Add PAP to case to indicate which kind of action is allowed

[To-om]

Request Type

Feature Request

Description

PAP (for Permissible Actions Protocol) aims to indicate to analyst the posture to adopt: how much we accept that the attacker detect the current analysis.

As for TLP, PAP is declined in 4 values:

• RED (3): Non-detectable actions only. Recipients may not use PAP:RED information on the network. Only passive actions on logs, that are not detectable from the outside.
• AMBER (2): Passive cross check. Recipients may use PAP:AMBER information for conducting online checks, like using services provided by third parties (e.g. VirusTotal), or set up a monitoring honeypot.
• GREEN (1): Active actions allowed. Recipients may use PAP:GREEN information to ping the target, block incoming/outgoing traffic from/to the target or specifically configure honeypots to interact with the target.
• WHITE (0): No restrictions in using this information.

Tasks

• Add pap attribute to case class
• Add pap attribute to case template class
• Add corresponding mapping migration
• Update case template UI
• Update case details page
• Update case creation dialog
• Update template of case items in search page
• Update template of case items in flow

[ghost]

Hello @To-om,

Is someone currently working on this feature? If I am not mistaken, this feature seems to already exist in TheHive when creating a new case. Please advise.

Respectfully

[saadkadhi]

@AzureFlameGod this feature does not exist yet and will be implemented in 3.1. It must not be confounded with the TLP safeguards that analyzers implement (a.k.a max TLP).

While the colors in the PAP taxonomy are similar to those of the TLP, they serve a different purpose and are actions that will be applicable to actions you could or could not do during your incident response process depending on the stance you have defined wrt the threat actor you are dealing with.