{ "attributes": { "description": { "description": "An explanation, details, and more context about what this playbook does and tries to accomplish.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 }, "labels": { "description": "Labels for this playbook (e.g., adversary persona names, associated groups, malware family/variant/name that this playbook is related to). Another option is to use MISP tags, taxonomies, and galaxies.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 1 }, "organization-type": { "description": "The type of organization that the playbook is intended for. This can be an industry sector. Another option is to use MISP tags, taxonomies, and galaxies.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 1 }, "playbook-abstraction": { "description": "The playbook’s level of abstraction (with regards to consumption).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1, "values_list": [ "template", "executable" ] }, "playbook-base64": { "description": "The entire playbook file/document encoded in base64.", "misp-attribute": "text", "ui-priority": 1 }, "playbook-creation-time": { "description": "The date and time at which the playbook was originally created.", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 1 }, "playbook-creator": { "description": "The entity that created the playbook. It can be a natural person or an organization. It may be represented using a unique identifier that identifies the creator.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 }, "playbook-file": { "description": "The entire playbook file/document in its native format (e.g., CACAO JSON or BPMN).", "misp-attribute": "attachment", "ui-priority": 1 }, "playbook-id": { "description": "A value that (uniquely) identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value) for correlation purposes.", "disable_correlation": false, "misp-attribute": "text", "ui-priority": 1 }, "playbook-impact": { "description": "From 0 to 100, a value representing the impact the playbook has on the organization. A value of 0 means specifically undefined. Impact values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive could have a low impact value of 1. In contrast, a playbook that performs changes such as adding rules into a firewall should have a higher impact value.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 }, "playbook-modification-time": { "description": "The date and time at which the playbook was last modified.", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 1 }, "playbook-priority": { "description": "From 0 to 100, a value representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Priority values range from 1, the highest priority, to a value of 100, the lowest.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 }, "playbook-severity": { "description": "From 0 to 100, a value representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Severity values range from 1, the lowest severity, to a value of 100, the highest.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 }, "playbook-standard": { "description": "The standard/format/notation the playbook conforms to (e.g., CACAO, BPMN).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 }, "playbook-type": { "description": "The security-related functions the playbook supports. A playbook may account for multiple types (e.g., detection and investigation). The listed options are based on the CACAO standard and NIST SP 800-61 rev2. Another option is to use MISP tags, taxonomies, and galaxies.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 1, "values_list": [ "notification", "detection", "investigation", "prevention", "mitigation", "remediation", "analysis", "containment", "eradication", "recovery", "attack" ] }, "playbook-valid-from": { "description": "The date and time from which the playbook is considered valid and the steps that it contains can be executed.", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 1 }, "playbook-valid-until": { "description": "The date and time from which the playbook should no longer be considered a valid playbook to be executed.", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 1 }, "revoked": { "description": "A boolean that identifies if the playbook is no longer valid (revoked).", "disable_correlation": true, "misp-attribute": "boolean", "sane_default": [ "True", "False" ], "ui-priority": 1 } }, "description": "The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.", "meta-category": "misc", "name": "security-playbook", "requiredOneOf": [ "playbook-file", "playbook-base64" ], "uuid": "48894c92-447b-4abe-b093-360c4d823e9d", "version": 3 }