Files
awoooi/docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json
ogt 20c2c81f85
Some checks failed
Code Review / ai-code-review (push) Successful in 14s
CD Pipeline / tests (push) Successful in 1m41s
CD Pipeline / build-and-deploy (push) Successful in 4m34s
CD Pipeline / post-deploy-checks (push) Successful in 1m43s
Ansible / Reboot Recovery Contract / validate (push) Has been cancelled
feat(iwooos): professionalize SOC operating model
2026-06-25 15:16:14 +08:00

1209 lines
36 KiB
JSON
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"blocked_actions": [
"call_wazuh_api_live",
"enable_wazuh_active_response",
"install_wazuh_agent",
"restart_wazuh_agent",
"change_wazuh_rule",
"change_wazuh_decoder",
"store_raw_wazuh_payload",
"read_wazuh_password",
"disable_wazuh_tls_verification",
"call_kali_scan",
"call_kali_execute",
"run_kali_active_scan",
"run_kali_credentialed_scan",
"run_nmap_scan",
"run_nuclei_scan",
"run_nikto_scan",
"run_trivy_scan_live",
"run_lynis_scan_live",
"update_kali_packages",
"reboot_kali_host",
"change_kali_service",
"ssh_to_host",
"sudo_action",
"read_host_live_log",
"read_host_env",
"write_host_file",
"kill_process",
"isolate_host",
"docker_restart",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_change",
"route_change",
"upstream_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"prometheus_reload",
"alertmanager_reload",
"grafana_dashboard_apply",
"signoz_rule_apply",
"sentry_config_change",
"langfuse_config_change",
"otel_collector_reload",
"receiver_route_change",
"silence_policy_change",
"telegram_send",
"notification_route_change",
"webhook_receiver_change",
"remote_write_change",
"exporter_deploy",
"live_alert_fire",
"alert_chain_smoke_live",
"create_soar_case_live",
"run_soar_playbook",
"auto_block_ip",
"auto_quarantine_endpoint",
"auto_rotate_secret",
"workflow_modification",
"gitea_action_dispatch",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_secret_hash",
"collect_partial_token",
"store_raw_packet",
"store_raw_log",
"store_unredacted_screenshot",
"database_migration",
"production_write",
"open_runtime_gate",
"add_action_button",
"force_push",
"sync_git_refs",
"switch_github_primary",
"change_codeowners",
"change_branch_protection",
"change_cors",
"disable_rate_limit"
],
"control_candidates": [
{
"control_id": "SOC-P0-01",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "資產與 owner 對應表先完整"
},
{
"control_id": "SOC-P0-02",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "Wazuh agent / manager / indexer / dashboard health ref 收件"
},
{
"control_id": "SOC-P0-03",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "Host auth / process / network / FIM 訊號正規化"
},
{
"control_id": "SOC-P0-04",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "Kali 112 health / tool version / scope approval 串接"
},
{
"control_id": "SOC-P0-05",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "Kali finding 只接脫敏 envelope不接 raw output"
},
{
"control_id": "SOC-P0-06",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "Prometheus / Alertmanager / Telegram 告警鏈 no-false-green"
},
{
"control_id": "SOC-P0-07",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "Sentry / SigNoz 與主機入侵線索關聯"
},
{
"control_id": "SOC-P0-08",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "Nginx / firewall / route / TLS / gateway drift 關聯到 SIEM"
},
{
"control_id": "SOC-P0-09",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "Gitea / runner / workflow / secret metadata 供應鏈關聯"
},
{
"control_id": "SOC-P0-10",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "CISA KEV / CVE / package / image 風險排序"
},
{
"control_id": "SOC-P0-11",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "Incident case / owner response / escalation queue"
},
{
"control_id": "SOC-P0-12",
"control_tier": "C0",
"owner_response_required": true,
"priority": "P0",
