OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cacao message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cacao] Playbook Types

I support this proposal. To several people’s point on default – I agree with the proposal that ‘is_executable’ default to false.

 

Getting into the subjective ‘which will occur more’ is both futurecasting as well as perspective. I do agree that, for the use cases I foresee, templates are the most likely playbook to be shared across org boundaries and between systems. But I think ‘false’ should be the default even if people think ‘executable’ playbooks are the more common case.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: cacao@lists.oasis-open.org <cacao@lists.oasis-open.org> on behalf of Bret Jordan <jordan.oasisopen@gmail.com>
Date: Wednesday, November 2, 2022 at 4:16 PM
To: Mateusz Zych <mateusdz@ifi.uio.no>
Cc: cacao@lists.oasis-open.org <cacao@lists.oasis-open.org>
Subject: Re: [cacao] Playbook Types

I support this proposal too. I think the majority will honestly be templates. So something like is_executable is probably correct and a default of false is probably good. 

 

Bret

 

 

On Wed, Nov 2, 2022 at 2:29 PM Mateusz Zych <mateusdz@ifi.uio.no> wrote:

Hi All, 

 

I agree and support this proposal. 

 

Best, 

Mateusz Zych



On 2 Nov 2022, at 16:52, aa tt <atcyber1000@gmail.com> wrote:

 

Rich et al - I’m supportive of this change provided the proposed text to explain the template concept vs executable is updated to describe the use of this new property.

 

I assume this property would be required (?) and therefore we should decide what the default value (false) would indicate. I suggest that the default value should be the likely majority playbook class/category. 

 

So if most playbooks will be templates then is_executable would be a good name and default to false.

 

If most playbooks would be executable then is_template might be better to name the property and that way the default value of false would work nicely.

 

Allan

 



On Nov 2, 2022, at 6:47 AM, Rich Piazza <rpiazza@mitre.org> wrote:

 

Hi All,

 

On the working call yesterday there was a discussion about section 1.3 of the CACAO working document.  Some of the important points:

 

  • The difference between an executable playbook and a playbook template is mostly subjective.  There are suggestions to the text to help clarify this.
  • There is no difference between an executable playbook and a playbook template in terms of their properties
  • The term paybook class is confusing, since it is specified using the type property of a playbook.

 

A suggested proposal is to remove the concept of playbook classes, and replace it by a new Boolean property, maybe called “is_executable”, to differentiate between executable playbooks and playbook templates.

 

                Rich

 

 

--

Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation

781-271-3760

––––––––––––––––––––––––––––––––––––

MITRE - Solving Problems for a Safer World™

 

 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]