{ "blocked_actions": [ "call_wazuh_api_live", "enable_wazuh_active_response", "install_wazuh_agent", "restart_wazuh_agent", "change_wazuh_rule", "change_wazuh_decoder", "store_raw_wazuh_payload", "read_wazuh_password", "disable_wazuh_tls_verification", "call_kali_scan", "call_kali_execute", "run_kali_active_scan", "run_kali_credentialed_scan", "run_nmap_scan", "run_nuclei_scan", "run_nikto_scan", "run_trivy_scan_live", "run_lynis_scan_live", "update_kali_packages", "reboot_kali_host", "change_kali_service", "ssh_to_host", "sudo_action", "read_host_live_log", "read_host_env", "write_host_file", "kill_process", "isolate_host", "docker_restart", "docker_compose_up", "docker_compose_down", "systemctl_restart", "systemctl_stop", "systemctl_start", "nginx_test", "nginx_reload", "nginx_conf_write", "certbot_renew", "dns_change", "route_change", "upstream_change", "firewall_drop", "firewall_allow", "port_close", "port_open", "wireguard_change", "nodeport_change", "network_policy_apply", "argocd_sync", "kubectl_apply", "kubectl_delete", "helm_upgrade", "rbac_change", "k8s_secret_change", "prometheus_reload", "alertmanager_reload", "grafana_dashboard_apply", "signoz_rule_apply", "sentry_config_change", "langfuse_config_change", "otel_collector_reload", "receiver_route_change", "silence_policy_change", "telegram_send", "notification_route_change", "webhook_receiver_change", "remote_write_change", "exporter_deploy", "live_alert_fire", "alert_chain_smoke_live", "create_soar_case_live", "run_soar_playbook", "auto_block_ip", "auto_quarantine_endpoint", "auto_rotate_secret", "workflow_modification", "gitea_action_dispatch", "runner_config_change", "deploy_key_change", "webhook_change", "repo_secret_change", "secret_store_read", "collect_password", "collect_private_key", "collect_runner_token", "collect_webhook_secret", "collect_cookie_or_session", "collect_secret_hash", "collect_partial_token", "store_raw_packet", "store_raw_log", "store_unredacted_screenshot", "database_migration", "production_write", "open_runtime_gate", "add_action_button", "force_push", "sync_git_refs", "switch_github_primary", "change_codeowners", "change_branch_protection", "change_cors", "disable_rate_limit" ], "control_candidates": [ { "control_id": "SOC-P0-01", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "資產與 owner 對應表先完整" }, { "control_id": "SOC-P0-02", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "Wazuh agent / manager / indexer / dashboard health ref 收件" }, { "control_id": "SOC-P0-03", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "Host auth / process / network / FIM 訊號正規化" }, { "control_id": "SOC-P0-04", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "Kali 112 health / tool version / scope approval 串接" }, { "control_id": "SOC-P0-05", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "Kali finding 只接脫敏 envelope,不接 raw output" }, { "control_id": "SOC-P0-06", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "Prometheus / Alertmanager / Telegram 告警鏈 no-false-green" }, { "control_id": "SOC-P0-07", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "Sentry / SigNoz 與主機入侵線索關聯" }, { "control_id": "SOC-P0-08", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "Nginx / firewall / route / TLS / gateway drift 關聯到 SIEM" }, { "control_id": "SOC-P0-09", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "Gitea / runner / workflow / secret metadata 供應鏈關聯" }, { "control_id": "SOC-P0-10", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "CISA KEV / CVE / package / image 風險排序" }, { "control_id": "SOC-P0-11", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "Incident case / owner response / escalation queue" }, { "control_id": "SOC-P0-12", "control_tier": "C0", "owner_response_required": true, "priority": "P0", "runtime_gate_open": false, "title": "鑑識證據、chain of custody、redaction 