Merge pull request #272 from DCSO/courseofaction-nodiscover

Add 'course-of-action:passive=nodiscover'
pull/273/head
Alexandre Dulaunoy 2024-02-07 06:36:57 +01:00 committed by GitHub
commit 6b593ea8c1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 5 additions and 1 deletions

View File

@ -2,7 +2,7 @@
"namespace": "course-of-action", "namespace": "course-of-action",
"expanded": "Courses of Action", "expanded": "Courses of Action",
"description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.", "description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
"version": 2, "version": 3,
"predicates": [ "predicates": [
{ {
"value": "passive", "value": "passive",
@ -21,6 +21,10 @@
"value": "discover", "value": "discover",
"expanded": "The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past." "expanded": "The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past."
}, },
{
"value": "nodiscover",
"expanded": "The no-discover action is a negation of discover in case you want to explicit prohibit 'historical look at the data'. The goal is to exclude a specific indicator from searches of historical data."
},
{ {
"value": "detect", "value": "detect",
"expanded": "The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered." "expanded": "The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered."