Add new response action for trusted communities #285

Merged
merged 2 commits into from
May 14, 2020
Conversation

@Karneades (Contributor) commented May 14, 2020

Add new RA for connecting with trusted communities, like MISP. Hope the format and everything is ok and that I included all relevant information for a new RA.

After adding my first RA to see how that works, the following things came up:

  • why do we have the category only inside the ID but the stage also in the RA itself? Or completely move away from the ID and only use the words inside the RA for both stage and category?
  • we have the ID in three places (filename, id, title) - could we reduce that to one place?
  • we have the filename the same as the title inside the RA itself - could we reduce that information to one place? filename only an ID, or skip the title if it's the same, ...? (maybe that's only because the rules are in dev...?)
  • date format: I used the international notation (used too in Sigma rules) with YYYY-MM-DD; in the template another format was used (minor issue)
  • using an additional number besides stage and category for RAs seems a bit of a hassle; if we also have unique file names, adding a new RA would also force one to look up the next number... I think it would be too much for the limited amount of RAs to add a UUID like it was introduced with the evolution of Sigma rules. Also, using sequential numbers, if an RA were deleted then gaps would come up (minor issue).

@yugoslavskiy (Member) commented May 14, 2020

wow, that was quick! thank you for the first RA contributed (:

OK, let me answer this step by step:

why do we have the category only inside the ID but the stage also in the RA itself? Or completely move away from the ID and only use the words inside the RA for both stage and category?

Most probably, we will remove the stage definition from the RA yaml file, since it's kinda redundant, but still in use by some scripts. A category is calculated on the fly and automatically added to all exported entities (i.e. markdown/confluence/etc). We will follow the same approach for stages.

we have the ID in three places (filename, id, title) - could we reduce that to one place?

This is a legacy from the main ATC project. Actually, the RA/RP stuff was developed more than a year ago. atc-react is just a way to make it clearer for IR people, and provide a better way to visualize/represent the data. So, this is something we will work out in the next development stages. We will have a title fully separated from the filename. (well, it makes sense to create an issue).

we have the filename the same as the title inside the RA itself - could we reduce that information to one place? filename only an ID, or skip the title if it's the same, ...? (maybe that's only because the rules are in dev...?)

We were thinking about the "filename only an ID"-kind of way, so we will have everything simplified.

date format: I used the international notation (used too in Sigma rules) with YYYY-MM-DD; in the template another format was used (minor issue)

Also a legacy. Most probably (I don't see why not) we will switch to the Sigma format for the date. But for now, let's keep it consistent, so in the future we would be able to change it all at once, with one bash one-liner.

using an additional number besides stage and category for RAs seems a bit of a hassle; if we also have unique file names, adding a new RA would also force one to look up the next number... I think it would be too much for the limited amount of RAs to add a UUID like it was introduced with the evolution of Sigma rules. Also, using sequential numbers, if an RA were deleted then gaps would come up (minor issue).

Well, we can do the lookup for the next number ourselves (:
And even though it looks kinda limiting, here is a short summary of options:

  1. We have 99 RAs per Stage per Category. If we go further, most probably we are on the wrong way. We are thinking of keeping RAs at a high level, and then pivoting into sub-RAs, just as ATT&CK did with sub-techniques. But this is only a theory.
  2. Even if for some reason we have more than 99 RAs per Stage per Category, we can always add one digit and get the ability to create 999 RAs per Stage per Category.

Regarding the possible gaps — yes, this is something we need to be careful about, but still, it wouldn't be a big problem anyway.

Yep, I don't think that we will switch to UUIDs for RAs.

Anyway, I will change the date format and you will see your RA published everywhere in a few minutes.

Thank you again!
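The two mechanical points in the thread (a contributor has to look up the next free sequential number per stage/category, and deleting an RA leaves a gap; the ID is repeated in filename, `id` and `title`; the date should be ISO YYYY-MM-DD) are easy to script. The block below is an added example, not code from the atc-react project. It assumes an RA ID of the form "RA" + one stage digit + one category digit + a two-digit sequence number (the page only says the ID carries stage and category and allows 99 RAs per stage per category), and the YAML keys `id`, `title` and `creation_date` are hypothetical names; the sample corpus is constructed.

```python
"""Helpers for the RA naming scheme discussed in this PR: next free number per
stage/category, gaps left by deleted RAs, and a consistency check for the ID
repeated in filename/id/title plus the ISO date.

Added example, not atc-react code. ASSUMPTION: ID = "RA" + stage digit +
category digit + 2-digit sequence; YAML keys `id`, `title`, `creation_date`
are hypothetical.
"""
import re
from collections import defaultdict

RA_ID_RE = re.compile(r"^RA(?P<stage>\d)(?P<category>\d)(?P<seq>\d{2})$")
ISO_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
MAX_SEQ = 99  # two sequence digits; a third digit would give 999, as the thread says


def parse_ra_id(ra_id):
    """Split an RA ID into (stage, category, seq); raise on a malformed ID."""
    m = RA_ID_RE.match(ra_id)
    if not m:
        raise ValueError(f"malformed RA id: {ra_id!r}")
    return int(m["stage"]), int(m["category"]), int(m["seq"])


def next_ra_id(existing_ids, stage, category):
    """Next unused ID for a stage/category (the lookup a contributor would do
    by hand). Uses max+1 so a gap left by a deleted RA is never refilled, i.e.
    an old ID is never silently reused for a different action."""
    used = [s for st, ca, s in map(parse_ra_id, existing_ids)
            if (st, ca) == (stage, category)]
    seq = max(used, default=0) + 1
    if seq > MAX_SEQ:
        raise ValueError(f"stage {stage} category {category}: all {MAX_SEQ} numbers used")
    return f"RA{stage}{category}{seq:02d}"


def find_gaps(existing_ids):
    """Map (stage, category) -> sorted sequence numbers missing below the max."""
    by_group = defaultdict(set)
    for ra_id in existing_ids:
        st, ca, seq = parse_ra_id(ra_id)
        by_group[(st, ca)].add(seq)
    gaps = {}
    for group, seqs in by_group.items():
        missing = sorted(set(range(1, max(seqs) + 1)) - seqs)
        if missing:
            gaps[group] = missing
    return gaps


def _front_matter(yaml_text):
    """Minimal `key: value` reader for flat top-level fields (no PyYAML needed)."""
    fields = {}
    for line in yaml_text.splitlines():
        m = re.match(r"^([A-Za-z_]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_ra(filename, yaml_text):
    """Return a list of problems for one RA file: well-formed `id`, filename stem
    equal to `title`, `title` starting with `id`, and an ISO `creation_date`."""
    problems = []
    f = _front_matter(yaml_text)
    ra_id, title = f.get("id", ""), f.get("title", "")
    try:
        parse_ra_id(ra_id)
    except ValueError as e:
        problems.append(str(e))
    stem = re.sub(r"\.ya?ml$", "", filename.rsplit("/", 1)[-1])
    if stem != title:
        problems.append(f"filename {stem!r} != title {title!r}")
    if not title.startswith(ra_id):
        problems.append(f"title {title!r} does not start with id {ra_id!r}")
    if not ISO_DATE_RE.match(f.get("creation_date", "")):
        problems.append(f"creation_date {f.get('creation_date')!r} is not YYYY-MM-DD")
    return problems


# Constructed sample corpus (not real atc-react content): RA1003 was "deleted".
SAMPLE_IDS = ["RA1001", "RA1002", "RA1004", "RA2101", "RA2102"]

# Constructed RA front matter using the template's non-ISO date.
SAMPLE_RA = """\
title: RA1005_connect_with_trusted_communities
id: RA1005
creation_date: 14.05.2020
"""

if __name__ == "__main__":
    print(next_ra_id(SAMPLE_IDS, 1, 0), find_gaps(SAMPLE_IDS))
    print(check_ra("RA1005_connect_with_trusted_communities.yml", SAMPLE_RA))
```

Using max+1 rather than "first free number" is a deliberate choice: refilling a gap would give a new action the ID of a deleted one, which breaks any external reference (playbooks, tickets, exports) that still points at the old ID.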

@yugoslavskiy yugoslavskiy merged commit 275a945 into atc-project:develop May 14, 2020
@yugoslavskiy (Member) commented:

Done it. Welcome to project contributors!

@Karneades Karneades deleted the ra-connect branch May 15, 2020 05:40
@Karneades (Contributor, Author) commented May 15, 2020

Thanks for your explanations above. Looking forward to seeing how the project evolves. Thanks for your work!

@yugoslavskiy (Member) commented May 22, 2020

created an issue #294 for naming scheme normalisation

@yugoslavskiy (Member) commented:

created an issue #296 for date format change