"runtime_gate_open": false,
"title": "鑑識證據、chain of custody、redaction 與保存期"
},
{
"control_id": "SOC-P1-13",
"control_tier": "C1",
"owner_response_required": true,
"priority": "P1",
"runtime_gate_open": false,
"title": "Suricata / NDR passive telemetry lane"
},
{
"control_id": "SOC-P1-14",
"control_tier": "C1",
"owner_response_required": true,
"priority": "P1",
"runtime_gate_open": false,
"title": "Web / API appsec logging 與 OWASP ASVS 驗證"
},
{
"control_id": "SOC-P1-15",
"control_tier": "C1",
"owner_response_required": true,
"priority": "P1",
"runtime_gate_open": false,
"title": "Backup / restore / DR recovery proof 串回 incident"
},
{
"control_id": "SOC-P1-16",
"control_tier": "C1",
"owner_response_required": true,
"priority": "P1",
"runtime_gate_open": false,
"title": "SOC KPI / dashboard / LOGBOOK / executive reporting"
},
{
"control_id": "SOC-P1-17",
"control_tier": "C1",
"owner_response_required": true,
"priority": "P1",
"runtime_gate_open": false,
"title": "SOAR draft / case automation 只建立候選,不自動封鎖"
},
{
"control_id": "SOC-P1-18",
"control_tier": "C1",
"owner_response_required": true,
"priority": "P1",
"runtime_gate_open": false,
"title": "Wazuh active response dry-run 與 rollback gate"
},
{
"control_id": "SOC-P1-19",
"control_tier": "C1",
"owner_response_required": true,
"priority": "P1",
"runtime_gate_open": false,
"title": "Kali active / credentialed scan approval package"
},
{
"control_id": "SOC-P1-20",
"control_tier": "C1",
"owner_response_required": true,
"priority": "P1",
"runtime_gate_open": false,
"title": "NDR / IPS / firewall containment promotion criteria"
}
],
"control_domains": [
{
"control_tier": "C0",
"domain_id": "asset_inventory_owner",
"label": "資產 / owner / attack surface inventory",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C0",
"domain_id": "endpoint_log_collection",
"label": "Endpoint / host / auth / process log collection",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C0",
"domain_id": "fim_persistence_detection",
"label": "FIM / persistence / malware signal",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C0",
"domain_id": "vulnerability_kev_prioritization",
"label": "CVE / KEV / package / image prioritization",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C0",
"domain_id": "network_detection_response",
"label": "NDR / IDS / firewall / WireGuard / NodePort evidence",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C0",
"domain_id": "wazuh_siem_correlation",
"label": "Wazuh SIEM correlation / rule / decoder readback",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C0",
"domain_id": "kali_assessment_orchestration",
"label": "Kali 112 scanner health / scope / finding normalization",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C0",
"domain_id": "alert_routing_noise_budget",
"label": "Alert routing / dedup / inhibit / noise budget",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C0",
"domain_id": "incident_case_management",
"label": "Incident / case / owner response / escalation",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C0",
"domain_id": "forensic_evidence_retention",
"label": "Forensic evidence retention / redaction / chain of custody",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C0",
"domain_id": "config_drift_control",
"label": "Nginx / host / K8s / runner / workflow config drift",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C0",
"domain_id": "supply_chain_ci_cd",
"label": "Gitea / runner / workflow / Harbor / SBOM / image evidence",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C1",
"domain_id": "identity_secret_access",
"label": "IAM / SSH / sudo / secret / token exposure control",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C1",
"domain_id": "web_api_appsec_logging",
"label": "Web / API appsec logging / auth / rate-limit / headers",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C1",