與保存期" }, { "control_id": "SOC-P1-13", "control_tier": "C1", "owner_response_required": true, "priority": "P1", "runtime_gate_open": false, "title": "Suricata / NDR passive telemetry lane" }, { "control_id": "SOC-P1-14", "control_tier": "C1", "owner_response_required": true, "priority": "P1", "runtime_gate_open": false, "title": "Web / API appsec logging 與 OWASP ASVS 驗證" }, { "control_id": "SOC-P1-15", "control_tier": "C1", "owner_response_required": true, "priority": "P1", "runtime_gate_open": false, "title": "Backup / restore / DR recovery proof 串回 incident" }, { "control_id": "SOC-P1-16", "control_tier": "C1", "owner_response_required": true, "priority": "P1", "runtime_gate_open": false, "title": "SOC KPI / dashboard / LOGBOOK / executive reporting" }, { "control_id": "SOC-P1-17", "control_tier": "C1", "owner_response_required": true, "priority": "P1", "runtime_gate_open": false, "title": "SOAR draft / case automation 只建立候選,不自動封鎖" }, { "control_id": "SOC-P1-18", "control_tier": "C1", "owner_response_required": true, "priority": "P1", "runtime_gate_open": false, "title": "Wazuh active response dry-run 與 rollback gate" }, { "control_id": "SOC-P1-19", "control_tier": "C1", "owner_response_required": true, "priority": "P1", "runtime_gate_open": false, "title": "Kali active / credentialed scan approval package" }, { "control_id": "SOC-P1-20", "control_tier": "C1", "owner_response_required": true, "priority": "P1", "runtime_gate_open": false, "title": "NDR / IPS / firewall containment promotion criteria" } ], "control_domains": [ { "control_tier": "C0", "domain_id": "asset_inventory_owner", "label": "資產 / owner / attack surface inventory", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C0", "domain_id": "endpoint_log_collection", "label": "Endpoint / host / auth / process log collection", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C0", "domain_id": "fim_persistence_detection", "label": "FIM / persistence / malware signal", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C0", "domain_id": "vulnerability_kev_prioritization", "label": "CVE / KEV / package / image prioritization", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C0", "domain_id": "network_detection_response", "label": "NDR / IDS / firewall / WireGuard / NodePort evidence", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C0", "domain_id": "wazuh_siem_correlation", "label": "Wazuh SIEM correlation / rule / decoder readback", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C0", "domain_id": "kali_assessment_orchestration", "label": "Kali 112 scanner health / scope / finding normalization", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C0", "domain_id": "alert_routing_noise_budget", "label": "Alert routing / dedup / inhibit / noise budget", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C0", "domain_id": "incident_case_management", "label": "Incident / case / owner response / escalation", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C0", "domain_id": "forensic_evidence_retention", "label": "Forensic evidence retention / redaction / chain of custody", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C0", "domain_id": "config_drift_control", "label": "Nginx / host / K8s / runner / workflow config drift", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C0", "domain_id": "supply_chain_ci_cd", "label": "Gitea / runner / workflow / Harbor / SBOM / image evidence", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C1", "domain_id": "identity_secret_access", "label": "IAM / SSH / sudo / secret / token exposure control", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C1", "domain_id": "web_api_appsec_logging", "label": "Web / API appsec logging / auth / rate-limit / headers", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C1", "domain_id": "backup_recovery_dr", "label": "Backup / restore / escrow / DR recovery proof", "owner_response_required": true, "runtime_gate_open": false }, { "control_tier": "C1", "domain_id": "executive_reporting_metrics", "label": "Dashboard / KPI / LOGBOOK / no-false-green reporting", "owner_response_required": true, "runtime_gate_open": false } ], "execution_boundaries": { "action_buttons_allowed": false, "active_scan_authorized": false, "alertmanager_reload_authorized": false, "auto_block_authorized": false, "credentialed_scan_authorized": false, "firewall_change_authorized": false, "host_write_authorized": false, "kali_execute_authorized": false, "kali_scan_authorized": false, "nginx_reload_authorized": false, "not_authorization": true, "production_write_authorized": false, "prometheus_reload_authorized": false, "raw_payload_storage_allowed": false, "runtime_execution_authorized": false, "runtime_gate_open": false, "secret_value_collection_allowed": false, "soar_case_create_authorized": false, "ssh_write_authorized": false, "telegram_send_authorized": false, "wazuh_active_response_authorized": false, "wazuh_api_live_query_authorized": false }, "generated_at": "2026-06-25T16:20:00+08:00", "git_commit": "c07fefbe", "incident_lifecycle_stages": [ { "control_intent": "資產、owner、控制域、例外、權限與證據模板先就緒。", "label": "準備與治理", "runtime_gate_open": false, "stage_id": "prepare_govern" }, { "control_intent": "Wazuh、Alertmanager、SigNoz、Sentry、Nginx、K8s、Gitea 訊號統一成脫敏事件。", "label": "偵測與正規化", "runtime_gate_open": false, "stage_id": "detect_normalize" }, { "control_intent": "用 severity、confidence、KEV、ATT&CK、asset criticality 與 noise budget 排序。", "label": "分流與排序", "runtime_gate_open": false, "stage_id": "triage_prioritize" }, { "control_intent": "串 Wazuh event、Kali scope、host forensic、gateway diff、supply-chain 與 timeline refs。", "label": "調查與關聯", "runtime_gate_open": false, "stage_id": "investigate_correlate" }, { "control_intent": "只產生 containment 候選;無 owner、rollback、maintenance window 不得執行。", "label": "圍堵決策", "runtime_gate_open": false, "stage_id": "containment_decision" }, { "control_intent": "清除、修補、還原與服務恢復都必須有 postcheck 與 no-false-green 證據。", "label": "清除與復原", "runtime_gate_open": false, "stage_id": "eradicate_recover" }, { "control_intent": "回寫 detection gap、false positive、playbook、owner SLA、LOGBOOK 與風險例外。", "label": "事後學習", "runtime_gate_open": false, "stage_id": "post_incident_learning" }, { "control_intent": "用 KPI、演練、tabletop、purple-team 與 evidence aging 收斂下一輪優先序。", "label": "持續改善", "runtime_gate_open": false, "stage_id": "continuous_improvement" } ], "maturity_stages": [ { "entry_criteria": "工具與文件分散,不能宣稱 SOC 形成。", "label": "分散觀測", "runtime_gate_open": false, "stage_id": "L0" }, { "entry_criteria": "repo / snapshot / guard / frontstage marker 可重跑,runtime 維持 0。", "label": "只讀證據", "runtime_gate_open": false, "stage_id": "L1" }, { "entry_criteria": "owner、scope、evidence refs、rollback、postcheck 與 redaction 證明可驗收。", "label": "Owner Packet", "runtime_gate_open": false, "stage_id": "L2" }, { "entry_criteria": "在獨立批准後接只讀 live metadata,仍不執行 response。", "label": "Live Metadata 只讀", "runtime_gate_open": false, "stage_id": "L3" }, { "entry_criteria": "SOAR / active response / scan 只跑 dry-run、blast radius 與 rollback 演練。", "label": "Dry-run Automation", "runtime_gate_open": false, "stage_id": "L4" }, { "entry_criteria": "人工批准、維護窗口與 postcheck 完成後,才允許可回滾 response。", "label": "Human-approved Response", "runtime_gate_open": false, "stage_id": "L5" }, { "entry_criteria": "僅低風險、可回滾、已演練、有 receipt 的動作可逐步自動化。", "label": "Governed Low-risk Autonomy", "runtime_gate_open": false, "stage_id": "L6" } ], "operating_roles": [ { "label": "IwoooS 控制負責人", "responsibility": "維護控制域、例外、進度口徑與 LOGBOOK;不能直接開 runtime。", "role_id": "iwooos_control_owner", "runtime_gate_open": false }, { "label": "SOC 審查人", "responsibility": "審查 Wazuh / Kali / alert / forensic refs 是否脫敏、可交叉驗證。", "role_id": "soc_reviewer", "runtime_gate_open": false }, { "label": "事故指揮", "responsibility": "在 incident case 中確認 severity、scope、containment 候選與升級路線。", "role_id": "incident_commander", "runtime_gate_open": false }, { "label": "平台負責人", "responsibility": "負責 Nginx、K8s、Docker、systemd、runner 與 release impact 判讀。", "role_id": "platform_owner", "runtime_gate_open": false }, { "label": "服務負責人", "responsibility": "負責產品 / API / website / webhook 的影響範圍、驗證與回復責任。", "role_id": "service_owner", "runtime_gate_open": false }, { "label": "證據保管人", "responsibility": "維護 redacted evidence refs、chain of custody、retention 與 raw absence 證明。", "role_id": "evidence_custodian", "runtime_gate_open": false }, { "label": "變更管理人", "responsibility": "確認維護窗口、rollback owner、postcheck 與跨專案同步。", "role_id": "change_manager", "runtime_gate_open": false }, { "label": "AI 安全審查人", "responsibility": "審核 AI agent tool 權限、prompt redaction、過度代理與成本邊界。", "role_id": "ai_security_reviewer", "runtime_gate_open": false }, { "label": "風險負責人", "responsibility": "接受風險、例外期限、治理報告與資源優先序。", "role_id": "executive_risk_owner", "runtime_gate_open": false } ], "outcome_lanes": [ { "lane_id": "waiting_soc_owner_packet", "runtime_gate_open": false }, { "lane_id": "request_wazuh_event_supplement", "runtime_gate_open": false }, { "lane_id": "request_kali_scope_supplement", "runtime_gate_open": false }, { "lane_id": "request_host_forensic_supplement", "runtime_gate_open": false }, { "lane_id": "request_alert_chain_supplement", "runtime_gate_open": false }, { "lane_id": "request_gateway_diff_supplement", "runtime_gate_open": false }, { "lane_id": "request_supply_chain_supplement", "runtime_gate_open": false }, { "lane_id": "request_kev_cve_supplement", "runtime_gate_open": false }, { "lane_id": "quarantine_secret_or_raw_payload", "runtime_gate_open": false }, { "lane_id": "reject_claim_without_cross_evidence", "runtime_gate_open": false }, { "lane_id": "ready_for_soc_reviewer_review", "runtime_gate_open": false }, { "lane_id": "waiting_runtime_authorization", "runtime_gate_open": false }, { "lane_id": "blocked_no_rollback_or_postcheck", "runtime_gate_open": false }, { "lane_id": "route_to_high_value_config_gate", "runtime_gate_open": false } ], "required_owner_fields": [ "control_id", "owner_role", "owner_team", "decision", "decision_reason", "affected_scope_aliases", "asset_owner_map_ref", "signal_source_refs", "wazuh_manager_ref", "wazuh_agent_status_refs", "wazuh_event_refs", "kali_scope_ref", "kali_health_ref", "kali_finding_envelope_ref", "prometheus_alert_ref", "alertmanager_route_ref", "signoz_trace_ref", "sentry_issue_ref", "host_forensic_refs", "fim_or_persistence_refs", "network_detection_refs", "gateway_config_diff_refs", "runner_workflow_refs", "container_sbom_refs", "kev_or_cve_refs", "incident_case_ref", "severity_mapping_ref", "confidence_mapping_ref", "noise_budget_ref", "dedupe_fingerprint_ref", "redacted_evidence_refs", "raw_payload_absence_attestation", "secret_value_absence_attestation", "chain_of_custody_ref", "retention_policy_ref", "maintenance_window", "rollback_owner", "rollback_plan_ref", "validation_metrics", "postcheck_owner", "cross_project_sync_ref", "followup_owner" ], "reviewer_checks": [ { "check_id": "soc_review_01", "instruction": "owner role / team 必填" }, { "check_id": "soc_review_02", "instruction": "asset alias 必須脫敏" }, { "check_id": "soc_review_03", "instruction": "Wazuh event ref 不得是 raw payload" }, { "check_id": "soc_review_04", "instruction": "Kali finding 只能接 normalized envelope" }, { "check_id": "soc_review_05", "instruction": "Kali active scan 必須獨立批准" }, { "check_id": "soc_review_06", "instruction": "Kali /execute 必須維持封鎖" }, { "check_id": "soc_review_07", "instruction": "Prometheus / Alertmanager reload 未授權" }, { "check_id": "soc_review_08", "instruction": "Telegram 實發未授權" }, { "check_id": "soc_review_09", "instruction": "Sentry / SigNoz 只能作關聯證據" }, { "check_id": "soc_review_10", "instruction": "route 200 不得當資安通過" }, { "check_id": "soc_review_11", "instruction": "agent active 不得當入侵清除" }, { "check_id": "soc_review_12", "instruction": "dashboard up 不得當事件結案" }, { "check_id": "soc_review_13", "instruction": "host forensic refs 必須含時間窗" }, { "check_id": "soc_review_14", "instruction": "FIM / persistence refs 必須標示來源" }, { "check_id": "soc_review_15", "instruction": "network detection refs 不得含 raw packet payload" }, { "check_id": "soc_review_16", "instruction": "secret value / hash / partial token 一律拒收" }, { "check_id": "soc_review_17", "instruction": "runner / workflow / deploy key 只收 metadata" }, { "check_id": "soc_review_18", "instruction": "CVE / KEV 必須有 owner 與 SLA" }, { "check_id": "soc_review_19", "instruction": "false positive handling 必須可追蹤" }, { "check_id": "soc_review_20", "instruction": "dedupe fingerprint 必須穩定" }, { "check_id": "soc_review_21", "instruction": "noise budget 必須列收斂策略" }, { "check_id": "soc_review_22", "instruction": "case escalation 必須有 owner" }, { "check_id": "soc_review_23", "instruction": "maintenance window 必須存在" }, { "check_id": "soc_review_24", "instruction": "rollback owner 必須存在" }, { "check_id": "soc_review_25", "instruction": "postcheck 必須獨立" }, { "check_id": "soc_review_26", "instruction": "cross-project sync 必須存在" }, { "check_id": "soc_review_27", "instruction": "LOGBOOK 更新不能含內部逐字稿" }, { "check_id": "soc_review_28", "instruction": "前台不得顯示個人 namespace 原文" }, { "check_id": "soc_review_29", "instruction": "SOAR 只能 draft 不得 auto block" }, { "check_id": "soc_review_30", "instruction": "active response 先 dry-run" }, { "check_id": "soc_review_31", "instruction": "NDR / IPS 不能直接進 blocking" }, { "check_id": "soc_review_32", "instruction": "firewall containment 必須 break-glass 或維護窗口" }, { "check_id": "soc_review_33", "instruction": "package patch 需維護窗口" }, { "check_id": "soc_review_34", "instruction": "backup / restore proof 不能用備份存在代替" }, { "check_id": "soc_review_35", "instruction": "all accepted / authorized / executed counters 必須維持 0" }, { "check_id": "soc_review_36", "instruction": "runtime gate 必須維持 0" } ], "schema_version": "soc_siem_kali_wazuh_integration_control_v1", "signal_sources": [ { "label": "Wazuh endpoint / agent / FIM alerts", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "wazuh_endpoint_alerts" }, { "label": "Kali 112 health / scope / normalized findings", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "kali_112_health_findings" }, { "label": "Prometheus / Alertmanager rules and delivery chain", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "prometheus_alertmanager" }, { "label": "SigNoz traces / metrics / errors", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "signoz_apm_traces" }, { "label": "Sentry application and frontend errors", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "sentry_application_errors" }, { "label": "Nginx / gateway / TLS / ACME / upstream evidence", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "nginx_gateway_tls" }, { "label": "Host auth / process / network / package evidence", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "host_auth_process_network" }, { "label": "Docker / systemd / process / port binding evidence", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "docker_systemd_runtime" }, { "label": "K8s / ArgoCD / RBAC / NetworkPolicy evidence", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "k8s_argocd_gitops" }, { "label": "Gitea / runner / workflow / deploy key evidence", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "gitea_runner_workflow" }, { "label": "Harbor / registry / container image / SBOM evidence", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "harbor_container_sbom" }, { "label": "Backup / restore / offsite / escrow / cold-start evidence", "live_query_authorized": false, "redacted_evidence_only": true, "source_id": "backup_restore_dr" } ], "standard_frameworks": [ { "framework_id": "nist_csf_2_0", "integration_intent": "將資安監控與回應放進治理、辨識、防護、偵測、回應與復原閉環。", "label": "NIST CSF 2.0", "mapped_functions": [ "Govern", "Identify", "Protect", "Detect", "Respond", "Recover" ], "source_url": "https://www.nist.gov/cyberframework" }, { "framework_id": "nist_sp_800_61_r3", "integration_intent": "將事件處理生命週期轉成 IwoooS case gate、postcheck 與 lesson learned 回寫。", "label": "NIST SP 800-61 Rev. 3", "mapped_functions": [ "Prepare", "Detect", "Analyze", "Respond", "Recover", "Improve" ], "source_url": "https://csrc.nist.gov/pubs/sp/800/61/r3/final" }, { "framework_id": "cis_controls_v8_1", "integration_intent": "把資產、弱點、稽核日誌、惡意程式防護、復原與權限審查納入 IwoooS。", "label": "CIS Controls v8.1", "mapped_functions": [ "Inventory", "Vulnerability", "Audit Log", "Malware", "Recovery", "Access" ], "source_url": "https://www.cisecurity.org/controls/v8" }, { "framework_id": "cisa_zero_trust_maturity_model", "integration_intent": "以 identity、device、network、application、data 與 visibility / automation 作為零信任成熟度對照。", "label": "CISA Zero Trust Maturity Model", "mapped_functions": [ "Identity", "Devices", "Networks", "Applications", "Data", "Visibility" ], "source_url": "https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model" }, { "framework_id": "cisa_kev_prioritization", "integration_intent": "以已知遭利用漏洞作為漏洞修補與維護窗口排序依據。", "label": "CISA KEV 優先化", "mapped_functions": [ "Known exploited vulnerability", "Patch priority", "Owner SLA" ], "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "framework_id": "mitre_attack_d3fend", "integration_intent": "以 ATT&CK 描述攻擊行為與資料源,再用 D3FEND 對應防禦與驗證缺口。", "label": "MITRE ATT&CK / D3FEND", "mapped_functions": [ "Tactic", "Technique", "Data source", "Detection", "Mitigation", "Countermeasure" ], "source_url": "https://attack.mitre.org/" }, { "framework_id": "owasp_asvs_samm", "integration_intent": "把應用層安全驗證、secure SDLC 與 API / auth / logging 控制納入 IwoooS。", "label": "OWASP ASVS / SAMM", "mapped_functions": [ "Security requirement", "Verification", "Secure SDLC", "Logging", "Access control" ], "source_url": "https://owasp.org/www-project-application-security-verification-standard/" }, { "framework_id": "wazuh_xdr_siem", "integration_intent": "將 endpoint / host 訊號、檔案完整性、事件規則與 response 邊界納入 IwoooS。", "label": "Wazuh XDR / SIEM", "mapped_functions": [ "Agent telemetry", "FIM", "Rule", "Decoder", "Alert", "Active response dry-run" ], "source_url": "https://documentation.wazuh.com/current/index.html" }, { "framework_id": "wazuh_active_response_model", "integration_intent": "只採用 active response 的能力模型;IwoooS 目前只做 dry-run 與 rollback gate,不啟用 response。", "label": "Wazuh Active Response", "mapped_functions": [ "Trigger", "Command", "Scope", "Timeout", "Rollback", "Dry-run gate" ], "source_url": "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html" }, { "framework_id": "prometheus_alertmanager", "integration_intent": "把告警分組、去重、路由、抑制與 receipt 驗收納入 no-false-green 告警鏈。", "label": "Prometheus Alertmanager", "mapped_functions": [ "Grouping", "Deduplication", "Routing", "Silencing", "Inhibition", "Receipt" ], "source_url": "https://prometheus.io/docs/alerting/latest/alertmanager/" }, { "framework_id": "opentelemetry_observability", "integration_intent": "以 vendor-neutral telemetry 口徑把 traces、metrics、logs 與 resource 關聯到事件證據。", "label": "OpenTelemetry observability", "mapped_functions": [ "Trace", "Metric", "Log", "Resource", "Correlation", "Semantic convention" ], "source_url": "https://opentelemetry.io/docs/what-is-opentelemetry/" }, { "framework_id": "slsa_sigstore_sbom", "integration_intent": "把 build provenance、artifact integrity、SBOM 與簽章驗證轉成供應鏈 evidence lane。", "label": "SLSA / Sigstore / SBOM", "mapped_functions": [ "Provenance", "Build integrity", "Artifact