{
"attributes": {
"description": {
"description": "An explanation, details, and more context about what this playbook does and tries to accomplish.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"labels": {
"description": "Labels for this playbook (e.g., adversary persona names, associated groups, malware family/variant/name that this playbook is related to). Another option is to use MISP tags, taxonomies, and galaxies.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 1
},
"organization-type": {
"description": "The type of organization that the playbook is intended for. This can be an industry sector. Another option is to use MISP tags, taxonomies, and galaxies.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 1
},
"playbook-abstraction": {
"description": "The playbook's level of abstraction with regard to how it is consumed: a template to be adapted before use, or a playbook that is ready to be executed as-is.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1,
"values_list": [
"template",
"executable"
]
},
"playbook-base64": {
"description": "The entire playbook file/document encoded in base64, as an alternative to playbook-file (at least one of the two is required). The format of the decoded content should be stated in playbook-standard so consumers know how to parse it.",
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-creation-time": {
"description": "The date and time at which the playbook was originally created.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"playbook-creator": {
"description": "The entity that created the playbook. It can be a natural person or an organization. It may be represented using a unique identifier that identifies the creator.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-file": {
"description": "The entire playbook file/document in its native format (e.g., CACAO JSON or BPMN), stored as an attachment. This is an alternative to playbook-base64 (at least one of the two is required).",
"misp-attribute": "attachment",
"ui-priority": 1
},
"playbook-id": {
"description": "A value that (uniquely) identifies the playbook. If the playbook itself embeds an identifier (e.g., the id field of a CACAO playbook), playbook-id SHOULD reuse that same value so that the same playbook can be correlated across events.",
"disable_correlation": false,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-impact": {
"description": "From 0 to 100, a value representing the impact the playbook has on the organization when executed. A value of 0 means specifically undefined. Impact values range from 1, the lowest impact, to 100, the highest. For example, a purely investigative, non-invasive playbook could have a low impact value of 1, whereas a playbook that performs changes such as adding rules to a firewall should be given a higher impact value.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-modification-time": {
"description": "The date and time at which the playbook was last modified.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"playbook-priority": {
"description": "From 0 to 100, a value representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Priority values range from 1, the highest priority, to 100, the lowest. Note that this scale is inverted compared to playbook-impact and playbook-severity, where higher numbers mean more.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-severity": {
"description": "From 0 to 100, a value representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Severity values range from 1, the lowest severity, to 100, the highest.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-standard": {
"description": "The standard/format/notation the playbook conforms to (e.g., CACAO, BPMN).",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"playbook-type": {
"description": "The security-related functions the playbook supports. A playbook may account for multiple types (e.g., detection and investigation). The listed options are based on the CACAO standard and NIST SP 800-61 rev2. Another option is to use MISP tags, taxonomies, and galaxies.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 1,
"values_list": [
"notification",
"detection",
"investigation",
"prevention",
"mitigation",
"remediation",
"analysis",
"containment",
"eradication",
"recovery",
"attack"
]
},
"playbook-valid-from": {
"description": "The date and time from which the playbook is considered valid and the steps that it contains can be executed.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"playbook-valid-until": {
"description": "The date and time after which the playbook should no longer be considered valid for execution; together with playbook-valid-from it bounds the validity window of the playbook.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"revoked": {
"description": "A boolean indicating that the playbook has been revoked and is no longer valid, regardless of its playbook-valid-from/playbook-valid-until window.",
"disable_correlation": true,
"misp-attribute": "boolean",
"sane_default": [
"True",
"False"
],
"ui-priority": 1
}
},
"description": "The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.",
"meta-category": "misc",
"name": "security-playbook",
"requiredOneOf": [
"playbook-file",
"playbook-base64"
],
"uuid": "48894c92-447b-4abe-b093-360c4d823e9d",
"version": 3
}