Subject: How best to do multiple actions
All,

I want to kick off a discussion about how best to encapsulate multiple atomic actions in a security playbook. From my perspective there are at least two different ways this could be done.

1) The actions and the sequencing are kept together. In this model, we would define any temporal / conditional logic and any required response codes along with the action itself, or in-line with the JSON structure for that action. Something like:

Action ID: 1234
Remove Registry Key
Require Success
If Failure send alert and stop

Action ID: 5678
Delete File
Require Success
Require Success of Action ID 1234
If Failure send alert and stop

2) The actions and the sequencing / logic are separate from one another. In this model you could have a small library of commands and then processing instructions in another part of the JSON:

Action ID: 1234
Remove Registry Key

Action ID: 5678
Delete File

Action ID: 9876
Email Change Control

Action Logic
First do 1234
Second do 5678 but only if 1234 is successful
Third do 9876 but only if 5678 is successful
etc.

This is not meant to say we are doing one of these two methods, but rather, this is meant to be a way to start the discussion.

Bret
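As an added illustration of the two layouts in the message (not code from the list or from any playbook specification), the following sketch encodes both shapes as JSON, normalizes each into a command library plus an ordered step list, and runs them through one engine that honours "only if X is successful" and "if failure send alert and stop". All field names and the sample playbooks are assumptions made up for this example.

```python
import json

# Constructed sample playbooks in the two shapes from the message; field names are
# assumptions for illustration, not from any playbook specification.
INLINE_PLAYBOOK = json.loads("""
{"actions": [
  {"id": "1234", "command": "remove_registry_key", "on_failure": "alert_and_stop"},
  {"id": "5678", "command": "delete_file", "requires": ["1234"],
   "on_failure": "alert_and_stop"}]}""")

SEPARATED_PLAYBOOK = json.loads("""
{"actions": {"1234": {"command": "remove_registry_key"},
             "5678": {"command": "delete_file"},
             "9876": {"command": "email_change_control"}},
 "logic": [{"do": "1234"},
           {"do": "5678", "if_success": ["1234"]},
           {"do": "9876", "if_success": ["5678"]}]}""")


def normalize(playbook):
    """Reduce either shape to (library, steps) so a single engine can run both."""
    if isinstance(playbook["actions"], list):  # model 1: logic lives on each action
        library = {a["id"]: {"command": a["command"]} for a in playbook["actions"]}
        steps = [{"do": a["id"], "if_success": a.get("requires", []),
                  "on_failure": a.get("on_failure", "alert_and_stop")}
                 for a in playbook["actions"]]
    else:  # model 2: command library plus a separate ordered logic list
        library = playbook["actions"]
        steps = [{"do": s["do"], "if_success": s.get("if_success", []),
                  "on_failure": s.get("on_failure", "alert_and_stop")}
                 for s in playbook["logic"]]
    return library, steps


def run(playbook, execute):
    """Run steps in order. execute(command) -> True/False. Returns (results, alerts)."""
    library, steps = normalize(playbook)
    results, alerts = {}, []
    for step in steps:
        aid = step["do"]
        if aid not in library:  # logic references an action the library never defined
            alerts.append(f"unknown action {aid}; stopping")
            break
        unmet = [d for d in step["if_success"] if results.get(d) is not True]
        if unmet:  # prerequisite failed, was skipped, or has not run yet: skip this one
            results[aid] = None
            continue
        results[aid] = execute(library[aid]["command"])
        if results[aid] is False and step["on_failure"] == "alert_and_stop":
            alerts.append(f"{aid} ({library[aid]['command']}) failed; stopping")
            break
    return results, alerts
```

The `execute` callback stands in for whatever actually carries out a command; passing a fake that returns False for one command exercises the stop-and-alert and skip paths without touching a host.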