"domain_id": "backup_recovery_dr",
"label": "Backup / restore / escrow / DR recovery proof",
"owner_response_required": true,
"runtime_gate_open": false
},
{
"control_tier": "C1",
"domain_id": "executive_reporting_metrics",
"label": "Dashboard / KPI / LOGBOOK / no-false-green reporting",
"owner_response_required": true,
"runtime_gate_open": false
}
],
"execution_boundaries": {
"action_buttons_allowed": false,
"active_scan_authorized": false,
"alertmanager_reload_authorized": false,
"auto_block_authorized": false,
"credentialed_scan_authorized": false,
"firewall_change_authorized": false,
"host_write_authorized": false,
"kali_execute_authorized": false,
"kali_scan_authorized": false,
"nginx_reload_authorized": false,
"not_authorization": true,
"production_write_authorized": false,
"prometheus_reload_authorized": false,
"raw_payload_storage_allowed": false,
"runtime_execution_authorized": false,
"runtime_gate_open": false,
"secret_value_collection_allowed": false,
"soar_case_create_authorized": false,
"ssh_write_authorized": false,
"telegram_send_authorized": false,
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false
},
"generated_at": "2026-06-25T16:20:00+08:00",
"git_commit": "c07fefbe",
"incident_lifecycle_stages": [
{
"control_intent": "資產、owner、控制域、例外、權限與證據模板先就緒。",
"label": "準備與治理",
"runtime_gate_open": false,
"stage_id": "prepare_govern"
},
{
"control_intent": "Wazuh、Alertmanager、SigNoz、Sentry、Nginx、K8s、Gitea 訊號統一成脫敏事件。",
"label": "偵測與正規化",
"runtime_gate_open": false,
"stage_id": "detect_normalize"
},
{
"control_intent": "用 severity、confidence、KEV、ATT&CK、asset criticality 與 noise budget 排序。",
"label": "分流與排序",
"runtime_gate_open": false,
"stage_id": "triage_prioritize"
},
{
"control_intent": "串 Wazuh event、Kali scope、host forensic、gateway diff、supply-chain 與 timeline refs。",
"label": "調查與關聯",
"runtime_gate_open": false,
"stage_id": "investigate_correlate"
},
{
"control_intent": "只產生 containment 候選;無 owner、rollback、maintenance window 不得執行。",
"label": "圍堵決策",
"runtime_gate_open": false,
"stage_id": "containment_decision"
},
{
"control_intent": "清除、修補、還原與服務恢復都必須有 postcheck 與 no-false-green 證據。",
"label": "清除與復原",
"runtime_gate_open": false,
"stage_id": "eradicate_recover"
},
{
"control_intent": "回寫 detection gap、false positive、playbook、owner SLA、LOGBOOK 與風險例外。",
"label": "事後學習",
"runtime_gate_open": false,
"stage_id": "post_incident_learning"
},
{
"control_intent": "用 KPI、演練、tabletop、purple-team 與 evidence aging 收斂下一輪優先序。",
"label": "持續改善",
"runtime_gate_open": false,
"stage_id": "continuous_improvement"
}
],
"maturity_stages": [
{
"entry_criteria": "工具與文件分散,不能宣稱 SOC 形成。",
"label": "分散觀測",
"runtime_gate_open": false,
"stage_id": "L0"
},
{
"entry_criteria": "repo / snapshot / guard / frontstage marker 可重跑runtime 維持 0。",
"label": "只讀證據",
"runtime_gate_open": false,
"stage_id": "L1"
},
{
"entry_criteria": "owner、scope、evidence refs、rollback、postcheck 與 redaction 證明可驗收。",
"label": "Owner Packet",
"runtime_gate_open": false,
"stage_id": "L2"
},
{
"entry_criteria": "在獨立批准後接只讀 live metadata仍不執行 response。",
"label": "Live Metadata 只讀",
"runtime_gate_open": false,
"stage_id": "L3"
},
{
"entry_criteria": "SOAR / active response / scan 只跑 dry-run、blast radius 與 rollback 演練。",
"label": "Dry-run Automation",
"runtime_gate_open": false,
"stage_id": "L4"
},
{
"entry_criteria": "人工批准、維護窗口與 postcheck 完成後,才允許可回滾 response。",
"label": "Human-approved Response",
"runtime_gate_open": false,
"stage_id": "L5"
},
{
"entry_criteria": "僅低風險、可回滾、已演練、有 receipt 的動作可逐步自動化。",
"label": "Governed Low-risk Autonomy",
"runtime_gate_open": false,
"stage_id": "L6"
}
],
"operating_roles": [
{
"label": "IwoooS 控制負責人",
"responsibility": "維護控制域、例外、進度口徑與 LOGBOOK不能直接開 runtime。",
"role_id": "iwooos_control_owner",
"runtime_gate_open": false
},
{
"label": "SOC 審查人",
"responsibility": "審查 Wazuh / Kali / alert / forensic refs 是否脫敏、可交叉驗證。",
"role_id": "soc_reviewer",
"runtime_gate_open": false
},
{
"label": "事故指揮",
"responsibility": "在 incident case 中確認 severity、scope、containment 候選與升級路線。",
"role_id": "incident_commander",
"runtime_gate_open": false
},
{
"label": "平台負責人",
"responsibility": "負責 Nginx、K8s、Docker、systemd、runner 與 release impact 判讀。",
"role_id": "platform_owner",
"runtime_gate_open": false
},
{
"label": "服務負責人",
"responsibility": "負責產品 / API / website / webhook 的影響範圍、驗證與回復責任。",
"role_id": "service_owner",
"runtime_gate_open": false
},
{
"label": "證據保管人",
"responsibility": "維護 redacted evidence refs、chain of custody、retention 與 raw absence 證明。",
"role_id": "evidence_custodian",
"runtime_gate_open": false
},
{
"label": "變更管理人",
"responsibility": "確認維護窗口、rollback owner、postcheck 與跨專案同步。",
"role_id": "change_manager",
"runtime_gate_open": false
},
{
"label": "AI 安全審查人",
"responsibility": "審核 AI agent tool 權限、prompt redaction、過度代理與成本邊界。",
"role_id": "ai_security_reviewer",
"runtime_gate_open": false
},
{
"label": "風險負責人",
"responsibility": "接受風險、例外期限、治理報告與資源優先序。",
"role_id": "executive_risk_owner",
"runtime_gate_open": false
}
],
"outcome_lanes": [
{
"lane_id": "waiting_soc_owner_packet",
"runtime_gate_open": false
},
{
"lane_id": "request_wazuh_event_supplement",
"runtime_gate_open": false
},
{
"lane_id": "request_kali_scope_supplement",
"runtime_gate_open": false
},
{
"lane_id": "request_host_forensic_supplement",
"runtime_gate_open": false
},
{
"lane_id": "request_alert_chain_supplement",
"runtime_gate_open": false
},
{
"lane_id": "request_gateway_diff_supplement",
"runtime_gate_open": false
},
{
"lane_id": "request_supply_chain_supplement",
"runtime_gate_open": false
},
{
"lane_id": "request_kev_cve_supplement",
"runtime_gate_open": false
},
{
"lane_id": "quarantine_secret_or_raw_payload",
"runtime_gate_open": false
},
{
"lane_id": "reject_claim_without_cross_evidence",
"runtime_gate_open": false
},
{
"lane_id": "ready_for_soc_reviewer_review",
"runtime_gate_open": false
},
{
"lane_id": "waiting_runtime_authorization",
"runtime_gate_open": false
},
{
"lane_id": "blocked_no_rollback_or_postcheck",
"runtime_gate_open": false
},
{
"lane_id": "route_to_high_value_config_gate",
"runtime_gate_open": false
}
],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"asset_owner_map_ref",
"signal_source_refs",
"wazuh_manager_ref",
"wazuh_agent_status_refs",
"wazuh_event_refs",
"kali_scope_ref",
"kali_health_ref",
"kali_finding_envelope_ref",
"prometheus_alert_ref",
"alertmanager_route_ref",
"signoz_trace_ref",
"sentry_issue_ref",
"host_forensic_refs",
"fim_or_persistence_refs",
"network_detection_refs",
"gateway_config_diff_refs",
"runner_workflow_refs",
"container_sbom_refs",
"kev_or_cve_refs",
"incident_case_ref",
"severity_mapping_ref",
"confidence_mapping_ref",
"noise_budget_ref",
"dedupe_fingerprint_ref",
"redacted_evidence_refs",
"raw_payload_absence_attestation",
"secret_value_absence_attestation",
"chain_of_custody_ref",
"retention_policy_ref",
"maintenance_window",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"cross_project_sync_ref",
"followup_owner"
],
"reviewer_checks": [
{
"check_id": "soc_review_01",
"instruction": "owner role / team 必填"
},
{
"check_id": "soc_review_02",
"instruction": "asset alias 必須脫敏"
},
{
"check_id": "soc_review_03",
"instruction": "Wazuh event ref 不得是 raw payload"
},
{
"check_id": "soc_review_04",
"instruction": "Kali finding 只能接 normalized envelope"
},
{
"check_id": "soc_review_05",
"instruction": "Kali active scan 必須獨立批准"
},
{
"check_id": "soc_review_06",
"instruction": "Kali /execute 必須維持封鎖"
},
{
"check_id": "soc_review_07",
"instruction": "Prometheus / Alertmanager reload 未授權"
},
{
"check_id": "soc_review_08",
"instruction": "Telegram 實發未授權"
},
{
"check_id": "soc_review_09",
"instruction": "Sentry / SigNoz 只能作關聯證據"
},
{
"check_id": "soc_review_10",
"instruction": "route 200 不得當資安通過"
},
{
"check_id": "soc_review_11",
"instruction": "agent active 不得當入侵清除"
},
{
"check_id": "soc_review_12",
"instruction": "dashboard up 不得當事件結案"
},
{
"check_id": "soc_review_13",
"instruction": "host forensic refs 必須含時間窗"
},
{
"check_id": "soc_review_14",
"instruction": "FIM / persistence refs 必須標示來源"
},
{
"check_id": "soc_review_15",
"instruction": "network detection refs 不得含 raw packet payload"
},
{
"check_id": "soc_review_16",
"instruction": "secret value / hash / partial token 一律拒收"
},
{
"check_id": "soc_review_17",
"instruction": "runner / workflow / deploy key 只收 metadata"
},
{
"check_id": "soc_review_18",
"instruction": "CVE / KEV 必須有 owner 與 SLA"
},
{
"check_id": "soc_review_19",
"instruction": "false positive handling 必須可追蹤"
},
{
"check_id": "soc_review_20",
"instruction": "dedupe fingerprint 必須穩定"
},
{
"check_id": "soc_review_21",
"instruction": "noise budget 必須列收斂策略"
},
{
"check_id": "soc_review_22",
"instruction": "case escalation 必須有 owner"
},
{
"check_id": "soc_review_23",
"instruction": "maintenance window 必須存在"
},
{
"check_id": "soc_review_24",
"instruction": "rollback owner 必須存在"
},
{
"check_id": "soc_review_25",
"instruction": "postcheck 必須獨立"
},
{
"check_id": "soc_review_26",
"instruction": "cross-project sync 必須存在"
},
{
"check_id": "soc_review_27",
"instruction": "LOGBOOK 更新不能含內部逐字稿"
},
{
"check_id": "soc_review_28",
"instruction": "前台不得顯示個人 namespace 原文"
},
{
"check_id": "soc_review_29",
"instruction": "SOAR 只能 draft 不得 auto block"
},
{
"check_id": "soc_review_30",
"instruction": "active response 先 dry-run"
},
{
"check_id": "soc_review_31",
"instruction": "NDR / IPS 不能直接進 blocking"
},
{
"check_id": "soc_review_32",
"instruction": "firewall containment 必須 break-glass 或維護窗口"
},
{
"check_id": "soc_review_33",
"instruction": "package patch 需維護窗口"
},
{
"check_id": "soc_review_34",
"instruction": "backup / restore proof 不能用備份存在代替"
},
{
"check_id": "soc_review_35",
"instruction": "all accepted / authorized / executed counters 必須維持 0"
},
{
"check_id": "soc_review_36",
"instruction": "runtime gate 必須維持 0"
}
],
"schema_version": "soc_siem_kali_wazuh_integration_control_v1",
"signal_sources": [
{
"label": "Wazuh endpoint / agent / FIM alerts",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "wazuh_endpoint_alerts"
},
{
"label": "Kali 112 health / scope / normalized findings",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "kali_112_health_findings"
},
{
"label": "Prometheus / Alertmanager rules and delivery chain",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "prometheus_alertmanager"
},
{
"label": "SigNoz traces / metrics / errors",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "signoz_apm_traces"
},
{
"label": "Sentry application and frontend errors",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "sentry_application_errors"
},
{
"label": "Nginx / gateway / TLS / ACME / upstream evidence",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "nginx_gateway_tls"
},
{
"label": "Host auth / process / network / package evidence",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "host_auth_process_network"
},
{
"label": "Docker / systemd / process / port binding evidence",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "docker_systemd_runtime"
},
{
"label": "K8s / ArgoCD / RBAC / NetworkPolicy evidence",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "k8s_argocd_gitops"
},
{
"label": "Gitea / runner / workflow / deploy key evidence",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "gitea_runner_workflow"
},
{
"label": "Harbor / registry / container image / SBOM evidence",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "harbor_container_sbom"
},
{
"label": "Backup / restore / offsite / escrow / cold-start evidence",
