
cacao message



Subject: Re: [cacao] How best to do multiple actions


All,

Although we target automation, the formulation of actions should be easily readable to humans.
They have (in the end) to validate the scripted action.
So besides a description, I would suggest that an optional explanation would help the validation process.

Secondly, actions should succeed or fail (probably returning an error code or exception).
We assume that a simple sequence of actions will succeed if all items within the sequence succeed.
So for the happy flow no clutter is introduced.

To capture the errors I would suggest try/exception blocks,
extended by an if exception-clause.
The construct of a block should be procedure-like (with parameters, returning results or exceptions).
The language should support if/for/while/switch/call mechanisms.
Maybe we should adapt a programming language for expression of the actions (Python3 or …).

I would see the elements as small programs that run in the context of the target.
For example
	firewall_disableIP(firewallName, 1.2.3.4)
Could be implemented for an ASA or Juniper or other firewall (hopefully by the vendor or the user).

Anyway we should keep in mind that there should be a pretty print of the commands that
can be read by humans. Of course we can convert a language into a JSON format. But that is secondary.

My 2cts

Frans Schippers
Cyber Security
Lecturer / Researcher

Amsterdam University of Applied Sciences
HBO-ICT
Wibautstraat 2-4
1091 GM Amsterdam

PGP: 12D1 D930 488C 22B7 6AFF  BFF7 218C 865E D6E0 6B48

> On 18 Sep 2019, at 16:15, Bret Jordan <Bret_Jordan@symantec.com> wrote:
> 
> All,
> 
> I want to kick off a discussion about how best to encapsulate multiple atomic actions in a security playbook.  From my perspective there are at least two different ways this could be done…
> 
> 
> 1) The actions and the sequencing are kept together. In this model, we would define any temporal / conditional logic and any required response codes along with the action itself, or in-line with the JSON structure for that action. Something like:
> 
> Action ID: 1234
> Remove Registry Key
> Require Success
> If Failure send alert and stop
> 
> Action ID: 5678
> Delete File
> Require Success
> Require Success of Action ID 1234
> If Failure send alert and stop
> 
> 
> 
> 2) The actions and the sequencing / logic are separate from one another.  In this model you could have a small library of commands and then processing instructions in another part of the JSON.
> 
> Action ID: 1234
> Remove Registry Key
> 
> Action ID: 5678
> Delete File
> 
> Action ID: 9876
> Email Change Control
> 
> Action Logic
> 	First do 1234
> 	Second do 5678 but only if 1234 is successful
> 	Third do 9876 but only if 5678 is successful
> 	etc.
> 
> 
> This is not meant to say we are doing one of these two methods, but rather, this is meant to be a way to start the discussion.
> 
> Bret
> 




Attachment: signature.asc
Description: Message signed with OpenPGP
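The two designs discussed in this thread, as an added example that is not code from the thread, from CACAO, or from either author: a playbook in the "actions separate from logic" shape of Bret's option 2, executed with Frans's procedure-like actions that either return or raise, plus a human-readable rendering of the logic. The playbook contents, the action names and the stub action bodies are constructed stand-ins.

```python
from functools import partial
PLAYBOOK = {  # constructed: an action library plus separate processing logic
    "actions": {
        "1234": {"name": "remove_registry_key", "args": {"key": "HKCU\\Example"}},
        "5678": {"name": "delete_file", "args": {"path": "C:\\temp\\x.bin"}},
        "9876": {"name": "email_change_control", "args": {"to": "cc@example.org"}},
    },
    "logic": [
        {"do": "1234", "on_failure": "alert_and_stop"},
        {"do": "5678", "requires_success": ["1234"], "on_failure": "alert_and_stop"},
        {"do": "9876", "requires_success": ["5678"], "on_failure": "alert_and_stop"},
    ],
}

def stub_library(failing=()):  # constructed stand-ins: succeed unless named in `failing`
    def act(name, **kw):
        if name in failing:
            raise RuntimeError(f"{name} refused {kw}")
    return {a["name"]: partial(act, a["name"]) for a in PLAYBOOK["actions"].values()}

def pretty_print(playbook):
    """One human-readable line per logic step (the readability point above)."""
    out = []
    for n, step in enumerate(playbook["logic"], 1):
        act = playbook["actions"][step["do"]]
        args = ", ".join(f"{k}={v!r}" for k, v in act["args"].items())
        needs = step.get("requires_success", [])
        out.append(f"{n}. {act['name']}({args})"
                   + (f" only if {', '.join(needs)} succeeded" if needs else "")
                   + ("; on failure: alert and stop" if step.get("on_failure") == "alert_and_stop" else ""))
    return out

def run_playbook(playbook, library):
    """Run the logic in order; an action returns on success or raises on failure."""
    ok, trace = set(), []
    for step in playbook["logic"]:
        aid, act = step["do"], playbook["actions"][step["do"]]
        unmet = [d for d in step.get("requires_success", []) if d not in ok]
        if unmet:  # a required action did not succeed: this one is not attempted
            trace.append((aid, "skipped", f"requires {unmet}"))
            continue
        try:
            library[act["name"]](**act["args"])
            ok.add(aid)
            trace.append((aid, "ok", ""))
        except Exception as exc:  # failure surfaces as an exception (try/except block)
            trace.append((aid, "failed", str(exc)))
            if step.get("on_failure") == "alert_and_stop":
                trace.append((aid, "alert", f"{act['name']} failed: {exc}"))
                return "stopped", trace
    return "completed", trace
```

Calling `run_playbook(PLAYBOOK, stub_library(failing=("delete_file",)))` runs 1234, records the 5678 failure and alert, and stops before 9876; with no failing actions all three steps complete in order.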


