Any plans for suggested actions in the schema?
I know it's pretty broad and environment dependent but it could be an interesting optional field
for example:
retrieve executable on lnx_buffer_overflows and validate hash against VT/MHR
retrieve process tree
dump full memory
kill process
change network vlan or any other containment actions
Depending on implementation, it could be leveraged to automate part of the incident response with tools like Ansible, Puppet & co.
Also, LimaCharlie (https://github.com/refractionPOINT/limacharlie) is doing automated response based on Python.
Kind of related to the CoA mentioned in the MISP project perspective issue.
Thanks a lot for this great contribution!
We would like to keep the Sigma core format focused and therefore don't plan such an extension. But feel free to extend your Sigma rules with additional fields; the tools from this repository only care about the defined fields and ignore custom ones.
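As an added example (not code from the Sigma project or from the issue author), this is what such a custom field could look like once the rule is parsed, together with the check a responder should do before acting on it. The field name `x_response`, the action verbs, the responder, and the rule and event data are all constructed for illustration; the rule dict is what `yaml.safe_load` would return for the rule file. The point worth keeping: a rule file that drives containment is untrusted input to your automation, so the rule may only pick allowlisted verbs and reference fields of the matched event, never ship its own command line.

```python
"""Carry suggested response actions in a custom Sigma rule field.

Added example, not code from the Sigma project. It assumes a hypothetical
top-level field `x_response` (any name outside the spec behaves the same)
and a hypothetical responder that executes only allowlisted action verbs.
"""
import re
from dataclasses import dataclass

# Top-level keys defined by the Sigma rule specification. Anything else is a
# custom extension; sigmac and the other tools ignore it rather than reject it.
SIGMA_TOP_LEVEL = {
    "title", "id", "related", "status", "description", "references", "author",
    "date", "modified", "logsource", "detection", "fields", "falsepositives",
    "level", "tags",
}

# Allowlist of verbs the (hypothetical) responder can run and the parameters
# each one takes. Rules may come from third parties, so a rule may only choose
# among these; it can never supply a command of its own.
ACTION_SCHEMA = {
    "retrieve_executable": {"path"},  # fetch the binary, hash it against VT/MHR
    "process_tree": {"pid"},
    "memory_dump": set(),
    "kill_process": {"pid"},
    "isolate_host": set(),            # e.g. move the host to a quarantine VLAN
}

# Parameter values must be placeholders naming a field of the matched event.
PLACEHOLDER = re.compile(r"^\{([A-Za-z_][A-Za-z0-9_]*)\}$")


@dataclass(frozen=True)
class Action:
    verb: str
    params: dict


def split_fields(rule: dict):
    """Return (spec_fields, custom_fields) for a parsed rule."""
    spec = {k: v for k, v in rule.items() if k in SIGMA_TOP_LEVEL}
    custom = {k: v for k, v in rule.items() if k not in SIGMA_TOP_LEVEL}
    return spec, custom


def validate_actions(rule: dict, field_name: str = "x_response"):
    """Parse the custom action list; raise ValueError on anything outside the
    allowlist so a malformed or malicious rule can never run."""
    entries = rule.get(field_name, [])
    if not isinstance(entries, list):
        raise ValueError(f"{field_name} must be a list")
    actions = []
    for entry in entries:
        if not isinstance(entry, dict) or "action" not in entry:
            raise ValueError(f"malformed action entry: {entry!r}")
        verb = entry["action"]
        if verb not in ACTION_SCHEMA:
            raise ValueError(f"action {verb!r} is not allowlisted")
        params = {k: v for k, v in entry.items() if k != "action"}
        if set(params) != ACTION_SCHEMA[verb]:
            raise ValueError(f"{verb} expects {sorted(ACTION_SCHEMA[verb])}")
        for value in params.values():
            if not isinstance(value, str) or not PLACEHOLDER.match(value):
                raise ValueError(f"{value!r} is not an event field reference")
        actions.append(Action(verb, params))
    return actions


def bind(actions, event: dict):
    """Resolve {Field} placeholders against the event that matched the rule."""
    bound = []
    for action in actions:
        params = {}
        for name, ref in action.params.items():
            field = PLACEHOLDER.match(ref).group(1)
            if field not in event:
                raise KeyError(f"event lacks {field!r} needed by {action.verb}")
            params[name] = event[field]
        bound.append(Action(action.verb, params))
    return bound


def rejects(rule: dict) -> bool:
    """True if the rule's action list fails validation."""
    try:
        validate_actions(rule)
    except ValueError:
        return True
    return False


# Constructed rule (what yaml.safe_load would return for the YAML file); the
# detection part is a placeholder, only the custom field matters here.
RULE = {
    "title": "Linux Buffer Overflow Indicator",
    "status": "experimental",
    "logsource": {"product": "linux", "service": "syslog"},
    "detection": {"keywords": ["segfault at"], "condition": "keywords"},
    "level": "high",
    "x_response": [
        {"action": "retrieve_executable", "path": "{Image}"},
        {"action": "process_tree", "pid": "{ProcessId}"},
        {"action": "memory_dump"},
        {"action": "kill_process", "pid": "{ProcessId}"},
        {"action": "isolate_host"},
    ],
}

# A rule that tries to smuggle in its own command; must be rejected.
BAD_RULE = {**RULE, "x_response": [{"action": "run", "cmd": "rm -rf /"}]}

# Constructed event that matched the rule.
EVENT = {"Host": "web-03", "Image": "/usr/local/bin/vulnd", "ProcessId": 4242}

if __name__ == "__main__":
    for a in bind(validate_actions(RULE), EVENT):
        print(a.verb, a.params)
```

Because `x_response` is outside `SIGMA_TOP_LEVEL`, `split_fields` reports it as custom, which mirrors what the official converters do with it: carry it along or drop it, but never fail on it. Which tool consumes the bound actions (Ansible, Puppet, an EDR API) is up to the environment; the validation step stays the same regardless.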