twigs / core data model / course-of-action

Defensive actions taken in response to threats

Fields

| Name | Type | Description |
| --- | --- | --- |
| type | ["course-of-action"] | Hardcoded value to indicate what type of construct this is |
| id | string | Globally unique identifier for this construct. |
| revision | integer | The revision number of this construct. MUST be omitted if this is the first version, otherwise required. |
| created_at | string | Time at which this construct was created. |
| external_ids | array <object> | A list of external identifiers by which this construct may be known. |
| external_ids.source | string | The source of this ID, i.e. name of an external system. |
| external_ids.id | string | ID itself |
| external_ids.link | string | A link to this construct in the external system |
| producer_ref | string | ID to the information source that produced this content |
| marking_refs | array <string> | The set of markings to be applied to this construct |
| structured_markings | array <structured-marking> | The set of L2 markings to be applied to this construct |
| structured_markings.controlled_structures | array <string> | A list of JSONPath statements, rooted at the top-level object that the structured_markings key is contained in, that the marking_refs apply to. |
| structured_markings.marking_refs | array <string> | The set of markings applied to the fields selected by the controlled_structures. |
| title | string | A title for this construct |
| description | string | A description for this construct |
| stage | ["Remedy", "Response"] | Whether this course of action is a preemptive remedy or a response action. |
| kind | ["Perimeter Blocking", "Internal Blocking", "Redirection", "Redirection (Honey Pot)", "Hardening", "Patching", "Eradication", "Rebuilding", "Training", "Monitoring", "Physical Access Restrictions", "Logical Access Restrictions", "Public Disclosure", "Diplomatic Actions", "Policy Actions", "Other"] | The type of course of action this describes, such as a policy change, monitoring, or redirection. |
| objective | object | |
| objective.description | string | A textual description for this COA objective |
| objective.applicability_confidence | integer | The likelihood that carrying out the COA will achieve this objective, using the Admiralty scale |
| structured_coa | object | A structured representation for how this course of action can be achieved. For example, a Snort blocking rule. |
| impact | object | The impact that implementing this COA would have on system operations |
| impact.value | ["high", "medium", "low"] | A value from the enumeration for this statement |
| impact.extended_value | object | |
| impact.description | string | A textual description of this statement |
| impact.credibility | integer | The credibility of this statement, using the Admiralty scale |
| cost | object | The cost of implementing this COA (monetary, operational, or other) |
| cost.value | ["high", "medium", "low"] | A value from the enumeration for this statement |
| cost.extended_value | object | |
| cost.description | string | A textual description of this statement |
| cost.credibility | integer | The credibility of this statement, using the Admiralty scale |
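
The following is an added example, not code from the twigs project: a minimal Python check that a received course-of-action object respects the enumerations and integer types listed in the field table before it is stored or acted on. It assumes that `id` is always present, that the sub-fields listed after `objective`, `impact` and `cost` are nested inside those objects, and the names `validate_coa`, `GOOD` and `BAD` are hypothetical, with both sample objects constructed for illustration.

```python
STAGES = ("Remedy", "Response")
KINDS = ("Perimeter Blocking", "Internal Blocking", "Redirection", "Redirection (Honey Pot)",
         "Hardening", "Patching", "Eradication", "Rebuilding", "Training", "Monitoring",
         "Physical Access Restrictions", "Logical Access Restrictions", "Public Disclosure",
         "Diplomatic Actions", "Policy Actions", "Other")
LEVELS = ("high", "medium", "low")

def _is_int(value):
    # bool is a subclass of int in Python; the table asks for real integers.
    return isinstance(value, int) and not isinstance(value, bool)

def _child(obj, key, errors):
    """Fetch an optional nested object, recording an error if it is not one."""
    value = obj.get(key, {})
    if not isinstance(value, dict):
        errors.append(f"{key} must be an object")
        return {}
    return value

def validate_coa(obj):
    """Return a list of problems; an empty list means no check failed."""
    if not isinstance(obj, dict):
        return ["construct must be a JSON object"]
    errors = []
    if obj.get("type") != "course-of-action":
        errors.append("type must be 'course-of-action'")
    if not isinstance(obj.get("id"), str):  # assumption: id is always present
        errors.append("id must be a string")
    if "revision" in obj and not _is_int(obj["revision"]):
        errors.append("revision must be an integer")
    for field, allowed in (("stage", STAGES), ("kind", KINDS)):
        if field in obj and obj[field] not in allowed:  # enum values are case-sensitive
            errors.append(f"{field} is not in the enumeration: {obj[field]!r}")
    for name in ("objective", "impact", "cost"):
        stmt = _child(obj, name, errors)
        if name != "objective" and "value" in stmt and stmt["value"] not in LEVELS:
            errors.append(f"{name}.value is not in the enumeration: {stmt['value']!r}")
        score = "applicability_confidence" if name == "objective" else "credibility"
        if not _is_int(stmt.get(score, 0)):  # Admiralty-scale fields are integers
            errors.append(f"{name}.{score} must be an integer")
    return errors

# Constructed samples for illustration (not the project's simple.json).
GOOD = {"type": "course-of-action", "id": "coa-example-1", "title": "Block C2 at the proxy",
        "stage": "Response", "kind": "Perimeter Blocking",
        "objective": {"description": "Cut outbound C2", "applicability_confidence": 2},
        "impact": {"value": "low", "credibility": 2}, "cost": {"value": "medium"}}
BAD = {"type": "course-of-action", "id": "coa-example-2", "stage": "response",
       "kind": "Firewalling", "revision": True, "impact": {"value": "severe"}}
```

`validate_coa(GOOD)` returns an empty list, while `validate_coa(BAD)` reports the non-integer revision, the wrongly cased stage, the unknown kind and the out-of-enumeration impact value.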

Relationships

| Relationship Name | Target Type |
| --- | --- |
| related | course-of-action |
| duplicate-of | course-of-action |

Samples

simple.json