signing", "SBOM", "Verification" ], "source_url": "https://slsa.dev/" }, { "framework_id": "ndr_ids_suricata_zeek", "integration_intent": "將網路偵測與封包層線索納入未來 NDR lane;IPS 仍需獨立批准。", "label": "Suricata / Zeek NDR", "mapped_functions": [ "Network detection", "Passive telemetry", "Rule hit", "Flow", "Future IPS gate" ], "source_url": "https://suricata.io/" }, { "framework_id": "kali_assessment_tooling", "integration_intent": "Kali 112 作為安全驗證與工具節點,先接只讀 health / scope / finding contract。", "label": "Kali assessment tooling", "mapped_functions": [ "Health", "Scope", "Safe crawl", "Tool version", "Finding normalization" ], "source_url": "https://www.kali.org/docs/" } ], "status": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action", "summary": { "action_button_count": 0, "active_response_enabled_count": 0, "alert_route_accepted_count": 0, "alertmanager_reload_authorized_count": 0, "auto_block_authorized_count": 0, "blocked_action_count": 103, "c0_control_candidate_count": 12, "c0_control_domain_count": 12, "c1_control_candidate_count": 8, "c1_control_domain_count": 4, "control_candidate_count": 20, "control_domain_count": 16, "coverage_percent_after_soc_integration_control": 78, "forensic_evidence_accepted_count": 0, "incident_case_accepted_count": 0, "incident_lifecycle_stage_count": 8, "kali_active_scan_authorized_count": 0, "kali_execute_authorized_count": 0, "kali_finding_envelope_accepted_count": 0, "kali_scope_ref_accepted_count": 0, "maturity_stage_count": 7, "monitoring_alerting_observability_coverage_percent_after_soc_control": 78, "operating_role_count": 9, "outcome_lane_count": 14, "owner_response_accepted_count": 0, "owner_response_received_count": 0, "p0_control_candidate_count": 12, "p1_control_candidate_count": 8, "prometheus_reload_authorized_count": 0, "required_owner_field_count": 42, "reviewer_check_count": 36, "runtime_gate_count": 0, "security_evidence_tooling_coverage_percent_after_soc_control": 88, "siem_correlation_rule_accepted_count": 0, "signal_source_count": 12, "soar_case_create_authorized_count": 0, "standard_framework_count": 14, "telegram_send_authorized_count": 0, "validation_gate_count": 18, "wazuh_event_ref_received_count": 0 }, "validation_gates": [ { "accepted": false, "gate_id": "asset_owner_mapping_verified", "runtime_gate_open": false }, { "accepted": false, "gate_id": "source_to_live_diff_available", "runtime_gate_open": false }, { "accepted": false, "gate_id": "redacted_evidence_refs_present", "runtime_gate_open": false }, { "accepted": false, "gate_id": "raw_payload_absence_attested", "runtime_gate_open": false }, { "accepted": false, "gate_id": "secret_value_absence_attested", "runtime_gate_open": false }, { "accepted": false, "gate_id": "wazuh_manager_registry_truth_received", "runtime_gate_open": false }, { "accepted": false, "gate_id": "kali_scope_and_finding_envelope_accepted", "runtime_gate_open": false }, { "accepted": false, "gate_id": "alert_route_receipt_available", "runtime_gate_open": false }, { "accepted": false, "gate_id": "incident_case_id_present", "runtime_gate_open": false }, { "accepted": false, "gate_id": "severity_confidence_mapping_reviewed", "runtime_gate_open": false }, { "accepted": false, "gate_id": "forensic_time_window_present", "runtime_gate_open": false }, { "accepted": false, "gate_id": "chain_of_custody_present", "runtime_gate_open": false }, { "accepted": false, "gate_id": "kev_or_cve_prioritization_done", "runtime_gate_open": false }, { "accepted": false, "gate_id": "rollback_owner_present", "runtime_gate_open": false }, { "accepted": false, "gate_id": "maintenance_window_present", "runtime_gate_open": false }, { "accepted": false, "gate_id": "postcheck_metrics_present", "runtime_gate_open": false }, { "accepted": false, "gate_id": "cross_project_sync_recorded", "runtime_gate_open": false }, { "accepted": false, "gate_id": "production_desktop_mobile_smoke_passed", "runtime_gate_open": false } ] }