misp-objects/objects/security-playbook/definition.json

143 lines
6.0 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

{
"attributes": {
"description": {
"description": "An explanation, details, and more context about what this playbook does and tries to accomplish.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"labels": {
"description": "Labels for this playbook (e.g., adversary persona names, associated groups, malware family/variant/name that this playbook is related to). Another option is to use MISP tags, taxonomies, and galaxies.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 1
},
"organization-type": {
"description": "The type of organization that the playbook is intended for. This can be an industry sector. Another option is to use MISP tags, taxonomies, and galaxies.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 1
},
"playbook-abstraction": {
"description": "The playbooks level of abstraction (with regards to consumption).",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1,
"values_list": [
"template",
"executable"
]
},
"playbook-base64": {
"description": "The entire playbook file/document encoded in base64.",
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-creation-time": {
"description": "The date and time at which the playbook was originally created.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"playbook-creator": {
"description": "The entity that created the playbook. It can be a natural person or an organization. It may be represented using a unique identifier that identifies the creator.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-file": {
"description": "The entire playbook file/document in its native format (e.g., CACAO JSON or BPMN).",
"misp-attribute": "attachment",
"ui-priority": 1
},
"playbook-id": {
"description": "A value that (uniquely) identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value) for correlation purposes.",
"disable_correlation": false,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-impact": {
"description": "From 0 to 100, a value representing the impact the playbook has on the organization. A value of 0 means specifically undefined. Impact values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive could have a low impact value of 1. In contrast, a playbook that performs changes such as adding rules into a firewall should have a higher impact value.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-modification-time": {
"description": "The date and time at which the playbook was last modified.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"playbook-priority": {
"description": "From 0 to 100, a value representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Priority values range from 1, the highest priority, to a value of 100, the lowest.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-severity": {
"description": "From 0 to 100, a value representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Severity values range from 1, the lowest severity, to a value of 100, the highest.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-standard": {
"description": "The standard/format/notation the playbook conforms to (e.g., CACAO, BPMN).",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-type": {
"description": "The security-related functions the playbook supports. A playbook may account for multiple types (e.g., detection and investigation). The listed options are based on the CACAO standard and NIST SP 800-61 rev2. Another option is to use MISP tags, taxonomies, and galaxies.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 1,
"values_list": [
"notification",
"detection",
"investigation",
"prevention",
"mitigation",
"remediation",
"analysis",
"containment",
"eradication",
"recovery",
"attack"
]
},
"playbook-valid-from": {
"description": "The date and time from which the playbook is considered valid and the steps that it contains can be executed.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"playbook-valid-until": {
"description": "The date and time from which the playbook should no longer be considered a valid playbook to be executed.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"revoked": {
"description": "A boolean that identifies if the playbook is no longer valid (revoked).",
"disable_correlation": true,
"misp-attribute": "boolean",
"sane_default": [
"True",
"False"
],
"ui-priority": 1
}
},
"description": "The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.",
"meta-category": "misc",
"name": "security-playbook",
"requiredOneOf": [
"playbook-file",
"playbook-base64"
],
"uuid": "48894c92-447b-4abe-b093-360c4d823e9d",
"version": 3
}