"live_query_authorized": false,
"redacted_evidence_only": true,
"source_id": "backup_restore_dr"
}
],
"standard_frameworks": [
{
"framework_id": "nist_csf_2_0",
"integration_intent": "將資安監控與回應放進治理、辨識、防護、偵測、回應與復原閉環。",
"label": "NIST CSF 2.0",
"mapped_functions": [
"Govern",
"Identify",
"Protect",
"Detect",
"Respond",
"Recover"
],
"source_url": "https://www.nist.gov/cyberframework"
},
{
"framework_id": "nist_sp_800_61_r3",
"integration_intent": "將事件處理生命週期轉成 IwoooS case gate、postcheck 與 lesson learned 回寫。",
"label": "NIST SP 800-61 Rev. 3",
"mapped_functions": [
"Prepare",
"Detect",
"Analyze",
"Respond",
"Recover",
"Improve"
],
"source_url": "https://csrc.nist.gov/pubs/sp/800/61/r3/final"
},
{
"framework_id": "cis_controls_v8_1",
"integration_intent": "把資產、弱點、稽核日誌、惡意程式防護、復原與權限審查納入 IwoooS。",
"label": "CIS Controls v8.1",
"mapped_functions": [
"Inventory",
"Vulnerability",
"Audit Log",
"Malware",
"Recovery",
"Access"
],
"source_url": "https://www.cisecurity.org/controls/v8"
},
{
"framework_id": "cisa_zero_trust_maturity_model",
"integration_intent": "以 identity、device、network、application、data 與 visibility / automation 作為零信任成熟度對照。",
"label": "CISA Zero Trust Maturity Model",
"mapped_functions": [
"Identity",
"Devices",
"Networks",
"Applications",
"Data",
"Visibility"
],
"source_url": "https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model"
},
{
"framework_id": "cisa_kev_prioritization",
"integration_intent": "以已知遭利用漏洞作為漏洞修補與維護窗口排序依據。",
"label": "CISA KEV 優先化",
"mapped_functions": [
"Known exploited vulnerability",
"Patch priority",
"Owner SLA"
],
"source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"framework_id": "mitre_attack_d3fend",
"integration_intent": "以 ATT&CK 描述攻擊行為與資料源,再用 D3FEND 對應防禦與驗證缺口。",
"label": "MITRE ATT&CK / D3FEND",
"mapped_functions": [
"Tactic",
"Technique",
"Data source",
"Detection",
"Mitigation",
"Countermeasure"
],
"source_url": "https://attack.mitre.org/"
},
{
"framework_id": "owasp_asvs_samm",
"integration_intent": "把應用層安全驗證、secure SDLC 與 API / auth / logging 控制納入 IwoooS。",
"label": "OWASP ASVS / SAMM",
"mapped_functions": [
"Security requirement",
"Verification",
"Secure SDLC",
"Logging",
"Access control"
],
"source_url": "https://owasp.org/www-project-application-security-verification-standard/"
},
{
"framework_id": "wazuh_xdr_siem",
"integration_intent": "將 endpoint / host 訊號、檔案完整性、事件規則與 response 邊界納入 IwoooS。",
"label": "Wazuh XDR / SIEM",
"mapped_functions": [
"Agent telemetry",
"FIM",
"Rule",
"Decoder",
"Alert",
"Active response dry-run"
],
"source_url": "https://documentation.wazuh.com/current/index.html"
},
{
"framework_id": "wazuh_active_response_model",
"integration_intent": "只採用 active response 的能力模型IwoooS 目前只做 dry-run 與 rollback gate不啟用 response。",
"label": "Wazuh Active Response",
"mapped_functions": [
"Trigger",
"Command",
"Scope",
"Timeout",
"Rollback",
"Dry-run gate"
],
"source_url": "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html"
},
{
"framework_id": "prometheus_alertmanager",
"integration_intent": "把告警分組、去重、路由、抑制與 receipt 驗收納入 no-false-green 告警鏈。",
"label": "Prometheus Alertmanager",
"mapped_functions": [
"Grouping",
"Deduplication",
"Routing",
"Silencing",
"Inhibition",
"Receipt"
],
"source_url": "https://prometheus.io/docs/alerting/latest/alertmanager/"
},
{
"framework_id": "opentelemetry_observability",
"integration_intent": "以 vendor-neutral telemetry 口徑把 traces、metrics、logs 與 resource 關聯到事件證據。",
"label": "OpenTelemetry observability",
"mapped_functions": [
"Trace",
"Metric",
"Log",
"Resource",
"Correlation",
"Semantic convention"
],
"source_url": "https://opentelemetry.io/docs/what-is-opentelemetry/"
},
{
"framework_id": "slsa_sigstore_sbom",
"integration_intent": "把 build provenance、artifact integrity、SBOM 與簽章驗證轉成供應鏈 evidence lane。",
"label": "SLSA / Sigstore / SBOM",
