-
-
Notifications
You must be signed in to change notification settings - Fork 117
/
respose_playbook.yml.template
35 lines (35 loc) · 1.68 KB
/
respose_playbook.yml.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
title: RP_0000_some_name_here
id: RP0000
description: >
Some text description here. It will be merged into one line
author: your name/nickname/twitter
creation_date: YYYY/MM/DD
severity: M # L M H
tlp: AMBER # WHITE GREEN AMBER RED
pap: WHITE # WHITE GREEN AMBER RED
tags:
- attack.initial_access # use the next tag scheeme for ATT&CK tags: https://github.com/Neo23x0/sigma/wiki/Tags
- amitt.strategic_planning # use the next tag scheeme for AMITT tags: https://github.com/atc-project/atc-react/blob/master/scripts/amitt_mapping.py
- attack.t1193 # use the next tag scheeme for ATT&CK tags: https://github.com/Neo23x0/sigma/wiki/Tags
- phishinng # could be custom tags as well
linked_rp:
- RA_0000_something # related RP that you would like to keep as linked and mention in the workflow
references:
- https://example.com
preparation:
- RA_0000_something
identification:
- RA_0001_get_original_email # links to atomic Response Actions
containment:
- RA_0006_block_domain_on_email # Response Actions could be aggregated
- RA_0009_block_url_on_proxy # and contain links to multiple Response Actions
eradication:
- RA_0010_delete_malicious_emails
recovery:
- RA_0029_reinstall_host_from_golden_image
lessons_learned:
- RA_0013_develop_incident_report
workflow: |
Description of the workflow in the [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) format.
You can put here anything you want, i.e. specific conditions/requirements or details on the order of Response Actions execution.
Here newlines will be saved.