forked from atc-project/atomic-threat-coverage
25 lines (25 loc) · 1.07 KB
respose_action.yml.template
```yaml
title: RA_0000_some_name_here
stage: identification                                # containment / eradication / recovery / lessons_learned
automation:
  - thehive
  - demisto
  - phantom
  - etc
author: Name Surname
creation_date: DD.MM.YYYY
references:
  - https://example.com
description: >
  (Aggregated) Response Action for blocking threats on Network Level.
linked_ra:                                           # could be empty in case of single Response Action
  - RA_0006_containment_block_domain_on_email        # Response Actions could be aggregated
  - RA_0009_containment_block_url_on_proxy           # and contain links to multiple Response Actions
  - RA_0007_containment_block_ip_on_border_firewall
  - RA_0008_containment_block_domain_on_dns
  - RA_0009_containment_block_url_on_proxy
linked_analytics:
  - MS_something                                     # link to mitigation systems needed for Response Action
  - DN_something                                     # link to Data Needed needed for Response Action
workflow: |
  Description of how to handle multiple Response Actions (if it is an aggregated Response Action) or workflow for single Response Action in markdown format.
  Here newlines will be saved.
```
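The template above is only useful if the files written from it stay consistent: a stage outside the five listed, a `linked_ra` entry that is not an `RA_` identifier, or a `linked_analytics` entry that is not an `MS_`/`DN_` reference will silently break the generated playbook. The following is an added example, not part of the atomic-threat-coverage project, showing a small lint step for such files. It embeds a constructed Response Action in the template's layout and uses a deliberately minimal loader for this flat subset of YAML (one top-level mapping, lists of scalars, `>`/`|` block scalars); a real pipeline would use PyYAML instead, and the field rules (`RA_NNNN_` titles, `DD.MM.YYYY` dates, `MS_`/`DN_` prefixes) are this example's own assumptions drawn from the template's comments.

```python
"""Lint a Response Action file written from respose_action.yml.template."""
import re

# Constructed sample in the template's layout (not a real project file).
SAMPLE = """\
title: RA_0012_containment_block_threat_on_network
stage: containment                                  # one of the five lifecycle stages
automation:
  - thehive
author: Name Surname
creation_date: 01.02.2024
references:
  - https://example.com
description: >
  (Aggregated) Response Action for blocking threats on Network Level.
linked_ra:                                          # aggregated RA: links to single RAs
  - RA_0007_containment_block_ip_on_border_firewall
  - RA_0008_containment_block_domain_on_dns
linked_analytics:
  - MS_something
  - DN_something
workflow: |
  1. Run RA_0007.
  2. Run RA_0008.
"""

STAGES = {"identification", "containment", "eradication", "recovery", "lessons_learned"}
RA_ID = re.compile(r"^RA_\d{4}_[a-z0-9_]+$")      # assumed id convention from the template
DATE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")        # DD.MM.YYYY as the template says
REQUIRED = ["title", "stage", "author", "creation_date", "description", "workflow"]


def _strip_comment(line):
    """Drop a trailing '  # comment'; a '#' glued to text (URL fragment) is kept."""
    return re.split(r"\s+#", line, maxsplit=1)[0].rstrip()


def load_ra(text):
    """Minimal reader for the template's flat YAML subset (assumption: no nesting)."""
    doc, blocks, key, mode = {}, {}, None, None   # mode: None | "list" | ">" | "|"
    for raw in text.splitlines():
        if mode in (">", "|") and raw.startswith("  "):
            doc[key].append(raw[2:])              # block scalar lines are kept verbatim
            continue
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if mode == "list" and line.lstrip().startswith("- "):
            doc[key].append(line.strip()[2:])
            continue
        m = re.match(r"^([A-Za-z_]+):\s*(.*)$", line)
        if not m:
            raise ValueError("unparsable line: %r" % raw)
        key, val = m.group(1), m.group(2)
        if val in (">", "|"):                      # block scalar follows
            mode, blocks[key], doc[key] = val, val, []
        elif val == "":                            # list follows (possibly empty)
            mode, doc[key] = "list", []
        else:
            mode, doc[key] = None, val
    for k, style in blocks.items():                # '>' folds lines, '|' keeps newlines
        doc[k] = (" ".join(doc[k]) if style == ">" else "\n".join(doc[k])) + "\n"
    return doc


def validate_ra(doc):
    """Return a list of human-readable problems; an empty list means the file passes."""
    problems = []
    for k in REQUIRED:
        if not str(doc.get(k, "")).strip():
            problems.append("missing required field: %s" % k)
    title = doc.get("title", "")
    if not RA_ID.match(title):
        problems.append("title must look like RA_0000_some_name: %r" % title)
    if doc.get("stage") not in STAGES:
        problems.append("stage must be one of %s" % sorted(STAGES))
    if not DATE.match(doc.get("creation_date", "")):
        problems.append("creation_date must be DD.MM.YYYY")
    seen = set()
    for ra in doc.get("linked_ra", []):             # empty is fine for a single RA
        if not RA_ID.match(ra):
            problems.append("linked_ra entry is not an RA id: %s" % ra)
        if ra == title:
            problems.append("aggregated RA links to itself: %s" % ra)
        if ra in seen:
            problems.append("duplicate linked_ra entry: %s" % ra)
        seen.add(ra)
    for item in doc.get("linked_analytics", []):
        if not item.startswith(("MS_", "DN_")):
            problems.append("linked_analytics must reference MS_ or DN_ entities: %s" % item)
    for ref in doc.get("references", []):
        if not ref.startswith(("http://", "https://")):
            problems.append("reference is not a URL: %s" % ref)
    return problems


if __name__ == "__main__":
    for p in validate_ra(load_ra(SAMPLE)) or ["OK"]:
        print(p)
```

Running the lint in CI over every `RA_*.yml` before the playbooks are rendered catches the errors the template's comments warn about (wrong stage, dangling or self-referencing `linked_ra`, analytics links that point nowhere) at commit time rather than during an incident.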