Identification

ID: RS0002

Gather information about a threat that has triggered a security incident, its TTPs, and affected assets.

Response Actions

ID Name Description
RA2001 List victims of security alert List victims of a security alert
RA2002 List host vulnerabilities Get information about a specific host existing vulnerabilities, or about vulnerabilities it had at a particular time in the past
RA2003 Put compromised accounts on monitoring Put (potentially) compromised accounts on monitoring
RA2101 List hosts communicated with internal domain List hosts communicated with an internal domain
RA2102 List hosts communicated with internal IP List hosts communicated with an internal IP address
RA2103 List hosts communicated with internal URL List hosts communicated with an internal URL
RA2104 Analyse domain name Analyse a domain name
RA2105 Analyse IP Analyse an IP address
RA2106 Analyse uri Analyse an URI
RA2107 List hosts communicated by port List hosts communicating by a specific port at the moment or at a particular time in the past
RA2108 List hosts connected to VPN List hosts connected to a VPN at the moment or at a particular time in the past
RA2109 List hosts connected to intranet List hosts connected to the internal network at the moment or at a particular time in the past
RA2110 List data transferred List the data that is being transferred at the moment or at a particular time in the past
RA2111 Collect transferred data Collect the data that is being transferred at the moment or at a particular time in the past
RA2112 Identify transferred data Identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value)
RA2113 List hosts communicated with external domain List hosts communicated with an external domain
RA2114 List hosts communicated with external IP List hosts communicated with an external IP address
RA2115 List hosts communicated with external URL List hosts communicated with an external URL
RA2116 Find data transferred by content pattern Find the data that is being transferred at the moment or at a particular time in the past by its content pattern (i.e. specific string, keyword, binary pattern etc)
RA2117 Analyse user-agent Analyse an User-Agent request header for indications of suspicious activity
RA2118 List Firewall rules List firewall rules
RA2201 List users opened email message List users that have opened am email message
RA2202 Collect email message Collect an email message
RA2203 List email message receivers List receivers of a particular email message
RA2204 Make sure email message is phishing Make sure that an email message is a phishing attack
RA2205 Extract observables from email message Extract observables from an email message
RA2206 Analyse email address Analyse an email address
RA2301 List files created List files that have been created at a particular time in the past
RA2302 List files modified List files that have been modified at a particular time in the past
RA2303 List files deleted List files that have been deleted at a particular time in the past
RA2304 List files downloaded List files that have been downloaded at a particular time in the past
RA2305 List files with tampered timestamps List files with tampered timestamps
RA2306 Find file by path Find a file by its path (including its name)
RA2307 Find file by metadata Find a file by its metadata (i.e. signature, permissions, MAC times)
RA2308 Find file by hash Find a file by its hash
RA2309 Find file by format Find a file by its format
RA2310 Find file by content pattern Find a file by its content pattern (i.e. specific string, keyword, binary pattern etc)
RA2311 Collect file Collect a specific file from a (remote) host or a system
RA2312 Analyse file hash Analise a hash of a file
RA2313 Analyse Windows PE Analise MS Windows Portable Executable
RA2314 Analyse macos macho Analise macOS Mach-O
RA2315 Analyse Unix ELF Analise Unix ELF
RA2316 Analyse MS office file Analise MS Office file
RA2317 Analyse PDF file Analise PDF file
RA2318 Analyse script Analyse a script file (i.e. Python, PowerShell, Bash scripts etc)
RA2319 Analyse jar Analyse a JAR file
RA2320 Analyse filename Analyse a filename
RA2401 List processes executed List processes being executed at the moment or at a particular time in the past
RA2402 Find process by executable path Find a process that is being executed at the moment or at a particular time in the past by its executable path (including its name)
RA2403 Find process by executable metadata Find a process that is being executed at the moment or at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times)
RA2404 Find process by executable hash Find a process that is being executed at the moment or at a particular time in the past by its executable hash
RA2405 Find process by executable format Find a process that is being executed at the moment or at a particular time in the past by its executable format
RA2406 Find process by executable content pattern Find a process that is being executed at the moment or at a particular time in the past by its executable content (i.e. specific string, keyword, binary pattern etc)
RA2501 List registry keys modified List registry keys modified at a particular time in the past
RA2502 List registry keys deleted List registry keys that have been deleted at a particular time in the past
RA2503 List registry keys accessed List registry keys that have been accessed at a particular time in the past
RA2504 List registry keys created List registry keys that have been created at a particular time in the past
RA2505 List services created List services that have been created at a particular time in the past
RA2506 List services modified List services that have been modified at a particular time in the past
RA2507 List services deleted List services that have been deleted at a particular time in the past
RA2508 Analyse registry key Analyse a registry key
RA2601 List users authenticated List users authenticated at a particular time in the past on a particular system
RA2602 List user accounts List user accounts on a particular system