Added 'course-of-action:passive=nodiscover'

pull/272/head
Hendrik Baecker 2024-02-06 14:28:16 +01:00
parent 3d61b20e7e
commit 41e8bdc4f3
1 changed files with 5 additions and 1 deletions

View File

@ -2,7 +2,7 @@
"namespace": "course-of-action", "namespace": "course-of-action",
"expanded": "Courses of Action", "expanded": "Courses of Action",
"description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.", "description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
"version": 2, "version": 3,
"predicates": [ "predicates": [
{ {
"value": "passive", "value": "passive",
@ -21,6 +21,10 @@
"value": "discover", "value": "discover",
"expanded": "The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past." "expanded": "The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past."
}, },
{
"value": "nodiscover",
"expanded": "The no-discover action is a negation of discover in case you want to explicit prohibit 'historical look at the data'. The goal is to exclude a specific indicator from searches of historical data."
},
{ {
"value": "detect", "value": "detect",
"expanded": "The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered." "expanded": "The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered."