RS0002: Identification
Gather information about a threat that has triggered a security incident, its TTPs, and affected assets.
Stage Actions
| ID | Title | Brief Description |
|---|---|---|
| RA2001 | List Victims Of Security Alert | List victims of a security alert |
| RA2002 | List Host Vulnerabilities | Get information about a specific host's existing vulnerabilities, or about the vulnerabilities it had at a particular time in the past |
| RA2003 | Put Compromised Accounts On Monitoring | Put (potentially) compromised accounts on monitoring |
| RA2005 | Make A Volatile Memory Capture | Make a volatile memory capture |
| RA2006 | Conduct Memory Analysis | Conduct memory analysis |
| RA2007 | Build Super Timeline | Build super timeline |
| RA2008 | Prepare IOCs List | Prepare an IOCs list |
| RA2009 | Scan With IOCs And Rules | Scan with IOCs, rules and signatures |
| RA2101 | List Hosts Communicated With Internal Domain | List hosts that communicated with an internal domain |
| RA2102 | List Hosts Communicated With Internal IP | List hosts that communicated with an internal IP address |
| RA2103 | List Hosts Communicated With Internal URL | List hosts that communicated with an internal URL |
| RA2104 | Analyse Domain Name | Analyse a domain name |
| RA2105 | Analyse IP | Analyse an IP address |
| RA2106 | Analyse URI | Analyse a URI |
| RA2107 | List Hosts Communicated By Port | List hosts communicating on a specific port at the moment or at a particular time in the past |
| RA2108 | List Hosts Connected To VPN | List hosts connected to a VPN at the moment or at a particular time in the past |
| RA2109 | List Hosts Connected To Intranet | List hosts connected to the internal network at the moment or at a particular time in the past |
| RA2110 | List Data Transferred | List the data that is being transferred at the moment or at a particular time in the past |
| RA2111 | Collect Transferred Data | Collect the data that is being transferred at the moment or at a particular time in the past |
| RA2112 | Identify Transferred Data | Identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value) |
| RA2113 | List Hosts Communicated With External Domain | List hosts that communicated with an external domain |
| RA2114 | List Hosts Communicated With External IP | List hosts that communicated with an external IP address |
| RA2115 | List Hosts Communicated With External URL | List hosts that communicated with an external URL |
| RA2116 | Find Data Transferred By Content Pattern | Find the data that is being transferred at the moment or at a particular time in the past by its content pattern (i.e. a specific string, keyword, binary pattern, etc.) |
| RA2117 | Analyse User-Agent | Analyse a User-Agent request header for indications of suspicious activity |
| RA2118 | List Firewall Rules | List firewall rules |
| RA2120 | Identify impacted services | Identify the IT services being impacted |
| RA2121 | Identify useful security systems | Identify the tools used to detect the incident and useful for the investigation |
| RA2201 | List Users Opened Email Message | List users that have opened an email message |
| RA2202 | Collect Email Message | Collect an email message |
| RA2203 | List Email Message Receivers | List receivers of a particular email message |
| RA2204 | Make Sure Email Message Is Phishing | Make sure that an email message is a phishing attack |
| RA2205 | Extract Observables From Email Message | Extract observables from an email message |
| RA2206 | Analyse Email Address | Analyse an email address |
| RA2301 | List Files Created | List files that have been created at a particular time in the past |
| RA2302 | List Files Modified | List files that have been modified at a particular time in the past |
| RA2303 | List Files Deleted | List files that have been deleted at a particular time in the past |
| RA2304 | List Files Downloaded | List files that have been downloaded at a particular time in the past |
| RA2305 | List Files With Tampered Timestamps | List files with tampered timestamps |
| RA2306 | Find File By Path | Find a file by its path (including its name) |
| RA2307 | Find File By Metadata | Find a file by its metadata (i.e. signature, permissions, MAC times) |
| RA2308 | Find File By Hash | Find a file by its hash |
| RA2309 | Find File By Format | Find a file by its format |
| RA2310 | Find File By Content Pattern | Find a file by its content pattern (i.e. a specific string, keyword, binary pattern, etc.) |
| RA2311 | Collect File | Collect a specific file from a (remote) host or a system |
| RAI2311_0001 | Collect file via SOLDR | This response action is intended to obtain a file from a remote host |
| RA2312 | Analyse File Hash | Analyse a hash of a file |
| RA2313 | Analyse Windows PE | Analyse an MS Windows Portable Executable |
| RAI2313_0001 | Perform malware analysis via SOLDR | This response action is intended to perform malware analysis of a chosen file |
| RA2314 | Analyse macOS Mach-O | Analyse a macOS Mach-O file |
| RA2315 | Analyse Unix ELF | Analyse a Unix ELF file |
| RA2316 | Analyse MS Office File | Analyse an MS Office file |
| RA2317 | Analyse PDF File | Analyse a PDF file |
| RA2318 | Analyse Script | Analyse a script file (i.e. Python, PowerShell, Bash source, etc.) |
| RA2319 | Analyse Jar | Analyse a JAR file |
| RA2320 | Analyse Filename | Analyse a filename |
| RA2401 | List Processes Executed | List processes being executed at the moment or at a particular time in the past |
| RA2402 | Find Process By Executable Path | Find a process that is being executed at the moment or at a particular time in the past by its executable path (including its name) |
| RA2403 | Find Process By Executable Metadata | Find a process that is being executed at the moment or at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times) |
| RA2404 | Find Process By Executable Hash | Find a process that is being executed at the moment or at a particular time in the past by its executable hash |
| RA2405 | Find Process By Executable Format | Find a process that is being executed at the moment or at a particular time in the past by its executable format |
| RA2406 | Find Process By Executable Content Pattern | Find a process that is being executed at the moment or at a particular time in the past by its executable content (i.e. a specific string, keyword, binary pattern, etc.) |
| RA2501 | List Registry Keys Modified | List registry keys modified at a particular time in the past |
| RA2502 | List Registry Keys Deleted | List registry keys that have been deleted at a particular time in the past |
| RA2503 | List Registry Keys Accessed | List registry keys that have been accessed at a particular time in the past |
| RA2504 | List Registry Keys Created | List registry keys that have been created at a particular time in the past |
| RAI2504_0001 | Listing registry keys with PowerShell | This response action covers listing registry keys with PowerShell |
| RA2505 | List Services Created | List services that have been created at a particular time in the past |
| RA2506 | List Services Modified | List services that have been modified at a particular time in the past |
| RA2507 | List Services Deleted | List services that have been deleted at a particular time in the past |
| RA2508 | Analyse Registry Key | Analyse a registry key |
| RA2601 | List Users Authenticated | List users authenticated at a particular time in the past on a particular system |
| RA2602 | List User Accounts | List user accounts on a particular system |
| RA2603 | Find successfully enumerated users | Find successfully enumerated users |
| RA2604 | Find Compromised User | Find compromised user |
| RAI2604_0001 | Find account with shadow credential via Powershell | Search via LDAP for an account with the msDS-KeyCredentialLink attribute |
| RA2999 | Examine Content | Abstract action for getting any useful information from different entities |