Merge pull request #272 from DCSO/courseofaction-nodiscover

Add 'course-of-action:passive=nodiscover'
MISP · Feb 7, 2024 · 6b593ea · 6b593ea
2 parents 3d61b20 + 41e8bdc
commit 6b593ea
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/course-of-action/machinetag.json b/course-of-action/machinetag.json
@@ -2,7 +2,7 @@
   "namespace": "course-of-action",
   "expanded": "Courses of Action",
   "description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
-  "version": 2,
+  "version": 3,
   "predicates": [
     {
       "value": "passive",
@@ -21,6 +21,10 @@
           "value": "discover",
           "expanded": "The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past."
         },
+        {
+          "value": "nodiscover",
+          "expanded": "The no-discover action is a negation of discover in case you want to explicit prohibit 'historical look at the data'. The goal is to exclude a specific indicator from searches of historical data."
+        },
         {
           "value": "detect",
           "expanded": "The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered."