Identification
ID: RS0002
Gather information about a threat that has triggered a security incident, its TTPs, and affected assets.
Response Actions
ID | Name | Description |
---|---|---|
RA2001 | List victims of security alert | List victims of a security alert |
RA2002 | List host vulnerabilities | Get information about a specific host's existing vulnerabilities, or about the vulnerabilities it had at a particular time in the past |
RA2003 | Put compromised accounts on monitoring | Put (potentially) compromised accounts on monitoring |
RA2101 | List hosts communicated with internal domain | List hosts that communicated with an internal domain |
RA2102 | List hosts communicated with internal IP | List hosts that communicated with an internal IP address |
RA2103 | List hosts communicated with internal URL | List hosts that communicated with an internal URL |
RA2104 | Analyse domain name | Analyse a domain name |
RA2105 | Analyse IP | Analyse an IP address |
RA2106 | Analyse URI | Analyse a URI |
RA2107 | List hosts communicated by port | List hosts communicating via a specific port at the moment or at a particular time in the past |
RA2108 | List hosts connected to VPN | List hosts connected to a VPN at the moment or at a particular time in the past |
RA2109 | List hosts connected to intranet | List hosts connected to the internal network at the moment or at a particular time in the past |
RA2110 | List data transferred | List the data that is being transferred at the moment or at a particular time in the past |
RA2111 | Collect transferred data | Collect the data that is being transferred at the moment or at a particular time in the past |
RA2112 | Identify transferred data | Identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value) |
RA2113 | List hosts communicated with external domain | List hosts that communicated with an external domain |
RA2114 | List hosts communicated with external IP | List hosts that communicated with an external IP address |
RA2115 | List hosts communicated with external URL | List hosts that communicated with an external URL |
RA2116 | Find data transferred by content pattern | Find the data that is being transferred at the moment or at a particular time in the past by its content pattern (i.e. a specific string, keyword, binary pattern, etc.) |
RA2117 | Analyse user-agent | Analyse a User-Agent request header for indications of suspicious activity |
RA2118 | List Firewall rules | List firewall rules |
RA2201 | List users opened email message | List users that have opened an email message |
RA2202 | Collect email message | Collect an email message |
RA2203 | List email message receivers | List receivers of a particular email message |
RA2204 | Make sure email message is phishing | Confirm that an email message is a phishing attack |
RA2205 | Extract observables from email message | Extract observables from an email message |
RA2206 | Analyse email address | Analyse an email address |
RA2301 | List files created | List files that have been created at a particular time in the past |
RA2302 | List files modified | List files that have been modified at a particular time in the past |
RA2303 | List files deleted | List files that have been deleted at a particular time in the past |
RA2304 | List files downloaded | List files that have been downloaded at a particular time in the past |
RA2305 | List files with tampered timestamps | List files with tampered timestamps |
RA2306 | Find file by path | Find a file by its path (including its name) |
RA2307 | Find file by metadata | Find a file by its metadata (i.e. signature, permissions, MAC times) |
RA2308 | Find file by hash | Find a file by its hash |
RA2309 | Find file by format | Find a file by its format |
RA2310 | Find file by content pattern | Find a file by its content pattern (i.e. a specific string, keyword, binary pattern, etc.) |
RA2311 | Collect file | Collect a specific file from a (remote) host or a system |
RA2312 | Analyse file hash | Analyse a hash of a file |
RA2313 | Analyse Windows PE | Analyse an MS Windows Portable Executable |
RA2314 | Analyse macOS Mach-O | Analyse a macOS Mach-O file |
RA2315 | Analyse Unix ELF | Analyse a Unix ELF file |
RA2316 | Analyse MS Office file | Analyse an MS Office file |
RA2317 | Analyse PDF file | Analyse a PDF file |
RA2318 | Analyse script | Analyse a script file (i.e. Python, PowerShell, Bash scripts, etc.) |
RA2319 | Analyse jar | Analyse a JAR file |
RA2320 | Analyse filename | Analyse a filename |
RA2401 | List processes executed | List processes being executed at the moment or at a particular time in the past |
RA2402 | Find process by executable path | Find a process that is being executed at the moment or at a particular time in the past by its executable path (including its name) |
RA2403 | Find process by executable metadata | Find a process that is being executed at the moment or at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times) |
RA2404 | Find process by executable hash | Find a process that is being executed at the moment or at a particular time in the past by its executable hash |
RA2405 | Find process by executable format | Find a process that is being executed at the moment or at a particular time in the past by its executable format |
RA2406 | Find process by executable content pattern | Find a process that is being executed at the moment or at a particular time in the past by its executable content (i.e. a specific string, keyword, binary pattern, etc.) |
RA2501 | List registry keys modified | List registry keys that have been modified at a particular time in the past |
RA2502 | List registry keys deleted | List registry keys that have been deleted at a particular time in the past |
RA2503 | List registry keys accessed | List registry keys that have been accessed at a particular time in the past |
RA2504 | List registry keys created | List registry keys that have been created at a particular time in the past |
RA2505 | List services created | List services that have been created at a particular time in the past |
RA2506 | List services modified | List services that have been modified at a particular time in the past |
RA2507 | List services deleted | List services that have been deleted at a particular time in the past |
RA2508 | Analyse registry key | Analyse a registry key |
RA2601 | List users authenticated | List users authenticated at a particular time in the past on a particular system |
RA2602 | List user accounts | List user accounts on a particular system |