{ "namespace": "coa", "description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack.", "version": 2, "predicates": [ { "value": "discover", "expanded": "Search historical data for an indicator." }, { "value": "detect", "expanded": "Set up a detection rule for an indicator for future alerting." }, { "value": "deny", "expanded": "Prevent an event from taking place." }, { "value": "disrupt", "expanded": "Make an event fail when it is taking place." }, { "value": "degrade", "expanded": "Slow down attacker activity; reduce attacker efficiency." }, { "value": "deceive", "expanded": "Pretend only that an action was successful or provide misinformation to the attacker." }, { "value": "destroy", "expanded": "Offensive action against the attacker." } ], "values": [
{ "predicate": "discover", "entry": [ { "value": "proxy", "expanded": "Searched historical proxy logs.", "colour": "#005065" }, { "value": "ids", "expanded": "Searched historical IDS logs.", "colour": "#00586f" }, { "value": "firewall", "expanded": "Searched historical firewall logs.", "colour": "#005f78" }, { "value": "pcap", "expanded": "Searched historical packet-capture logs.", "colour": "#006681" }, { "value": "remote-access", "expanded": "Searched historical remote access logs.", "colour": "#006e8b" }, { "value": "authentication", "expanded": "Searched historical authentication logs.", "colour": "#007594" }, { "value": "honeypot", "expanded": "Searched historical honeypot data.", "colour": "#007c9d" }, { "value": "syslog", "expanded": "Searched historical system logs.", "colour": "#0084a6" }, { "value": "web", "expanded": "Searched historical WAF and web application logs.", "colour": "#008bb0" }, { "value": "database", "expanded": "Searched historical database logs.", "colour": "#0092b9" }, { "value": "mail", "expanded": "Searched historical mail logs.", "colour": "#009ac2" }, { "value": "antivirus", "expanded": "Searched historical antivirus alerts.", "colour": "#00a1cb" }, { "value": "malware-collection", "expanded": "Retro hunted in a malware collection.", "colour": "#00a8d5" }, { "value": "other", "expanded": "Searched other historical data.", "colour": "#00b0de" }, { "value": "unspecified", "expanded": "Unspecified information.", "colour": "#00b7e7" } ] },
{ "predicate": "detect", "entry": [ { "value": "proxy", "expanded": "Detect by proxy infrastructure.", "colour": "#0abdeb" }, { "value": "nids", "expanded": "Detect by network intrusion detection system.", "colour": "#13c5f4" }, { "value": "hids", "expanded": "Detect by host intrusion detection system.", "colour": "#24c9f5" }, { "value": "other", "expanded": "Detect by other tools.", "colour": "#35cef5" }, { "value": "syslog", "expanded": "Detect in system logs.", "colour": "#45d2f6" }, { "value": "firewall", "expanded": "Detect by firewall.", "colour": "#56d6f7" }, { "value": "email", "expanded": "Detect by MTA.", "colour": "#67daf8" }, { "value": "web", "expanded": "Detect by web infrastructure including WAF.", "colour": "#78def8" }, { "value": "database", "expanded": "Detect in database.", "colour": "#89e2f9" }, { "value": "remote-access", "expanded": "Detect in remote-access logs.", "colour": "#9ae6fa" }, { "value": "malware-collection", "expanded": "Detect in malware-collection.", "colour": "#aaeafb" }, { "value": "antivirus", "expanded": "Detect with antivirus.", "colour": "#bbeefb" }, { "value": "unspecified", "expanded": "Unspecified information.", "colour": "#ccf2fc" } ] },
{ "predicate": "deny", "entry": [ { "value": "proxy", "expanded": "Implemented a proxy filter.", "colour": "#f09105" }, { "value": "firewall", "expanded": "Implemented a block rule on a firewall.", "colour": "#f99a0e" }, { "value": "waf", "expanded": "Implemented a block rule on a web application firewall.", "colour": "#f9a11f" }, { "value": "email", "expanded": "Implemented a filter on a mail transfer agent.", "colour": "#faa830" }, { "value": "chroot",
"expanded": "Implemented a chroot jail.", "colour": "#faaf41" }, { "value": "remote-access", "expanded": "Blocked an account for remote access.", "colour": "#fbb653" }, { "value": "other", "expanded": "Denied an action by other means.", "colour": "#fbbe64" }, { "value": "unspecified", "expanded": "Unspecified information.", "colour": "#fbc575" } ] },
{ "predicate": "disrupt", "entry": [ { "value": "nips", "expanded": "Implemented a rule on a network IPS.", "colour": "#660389" }, { "value": "hips", "expanded": "Implemented a rule on a host-based IPS.", "colour": "#73039a" }, { "value": "other", "expanded": "Disrupted an action by other means.", "colour": "#8003ab" }, { "value": "email", "expanded": "Quarantined an email.", "colour": "#8d04bd" }, { "value": "memory-protection", "expanded": "Implemented memory protection like DEP and/or ASLR.", "colour": "#9a04ce" }, { "value": "sandboxing", "expanded": "Detonated in a sandbox.", "colour": "#a605df" }, { "value": "antivirus", "expanded": "Activated an antivirus signature.", "colour": "#b305f0" }, { "value": "unspecified", "expanded": "Unspecified information.", "colour": "#bc0ef9" } ] },
{ "predicate": "degrade", "entry": [ { "value": "bandwidth", "expanded": "Throttled the bandwidth.", "colour": "#0421ce" }, { "value": "tarpit", "expanded": "Implemented a network tarpit.", "colour": "#0523df" }, { "value": "other", "expanded": "Degraded an action by other means.", "colour": "#0526f0" }, { "value": "email", "expanded": "Queued an email.", "colour": "#0e2ff9" }, { "value": "unspecified", "expanded": "Unspecified information.", "colour": "#1f3ef9" } ] },
{ "predicate": "deceive", "entry": [ { "value": "honeypot", "expanded": "Implemented an interactive honeypot.", "colour": "#0eb274" }, { "value": "DNS", "expanded": "Implemented DNS redirects, e.g. a response policy zone.", "colour": "#10c37f" }, { "value": "other", "expanded": "Deceived the attacker with other technology.", "colour": "#11d389" }, { "value": "email", "expanded": "Implemented email redirection.", "colour": "#12e394" }, { "value": "unspecified", "expanded": "Unspecified information.", "colour": "#1bec9d" } ] },
{ "predicate": "destroy", "entry": [ { "value": "arrest", "expanded": "Arrested the threat actor.", "colour": "#c33210" }, { "value": "seize", "expanded": "Seized attacker infrastructure.", "colour": "#d33611" }, { "value": "physical", "expanded": "Physically destroyed attacker hardware.", "colour": "#e33b12" }, { "value": "dos", "expanded": "Performed a denial-of-service attack against attacker infrastructure.", "colour": "#ec441b" }, { "value": "hack-back", "expanded": "Hack back against the threat actor.", "colour": "#ed512b" }, { "value": "other", "expanded": "Carried out other offensive actions against the attacker.", "colour": "#ee5e3b" }, { "value": "unspecified", "expanded": "Unspecified information.", "colour": "#f06c4c" } ] } ] }