"mapped_functions": [
"Provenance",
"Build integrity",
"Artifact signing",
"SBOM",
"Verification"
],
"source_url": "https://slsa.dev/"
},
{
"framework_id": "ndr_ids_suricata_zeek",
"integration_intent": "將網路偵測與封包層線索納入未來 NDR laneIPS 仍需獨立批准。",
"label": "Suricata / Zeek NDR",
"mapped_functions": [
"Network detection",
"Passive telemetry",
"Rule hit",
"Flow",
"Future IPS gate"
],
"source_url": "https://suricata.io/"
},
{
"framework_id": "kali_assessment_tooling",
"integration_intent": "Kali 112 作為安全驗證與工具節點,先接只讀 health / scope / finding contract。",
"label": "Kali assessment tooling",
"mapped_functions": [
"Health",
"Scope",
"Safe crawl",
"Tool version",
"Finding normalization"
],
"source_url": "https://www.kali.org/docs/"
}
],
"status": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action",
"summary": {
"action_button_count": 0,
"active_response_enabled_count": 0,
"alert_route_accepted_count": 0,
"alertmanager_reload_authorized_count": 0,
"auto_block_authorized_count": 0,
"blocked_action_count": 103,
"c0_control_candidate_count": 12,
"c0_control_domain_count": 12,
"c1_control_candidate_count": 8,
"c1_control_domain_count": 4,
"control_candidate_count": 20,
"control_domain_count": 16,
"coverage_percent_after_soc_integration_control": 78,
"forensic_evidence_accepted_count": 0,
"incident_case_accepted_count": 0,
"incident_lifecycle_stage_count": 8,
"kali_active_scan_authorized_count": 0,
"kali_execute_authorized_count": 0,
"kali_finding_envelope_accepted_count": 0,
"kali_scope_ref_accepted_count": 0,
"maturity_stage_count": 7,
"monitoring_alerting_observability_coverage_percent_after_soc_control": 78,
"operating_role_count": 9,
"outcome_lane_count": 14,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"p0_control_candidate_count": 12,
"p1_control_candidate_count": 8,
"prometheus_reload_authorized_count": 0,
"required_owner_field_count": 42,
"reviewer_check_count": 36,
"runtime_gate_count": 0,
"security_evidence_tooling_coverage_percent_after_soc_control": 88,
"siem_correlation_rule_accepted_count": 0,
"signal_source_count": 12,
"soar_case_create_authorized_count": 0,
"standard_framework_count": 14,
"telegram_send_authorized_count": 0,
"validation_gate_count": 18,
"wazuh_event_ref_received_count": 0
},
"validation_gates": [
{
"accepted": false,
"gate_id": "asset_owner_mapping_verified",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "source_to_live_diff_available",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "redacted_evidence_refs_present",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "raw_payload_absence_attested",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "secret_value_absence_attested",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "wazuh_manager_registry_truth_received",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "kali_scope_and_finding_envelope_accepted",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "alert_route_receipt_available",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "incident_case_id_present",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "severity_confidence_mapping_reviewed",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "forensic_time_window_present",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "chain_of_custody_present",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "kev_or_cve_prioritization_done",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "rollback_owner_present",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "maintenance_window_present",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "postcheck_metrics_present",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "cross_project_sync_recorded",
"runtime_gate_open": false
},
{
"accepted": false,
"gate_id": "production_desktop_mobile_smoke_passed",
"runtime_gate_open": false
}
]
}