[Draft] Remediation Category and Events #818
TODO: Move startup_app to the macos extension
Cleaned up descriptions
Recommend distinguishing between remediation actions since they could be quite varied. In D3FEND we define Evict, Restore, and Isolate. You could argue even Hardening could be a remediation.
Adding in some of the conversation from OCSF Slack for posterity: I think that having Category names being "X Remediation" is not specific enough. For example, our (current) full taxonomy of defensive techniques looks like this:
This is a major change, adding a new category. The activities are modeled as results or status, so that needs to be reworked. There are also many discrete events, for each item being targeted. There should be a more efficient way of modeling remediation. Finally, staying true to #d3fend is highly desirable, but without duplicating/mirroring the "defensive techniques" but rather referencing them in the way we have done with ATT&CK. As part of this exercise, the associations of OCSF Objects and d3fend Artifacts become more important.
Closing PR; this was taken forward by Paul in #1066
Adding events to model remediation of entities on Windows/Linux/MacOS:
These events report the status of remediation attempts (commands) on the defined target entities.
Windows/Mac-specific items were added as extensions for the OS.
Note: There is one TODO in this draft: move the startup application into the MacOS profile being added as part of the Discovery events PR.
Windows-specific entities:
Registry Value
Registry Key
MacOS-specific entities:
Startup Application
OS-agnostic entities:
File
Folder
Job
Module
Network Connection
Process
Service
User Session
Other:
Unsuccessful Remediation: result document (event) that captures when a remediation attempt failed
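To make the design above concrete from the consumer's side, here is an added example (not OCSF code, and not part of this PR) of a SOC-side consumer that ingests remediation-status events shaped around the entity list in the description: the OS-agnostic entities, the Windows-only registry entities, the macOS-only Startup Application, and a status field capturing success or failure. The field names `os`, `target_type`, `status`, `command` and `reason`, the status values, and the JSON-lines sample stream are all constructed for illustration and are not OCSF attributes or real telemetry. The consumer checks that each event's target entity is valid for its OS (the extension split in the description), tallies outcomes per target type, and surfaces the unsuccessful remediations that an analyst would want to follow up on.

```python
"""Consumer for remediation-status events shaped like the entity list in this PR.

Added example, not OCSF code: every field name used here (os, target_type,
status, command, reason) is a constructed placeholder, not an OCSF attribute.
"""
import json
from collections import Counter
from typing import Iterable, List, Set, Tuple

# Entity types copied from the PR description. The OS scoping mirrors the
# "extensions for the OS" split: registry entities only on Windows, the
# Startup Application only on macOS, the rest on every OS.
OS_AGNOSTIC: Set[str] = {
    "File", "Folder", "Job", "Module",
    "Network Connection", "Process", "Service", "User Session",
}
OS_SPECIFIC = {
    "Windows": {"Registry Value", "Registry Key"},
    "macOS": {"Startup Application"},
    "Linux": set(),
}
VALID_STATUS = ("Success", "Failure")  # constructed values, not OCSF enums


def allowed_targets(os_name: str) -> Set[str]:
    """Entity types a remediation event may target on the given OS."""
    return OS_AGNOSTIC | OS_SPECIFIC.get(os_name, set())


def validate(event: dict) -> List[str]:
    """Return the list of consistency problems; an empty list means the event is well formed."""
    problems: List[str] = []
    for field in ("os", "target_type", "status", "command"):
        if field not in event:
            problems.append(f"missing field: {field}")
    if problems:
        return problems
    if event["os"] not in OS_SPECIFIC:
        problems.append(f"unknown os: {event['os']}")
    elif event["target_type"] not in allowed_targets(event["os"]):
        # An OS-specific entity reported from the wrong OS is a producer bug
        # worth catching before it pollutes remediation metrics.
        problems.append(f"{event['target_type']} is not a valid target on {event['os']}")
    if event["status"] not in VALID_STATUS:
        problems.append(f"unknown status: {event['status']}")
    return problems


def summarize(lines: Iterable[str]) -> Tuple[Counter, List[dict], List[Tuple[int, List[str]]]]:
    """Parse JSON-lines events and return (outcomes per target type and status,
    failed remediations, invalid events with their line numbers and problems)."""
    outcomes: Counter = Counter()
    failures: List[dict] = []
    invalid: List[Tuple[int, List[str]]] = []
    for line_no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            invalid.append((line_no, [f"bad json: {exc.msg}"]))
            continue
        problems = validate(event)
        if problems:
            invalid.append((line_no, problems))
            continue
        outcomes[(event["target_type"], event["status"])] += 1
        if event["status"] == "Failure":
            failures.append(event)  # the "Unsuccessful Remediation" cases
    return outcomes, failures, invalid


# Constructed sample stream (not real telemetry). Line 4 deliberately reports a
# Windows-only entity from Linux; line 6 is not JSON at all.
SAMPLE_EVENTS = [
    '{"os": "Windows", "target_type": "Registry Key", "status": "Success", "command": "delete"}',
    '{"os": "Windows", "target_type": "Process", "status": "Failure", "command": "terminate", "reason": "access denied"}',
    '{"os": "macOS", "target_type": "Startup Application", "status": "Success", "command": "disable"}',
    '{"os": "Linux", "target_type": "Registry Value", "status": "Success", "command": "delete"}',
    '{"os": "Linux", "target_type": "File", "status": "Failure", "command": "quarantine", "reason": "file in use"}',
    'not json',
]

if __name__ == "__main__":
    outcomes, failures, invalid = summarize(SAMPLE_EVENTS)
    for (target, status), count in sorted(outcomes.items()):
        print(f"{target:20s} {status:8s} {count}")
    for event in failures:
        print("FAILED:", event["os"], event["target_type"], event["command"], event.get("reason", ""))
    for line_no, problems in invalid:
        print(f"line {line_no} rejected: {'; '.join(problems)}")
```

Keeping the failed attempts as first-class results, as the description's "Unsuccessful Remediation" event does, is what lets a consumer like this answer the operational question (which remediation commands are failing, on which entity types, and why) without re-deriving it from the absence of a success event.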