The idea is to have playbooks that can contact/notify (or alert) one or more entities about a particular situation (proactive/ongoing/reactive) and share relevant information in different forms, such as structured threat information (STIX feeds), threat reports, information about an early-stage ongoing adversarial operation, and notes, and also to disseminate actionable/executable playbooks for, for example, detection and remediation.
We need a new playbook type, as the proposed functionality cannot be reflected within any of the available playbook types. Maybe call them notification playbooks.
The information is included by using the external_references property within the workflow steps. The URL of an external reference may direct the consumer (the target of the workflow step) to secure infrastructure for accessing all the relevant information or the playbooks. The external_id field identifies the note, STIX bundle, or CACAO playbook that the issued notification refers to.
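As an added illustration of the proposal (not code from the original post or from the CACAO project), the block below sketches what a notification playbook could look like and how a consumer might process it. The JSON shape (playbook, workflow steps, external-reference objects with name/source/url/external_id) follows CACAO 1.x; the "notification" value in playbook_types is the proposal's suggestion, and every identifier, URL and artifact id is a constructed sample value. The helper functions are hypothetical: they collect the referenced artifacts per step, bucket them by their STIX/CACAO type prefix, and flag any reference URL that is not served over HTTPS, since the proposal expects the URL to point at secure infrastructure.

```python
"""Constructed example of a CACAO-style notification playbook and
consumer-side checks on its external_references (illustration only)."""
from urllib.parse import urlparse

# Constructed sample playbook. All ids/URLs are made up for illustration.
NOTIFICATION_PLAYBOOK = {
    "type": "playbook",
    "spec_version": "1.1",
    "id": "playbook--11111111-1111-4111-8111-111111111111",
    "name": "Notify sharing-group members of an ongoing campaign",
    "playbook_types": ["notification"],  # proposed new playbook type
    "created_by": "identity--22222222-2222-4222-8222-222222222222",
    "created": "2021-01-01T00:00:00.000Z",
    "modified": "2021-01-01T00:00:00.000Z",
    "workflow_start": "step--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
    "workflow": {
        "step--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa": {
            "type": "start",
            "on_completion": "step--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
        },
        "step--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb": {
            "type": "single",
            "name": "Alert members and point them at the shared artifacts",
            "on_completion": "step--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
            "commands": [{"type": "manual",
                          "command": "Review the referenced artifacts."}],
            # The proposal's mechanism: references carried on the step.
            "external_references": [
                {
                    "name": "STIX bundle describing the campaign",
                    "source": "Example sharing community (constructed)",
                    "url": "https://taxii.example.org/collections/alerts/",
                    "external_id": "bundle--33333333-3333-4333-8333-333333333333",
                },
                {
                    "name": "Detection playbook for the campaign",
                    "url": "https://playbooks.example.org/fetch",
                    "external_id": "playbook--44444444-4444-4444-8444-444444444444",
                },
                {
                    # Deliberately plain-HTTP so the check below has something to flag.
                    "name": "Analyst note",
                    "url": "http://notes.example.org/n/1",
                    "external_id": "note--55555555-5555-4555-8555-555555555555",
                },
            ],
        },
        "step--cccccccc-cccc-4ccc-8ccc-cccccccccccc": {"type": "end"},
    },
}


def collect_notification_references(playbook):
    """Walk every workflow step and return one record per external reference."""
    records = []
    for step_id, step in playbook["workflow"].items():
        for ref in step.get("external_references", []):
            records.append({
                "step": step_id,
                "name": ref["name"],
                "url": ref.get("url"),
                "external_id": ref.get("external_id"),
            })
    return records


def group_by_artifact_type(playbook):
    """Bucket external_ids by their type prefix (e.g. 'bundle', 'playbook', 'note')."""
    buckets = {}
    for rec in collect_notification_references(playbook):
        if rec["external_id"] and "--" in rec["external_id"]:
            kind = rec["external_id"].split("--", 1)[0]
            buckets.setdefault(kind, []).append(rec["external_id"])
    return buckets


def insecure_reference_urls(playbook):
    """Return reference URLs not served over HTTPS; a consumer should not follow them."""
    return [rec["url"] for rec in collect_notification_references(playbook)
            if rec["url"] and urlparse(rec["url"]).scheme.lower() != "https"]


if __name__ == "__main__":
    for rec in collect_notification_references(NOTIFICATION_PLAYBOOK):
        print(rec["step"], "->", rec["external_id"], rec["url"])
    print("by type:", group_by_artifact_type(NOTIFICATION_PLAYBOOK))
    print("insecure:", insecure_reference_urls(NOTIFICATION_PLAYBOOK))
```

A consumer would resolve each external_id against the artifacts fetched from the referenced URL, and treat anything returned by insecure_reference_urls as a reason to reject or quarantine the notification rather than follow the link.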