
COPS - Collaborative Open Playbook Standard


This repository contains schema definitions for a DFIR (Digital Forensics and Incident Response) playbook. The schema is based on YAML (http://yaml.org/) and describes an incident response runbook (also known as a playbook or "use case"): written guidance for identifying, containing, eradicating and recovering from cyber security incidents.

YAML was chosen because it is human-readable and can describe complex nested data structures; we use YAML version 1.2.

What is the promise of the DFIR Playbook Spec?

Version

This is version 0.2 of the spec.

Playbook Hierarchy structure:

  1. Playbook - the high-level process.
  2. Task - a single step in the process, which can represent either a script execution or a manual step.

Playbook fields

Task fields

Example playbook YAML:

id: 40202fbb-9ed4-4b8f-86e1-68722d808e3d
version: 0
name: Hello-world-COPS
description: This playbook is an example hello world of COPS format
starttaskid: "0"
tasks:
  "0":
    id: "0"
    taskid: c44160b9-16d8-4a1e-8765-1c034006a183
    type: start
    task:
      id: c44160b9-16d8-4a1e-8765-1c034006a183
      version: -1
      name: ""
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "1"
    separatecontext: false
  "1":
    id: "1"
    taskid: 015bd0d8-5d01-4c2d-8d38-fed3e5c77938
    type: regular
    task:
      id: 015bd0d8-5d01-4c2d-8d38-fed3e5c77938
      version: -1
      name: Hello world COPS
      scriptName: Print
      type: regular
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "2"
    scriptarguments:
      value:
        simple: Hello DFIR community, this is COPS!
    separatecontext: false
  "2":
    id: "2"
    taskid: b8193b45-293e-4035-858a-36d84050395a
    type: condition
    task:
      id: b8193b45-293e-4035-858a-36d84050395a
      version: -1
      name: Is this incident high severity
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "4"
      "yes":
      - "3"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: string.isEqual
          left:
            value:
              simple: incident.severity
            iscontext: true
          right:
            value:
              simple: "3"
  "3":
    id: "3"
    taskid: 11e43d6c-a9bb-4fea-8641-6f256a5d11f7
    type: regular
    task:
      id: 11e43d6c-a9bb-4fea-8641-6f256a5d11f7
      version: -1
      name: Investigate it!
      type: regular
      iscommand: false
      brand: ""
    separatecontext: false
    sla:
      hours: 0
      days: 0
      weeks: 1
  "4":
    id: "4"
    taskid: eb04267c-b749-40f7-888b-b00c720112ea
    type: regular
    task:
      id: eb04267c-b749-40f7-888b-b00c720112ea
      version: -1
      name: Go Sleep
      type: regular
      iscommand: false
      brand: ""
    separatecontext: false
inputs: []
outputs: []

Example playbook illustration:

[Image: example playbook illustration]

Example playbook task by task explanation

  1. The playbook's first task; a dummy task that only marks the start point of the playbook.
  2. Hello world COPS - prints/echoes "Hello DFIR community, this is COPS!"
  3. Is this incident high severity - a condition task that checks whether the incident severity is high; if so, continue to task #3, otherwise continue to task #4.
  4. Investigate it! - a manual task the analyst needs to perform.
  5. Go Sleep - a manual task the analyst needs to perform.
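To make the task-by-task walk above concrete, here is an added example (not part of the COPS repository) that loads the hello-world playbook, sanity-checks its structure and then follows it from starttaskid through nexttasks, evaluating the condition task against an incident context. The playbook is embedded as a Python dict mirroring the YAML above (the shape a YAML loader would produce) so the script runs without a YAML library; the value lookup via iscontext and the reading of the nested condition list as "OR over groups, AND within a group" are this example's assumptions, not something the spec text above states.

```python
"""Walk and sanity-check a COPS playbook (added example, not COPS project code)."""

# Constructed: the README's hello-world playbook, trimmed to the fields the walker uses.
PLAYBOOK = {
    "id": "40202fbb-9ed4-4b8f-86e1-68722d808e3d",
    "name": "Hello-world-COPS",
    "starttaskid": "0",
    "tasks": {
        "0": {"id": "0", "type": "start", "nexttasks": {"#none#": ["1"]}},
        "1": {"id": "1", "type": "regular",
              "task": {"name": "Hello world COPS", "scriptName": "Print"},
              "scriptarguments": {"value": {"simple": "Hello DFIR community, this is COPS!"}},
              "nexttasks": {"#none#": ["2"]}},
        "2": {"id": "2", "type": "condition",
              "task": {"name": "Is this incident high severity"},
              "nexttasks": {"#default#": ["4"], "yes": ["3"]},
              "conditions": [{"label": "yes",
                              "condition": [[{"operator": "string.isEqual",
                                              "left": {"value": {"simple": "incident.severity"},
                                                       "iscontext": True},
                                              "right": {"value": {"simple": "3"}}}]]}]},
        "3": {"id": "3", "type": "regular", "task": {"name": "Investigate it!"},
              "sla": {"hours": 0, "days": 0, "weeks": 1}},
        "4": {"id": "4", "type": "regular", "task": {"name": "Go Sleep"}},
    },
}

# Only the operator the example playbook uses; anything else is rejected loudly.
OPERATORS = {"string.isEqual": lambda left, right: left is not None and left == right}


def validate(playbook):
    """Return a list of structural problems; an empty list means the graph is consistent."""
    problems = []
    tasks = playbook.get("tasks", {})
    start = playbook.get("starttaskid")
    if start not in tasks:
        problems.append(f"starttaskid {start!r} is not a task")
    for tid, task in tasks.items():
        if task.get("id") != tid:
            problems.append(f"task key {tid!r} does not match id {task.get('id')!r}")
        for label, targets in task.get("nexttasks", {}).items():
            for target in targets:
                if target not in tasks:
                    problems.append(f"task {tid}: nexttasks[{label!r}] -> missing task {target!r}")
        if task.get("type") == "condition":
            labels = {c["label"] for c in task.get("conditions", [])}
            branches = set(task.get("nexttasks", {})) - {"#default#"}
            for label in branches - labels:
                problems.append(f"task {tid}: branch {label!r} has no condition")
            for label in labels - branches:
                problems.append(f"task {tid}: condition {label!r} has no nexttasks branch")
    return problems


def resolve(operand, context):
    """Literal 'simple' value, or (assumed) a dotted path into the context when iscontext is set."""
    value = operand["value"]["simple"]
    if not operand.get("iscontext"):
        return value
    node = context
    for part in value.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return None if node is None else str(node)


def evaluate(clause, context):
    op = OPERATORS.get(clause["operator"])
    if op is None:
        raise ValueError(f"unsupported operator {clause['operator']!r}")
    return op(resolve(clause["left"], context), resolve(clause["right"], context))


def branch(task, context):
    """Pick the nexttasks label for a condition task; '#default#' when nothing matches."""
    for cond in task.get("conditions", []):
        # Assumption: outer list = OR over groups, inner list = AND within a group.
        if any(all(evaluate(c, context) for c in group) for group in cond["condition"]):
            return cond["label"]
    return "#default#"


def walk(playbook, context, max_steps=50):
    """Follow the playbook from starttaskid and return the ordered list of task ids visited."""
    tasks, tid, path = playbook["tasks"], playbook["starttaskid"], []
    while tid is not None:
        task = tasks[tid]
        path.append(tid)
        if len(path) > max_steps:
            raise RuntimeError("playbook loops or exceeds max_steps")
        label = branch(task, context) if task.get("type") == "condition" else "#none#"
        targets = task.get("nexttasks", {}).get(label, [])
        tid = targets[0] if targets else None  # no nexttasks: the playbook ends here
    return path


if __name__ == "__main__":
    print("problems:", validate(PLAYBOOK) or "none")
    for sev in (3, 1):
        print(f"severity={sev}:", " -> ".join(walk(PLAYBOOK, {"incident": {"severity": sev}})))
```

Run it as a script and the high-severity incident follows 0 -> 1 -> 2 -> 3 (Investigate it!), while any other severity, or a missing severity field, falls through the '#default#' branch to 0 -> 1 -> 2 -> 4 (Go Sleep). The validate() pass is the kind of check worth running on every playbook before it is loaded into an automation platform: a nexttasks entry pointing at a non-existent task, or a condition label with no matching branch, would otherwise only surface mid-incident.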

This is, of course, a simple sample intended only to give an overview of the schema. For real DFIR playbooks, look at the Demisto content repo.

Feel free to contribute by providing feedback, creating new DFIR playbooks, or using the spec in your security product; contact us through the issues of this GitHub repo.