Identification
ID: RS0002
Collectez des informations sur une menace qui a déclenché un incident de sécurité, ses TTP et les actifs concernés.
Actions de réponse
| ID | Nom | Description |
|---|---|---|
| RA2001 | Répertorier les victimes de l’alerte de sécurité | List victims of a security alert |
| RA2002 | Répertorier les vulnérabilités de l’hôte | Get information about a specific host existing vulnerabilities, or about vulnerabilities it had at a particular time in the past |
| RA2003 | Mettre des comptes compromis sous surveillance | Put (potentially) compromised accounts on monitoring |
| RA2101 | Liste des hôtes qui ont communiqués avec le domaine interne | List hosts communicated with an internal domain |
| RA2102 | Liste des hôtes qui ont communiqués avec l’ip interne | List hosts communicated with an internal IP address |
| RA2103 | Liste des hôtes qui ont communiqués avec une URL interne | List hosts communicated with an internal URL |
| RA2104 | Analyser le nom de domaine | Analyse a domain name |
| RA2105 | Analyser l’ip | Analyse an IP address |
| RA2106 | Analyser l’uri | Analyse an URI |
| RA2107 | Liste des hôtes qui ont communiqués par port | List hosts communicating by a specific port at the moment or at a particular time in the past |
| RA2108 | Liste des hôtes connectés au VPN | List hosts connected to a VPN at the moment or at a particular time in the past |
| RA2109 | Liste des hôtes connectés à l’intranet | List hosts connected to the internal network at the moment or at a particular time in the past |
| RA2110 | Liste des données transférées | List the data that is being transferred at the moment or at a particular time in the past |
| RA2111 | Collecter les données transférées | Collect the data that is being transferred at the moment or at a particular time in the past |
| RA2112 | Identifier les données transférées | Identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value) |
| RA2113 | Lister les hôtes qui ont communiqués avec un domaine externe | List hosts communicated with an external domain |
| RA2114 | Lister les hôtes qui ont communiqués avec une IP externe | List hosts communicated with an external IP address |
| RA2115 | Lister les hôtes qui ont communiqués avec une URL externe | List hosts communicated with an external URL |
| RA2116 | Rechercher des données transférées par contenu | Find the data that is being transferred at the moment or at a particular time in the past by its content pattern (i.e. specific string, keyword, binary pattern etc) |
| RA2117 | Analyser un user-agent | Analyse an User-Agent request header |
| RA2201 | Lister les utilisateurs qui ont ouverts un e-mail | List users that have opened am email message |
| RA2202 | Collecter l’e-mail | Collect an email message |
| RA2203 | Lister les destinataires d’un e-mails | List receivers of a particular email message |
| RA2204 | Assurez-vous que le message électronique est du phishing | Make sure that an email message is a phishing attack |
| RA2205 | Extraire les observables du message électronique | Extract observables from an email message |
| RA2206 | Analyser l’adresse e-mail | Analyse an email address |
| RA2301 | Lister les fichiers créés | List files that have been created at a particular time in the past |
| RA2302 | Lister les fichiers modifiés | List files that have been modified at a particular time in the past |
| RA2303 | Lister les fichiers supprimés | List files that have been deleted at a particular time in the past |
| RA2304 | Lister les fichiers téléchargés | List files that have been downloaded at a particular time in the past |
| RA2305 | Lister les fichiers avec des horodatages falsifiés | List files with tampered timestamps |
| RA2306 | Rechercher un fichier par son chemin | Find a file by its path (including its name) |
| RA2307 | Rechercher un fichier par métadonnées | Find a file by its metadata (i.e. signature, permissions, MAC times) |
| RA2308 | Rechercher un fichier par son hash | Find a file by its hash |
| RA2309 | Rechercher un fichier par son format | Find a file by its format |
| RA2310 | Rechercher un fichier par contenu | Find a file by its content pattern (i.e. specific string, keyword, binary pattern etc) |
| RA2311 | Collecter le fichier | Collect a specific file from a (remote) host or a system |
| RA2312 | Analyser un fchier via son hash | Analise a hash of a file |
| RA2313 | Analyser un PE Windows | Analise MS Windows Portable Executable |
| RA2314 | Analyser un fichier Mach-o de macos | Analise macOS Mach-O |
| RA2315 | Analyser un fichier ELF Unix | Analise Unix ELF |
| RA2316 | Analyser le fichier MS office | Analise MS Office file |
| RA2317 | Analyser un fichier PDF | Analise PDF file |
| RA2318 | Analyser un script | Analyse a script file (i.e. Python, PowerShell, Bash scripts etc) |
| RA2319 | Analyser un fichier jar | Analyse a JAR file |
| RA2320 | Analyser le nom de fichier | Analyse a filename |
| RA2401 | Lister les processus exécutés | List processes being executed at the moment or at a particular time in the past |
| RA2402 | Rechercher un processus exécutable via son chemin | Find a process that is being executed at the moment or at a particular time in the past by its executable path (including its name) |
| RA2403 | Rechercher un processus exécutables par métadonnées | Find a process that is being executed at the moment or at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times) |
| RA2404 | Rechercher un processus par le hash de l’exécutable | Find a process that is being executed at the moment or at a particular time in the past by its executable hash |
| RA2405 | Rechercher un processus par le format de l’exécutable | Find a process that is being executed at the moment or at a particular time in the past by its executable format |
| RA2406 | Rechercher un processus par contenu de l’exécutable | Find a process that is being executed at the moment or at a particular time in the past by its executable content (i.e. specific string, keyword, binary pattern etc) |
| RA2501 | Lister les clés de registre modifiées | List registry keys modified at a particular time in the past |
| RA2502 | Lister les clés de registre supprimées | List registry keys that have been deleted at a particular time in the past |
| RA2503 | Lister les clés de registre accédées | List registry keys that have been accessed at a particular time in the past |
| RA2504 | Lister les clés de registre créées | List registry keys that have been created at a particular time in the past |
| RA2505 | Lister les services créés | List services that have been created at a particular time in the past |
| RA2506 | Lister les services modifiés | List services that have been modified at a particular time in the past |
| RA2507 | Lister les services supprimés | List services that have been deleted at a particular time in the past |
| RA2508 | Analyser la clé de registre | Analyse a registry key |
| RA2601 | Répertorier les utilisateurs authentifiés | List users authenticated at a particular time in the past on a particular system |