Subject: Re: [cacao] RE: [EXT] [cacao] Playbook Functionalities


So Question 1: Do we like combining these two properties together at the playbook level? Dez said she likes it. What about others?
- To be clear, I am not sure we would do this at the command level, but I would be open to ideas there.

Question 2: what about a name for that property? The three we have are:

playbook_activities (proposed by Allan in his document)
playbook_attributes
playbook_characteristics

If we do not combine them at the command level, we would still need a property name for it there.

Bret



On Sat, Nov 19, 2022 at 4:01 PM aa tt <atcyber1000@gmail.com> wrote:
I had a proposal for a name in the metadata doc that was getting added.

Allan

On Nov 19, 2022, at 2:59 PM, Dr. Desiree A Beck <dbeck@mitre.org> wrote:

Bret,

I think this looks great. I think a dictionary works well and that it's a good idea to tie together functionalities and types.

I agree that we might want to change the property name; I like "playbook_characteristics" or maybe "playbook_attributes."

Dez

From: cacao@lists.oasis-open.org <cacao@lists.oasis-open.org> On Behalf Of Bret Jordan
Sent: Saturday, November 19, 2022 10:22 AM
To: cacao@lists.oasis-open.org
Subject: [EXT] [cacao] Playbook Functionalities

All,

Based on the proposal from Marlon, which several people have supported, we have the following:

playbook_types is optional with a normative SHOULD use

playbook_functionalities is optional with a normative SHOULD use & a normative MUST use if playbook_types is used.

This gives us potential of having something like:

{
  "type": "playbook",
  "spec_version": "cacao-1.1",
  "id": "playbook--91220064-3c6f-4b58-99e9-196e64f9bde7",
  "name": "Find Malware FuzzyPanda",
  "description": "This playbook will look for FuzzyPanda on the network and in a SIEM",
  "playbook_types": ["investigation", "detection"],
  "playbook_functionalities": ["analyze-collected-data", "identify-indicators", "scan-system"],
  ....
}

I am wondering if playbook_types and playbook_functionalities should be combined to something like:

{
  "type": "playbook",
  "spec_version": "cacao-1.1",
  "id": "playbook--91220064-3c6f-4b58-99e9-196e64f9bde7",
  "name": "Find Malware FuzzyPanda",
  "description": "This playbook will look for FuzzyPanda on the network and in a SIEM",
  "playbook_types": {
    "investigation": ["analyze-collected-data", "identify-indicators"],
    "detection": ["scan-system"]
  },
  ....
}

I basically changed playbook_types from a list to a dictionary. Would something like this help?

And if we do not like the playbook_types name with the combined data it could be changed to something else. Maybe characteristics or something. Dez, Rich, Marlon? Do we want to try and tie the functionalities to the type being used?

Bret
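As an added example, not part of the thread or of the CACAO specification, the following Python checks the two shapes discussed above: the flat form with the rule Bret quotes (playbook_functionalities MUST be present when playbook_types is present), the combined dictionary form, and the rewrite from one to the other. The functionality-to-type mapping is assumed, since the flat form does not carry that link.

```python
# Added example (not from the CACAO thread or the CACAO spec): property names and
# sample values come from the e-mail; function names, FUNCTIONALITY_TO_TYPE and the
# error strings are this example's own.
# Constructed playbook in the flat form (two separate lists), trimmed.
FLAT_PLAYBOOK = {
    "type": "playbook",
    "spec_version": "cacao-1.1",
    "id": "playbook--91220064-3c6f-4b58-99e9-196e64f9bde7",
    "name": "Find Malware FuzzyPanda",
    "playbook_types": ["investigation", "detection"],
    "playbook_functionalities": ["analyze-collected-data", "identify-indicators", "scan-system"],
}

# Assumed link between functionality and type; the flat form does not carry it,
# which is the gap the dictionary form in the thread is meant to close.
FUNCTIONALITY_TO_TYPE = {
    "analyze-collected-data": "investigation",
    "identify-indicators": "investigation",
    "scan-system": "detection",
}

def check_flat_form(pb):
    """Problems with the flat form: playbook_functionalities is optional (SHOULD)
    but MUST be present when playbook_types is present; both are lists of strings."""
    problems = []
    types, funcs = pb.get("playbook_types"), pb.get("playbook_functionalities")
    if types is not None and funcs is None:
        problems.append("playbook_types present but playbook_functionalities missing (MUST)")
    for name, value in (("playbook_types", types), ("playbook_functionalities", funcs)):
        if value is not None and not (isinstance(value, list) and all(isinstance(x, str) for x in value)):
            problems.append(f"{name} must be a list of strings")
    return problems

def check_combined_form(pb, key="playbook_types"):
    """Problems with the combined form: a dict of type -> non-empty list of strings."""
    combined = pb.get(key)
    if combined is None:
        return []
    if not isinstance(combined, dict):
        return [f"{key} must be a dictionary in the combined form"]
    return [f"{key}[{t!r}] must be a non-empty list of functionality strings"
            for t, f in combined.items()
            if not (isinstance(f, list) and f and all(isinstance(x, str) for x in f))]

def combine(pb, mapping, key="playbook_types"):
    """Rewrite a flat-form playbook into the combined form using `mapping`."""
    out = {k: v for k, v in pb.items() if k not in ("playbook_types", "playbook_functionalities")}
    out[key] = {t: [f for f in pb["playbook_functionalities"] if mapping.get(f) == t]
                for t in pb["playbook_types"]}
    return out
```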


