attribute":"text",
- "ui-priority":1
- },
- "playbook-valid-from":{
- "description":"The date and time from which the playbook is considered valid and the steps that it contains can be executed.",
- "disable_correlation":true,
- "misp-attribute":"datetime",
- "ui-priority":1
- },
- "playbook-valid-until":{
- "description":"The date and time from which the playbook should no longer be considered a valid playbook to be executed.",
- "disable_correlation":true,
- "misp-attribute":"datetime",
- "ui-priority":1
- },
- "playbook-file":{
- "description":"The entire playbook file/document in its native format (e.g., CACAO JSON or BPMN).",
- "misp-attribute":"attachment",
- "ui-priority":1
- },
- "playbook-base64":{
- "description":"The entire playbook file/document encoded in base64.",
- "misp-attribute":"text",
- "ui-priority":1
+ "revoked": {
+ "description": "A boolean that identifies if the playbook is no longer valid (revoked).",
+ "disable_correlation": true,
+ "misp-attribute": "boolean",
+ "sane_default": [
+ "True",
+ "False"
+ ],
+ "ui-priority": 1
 }
 },
- "description":"The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.",
- "meta-category":"misc",
- "name":"security-playbook",
- "required":[
+ "description": "The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.",
+ "meta-category": "misc",
+ "name": "security-playbook",
+ "required": [
 "playbook-id"
 ],
- "requiredOneOf":[
+ "requiredOneOf": [
 "playbook-file",
 "playbook-base64"
 ],
- "uuid":"48894c92-447b-4abe-b093-360c4d823e9d",
- "version":3
-}
+ "uuid": "48894c92-447b-4abe-b093-360c4d823e9d",
+ "version": 3
+}
\ No newline at end of file