optional actions/CoA field?

[juju4]

Hello,

Any plans for suggested actions in the schema?
I know it's pretty broad and environment dependent but it could be an interesting optional field
for example

• retrieve executable on lnx_buffer_overflows and validate hash against VT/MHR
• retrieve process tree
• dump full memory
• kill process
• change network vlan or any other containment actions

Depending on implementation, it could be leveraged to automate part of the incident response with tools like ansible, puppet & co
Also LimaCharlie (https://github.com/refractionPOINT/limacharlie) is doing automated response based on python

kind of related to CoA mentionned on MISP project perspective issue.

Thanks a lot for this great contribution!

[athiasjerome]

That would be a nice feature. Also I would suggest implementation compatible with OpenC2
Ref. https://github.com/OpenC2-org

[thomaspatzke]

We would keep the Sigma core format focused and therefore don't plan such an extension. But feel free to extend your Sigma rules with additional fields, the tools from this repository only care about defined fields and ignore custom ones.