Some checks failed
Code Review / ai-code-review (push) Successful in 14s
CD Pipeline / tests (push) Successful in 1m41s
CD Pipeline / build-and-deploy (push) Successful in 4m34s
CD Pipeline / post-deploy-checks (push) Successful in 1m43s
Ansible / Reboot Recovery Contract / validate (push) Has been cancelled
1209 lines
36 KiB
JSON
1209 lines
36 KiB
JSON
{
|
||
"blocked_actions": [
|
||
"call_wazuh_api_live",
|
||
"enable_wazuh_active_response",
|
||
"install_wazuh_agent",
|
||
"restart_wazuh_agent",
|
||
"change_wazuh_rule",
|
||
"change_wazuh_decoder",
|
||
"store_raw_wazuh_payload",
|
||
"read_wazuh_password",
|
||
"disable_wazuh_tls_verification",
|
||
"call_kali_scan",
|
||
"call_kali_execute",
|
||
"run_kali_active_scan",
|
||
"run_kali_credentialed_scan",
|
||
"run_nmap_scan",
|
||
"run_nuclei_scan",
|
||
"run_nikto_scan",
|
||
"run_trivy_scan_live",
|
||
"run_lynis_scan_live",
|
||
"update_kali_packages",
|
||
"reboot_kali_host",
|
||
"change_kali_service",
|
||
"ssh_to_host",
|
||
"sudo_action",
|
||
"read_host_live_log",
|
||
"read_host_env",
|
||
"write_host_file",
|
||
"kill_process",
|
||
"isolate_host",
|
||
"docker_restart",
|
||
"docker_compose_up",
|
||
"docker_compose_down",
|
||
"systemctl_restart",
|
||
"systemctl_stop",
|
||
"systemctl_start",
|
||
"nginx_test",
|
||
"nginx_reload",
|
||
"nginx_conf_write",
|
||
"certbot_renew",
|
||
"dns_change",
|
||
"route_change",
|
||
"upstream_change",
|
||
"firewall_drop",
|
||
"firewall_allow",
|
||
"port_close",
|
||
"port_open",
|
||
"wireguard_change",
|
||
"nodeport_change",
|
||
"network_policy_apply",
|
||
"argocd_sync",
|
||
"kubectl_apply",
|
||
"kubectl_delete",
|
||
"helm_upgrade",
|
||
"rbac_change",
|
||
"k8s_secret_change",
|
||
"prometheus_reload",
|
||
"alertmanager_reload",
|
||
"grafana_dashboard_apply",
|
||
"signoz_rule_apply",
|
||
"sentry_config_change",
|
||
"langfuse_config_change",
|
||
"otel_collector_reload",
|
||
"receiver_route_change",
|
||
"silence_policy_change",
|
||
"telegram_send",
|
||
"notification_route_change",
|
||
"webhook_receiver_change",
|
||
"remote_write_change",
|
||
"exporter_deploy",
|
||
"live_alert_fire",
|
||
"alert_chain_smoke_live",
|
||
"create_soar_case_live",
|
||
"run_soar_playbook",
|
||
"auto_block_ip",
|
||
"auto_quarantine_endpoint",
|
||
"auto_rotate_secret",
|
||
"workflow_modification",
|
||
"gitea_action_dispatch",
|
||
"runner_config_change",
|
||
"deploy_key_change",
|
||
"webhook_change",
|
||
"repo_secret_change",
|
||
"secret_store_read",
|
||
"collect_password",
|
||
"collect_private_key",
|
||
"collect_runner_token",
|
||
"collect_webhook_secret",
|
||
"collect_cookie_or_session",
|
||
"collect_secret_hash",
|
||
"collect_partial_token",
|
||
"store_raw_packet",
|
||
"store_raw_log",
|
||
"store_unredacted_screenshot",
|
||
"database_migration",
|
||
"production_write",
|
||
"open_runtime_gate",
|
||
"add_action_button",
|
||
"force_push",
|
||
"sync_git_refs",
|
||
"switch_github_primary",
|
||
"change_codeowners",
|
||
"change_branch_protection",
|
||
"change_cors",
|
||
"disable_rate_limit"
|
||
],
|
||
"control_candidates": [
|
||
{
|
||
"control_id": "SOC-P0-01",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "資產與 owner 對應表先完整"
|
||
},
|
||
{
|
||
"control_id": "SOC-P0-02",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "Wazuh agent / manager / indexer / dashboard health ref 收件"
|
||
},
|
||
{
|
||
"control_id": "SOC-P0-03",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "Host auth / process / network / FIM 訊號正規化"
|
||
},
|
||
{
|
||
"control_id": "SOC-P0-04",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "Kali 112 health / tool version / scope approval 串接"
|
||
},
|
||
{
|
||
"control_id": "SOC-P0-05",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "Kali finding 只接脫敏 envelope,不接 raw output"
|
||
},
|
||
{
|
||
"control_id": "SOC-P0-06",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "Prometheus / Alertmanager / Telegram 告警鏈 no-false-green"
|
||
},
|
||
{
|
||
"control_id": "SOC-P0-07",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "Sentry / SigNoz 與主機入侵線索關聯"
|
||
},
|
||
{
|
||
"control_id": "SOC-P0-08",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "Nginx / firewall / route / TLS / gateway drift 關聯到 SIEM"
|
||
},
|
||
{
|
||
"control_id": "SOC-P0-09",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "Gitea / runner / workflow / secret metadata 供應鏈關聯"
|
||
},
|
||
{
|
||
"control_id": "SOC-P0-10",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "CISA KEV / CVE / package / image 風險排序"
|
||
},
|
||
{
|
||
"control_id": "SOC-P0-11",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "Incident case / owner response / escalation queue"
|
||
},
|
||
{
|
||
"control_id": "SOC-P0-12",
|
||
"control_tier": "C0",
|
||
"owner_response_required": true,
|
||
"priority": "P0",
|
||
"runtime_gate_open": false,
|
||
"title": "鑑識證據、chain of custody、redaction 與保存期"
|
||
},
|
||
{
|
||
"control_id": "SOC-P1-13",
|
||
"control_tier": "C1",
|
||
"owner_response_required": true,
|
||
"priority": "P1",
|
||
"runtime_gate_open": false,
|
||
"title": "Suricata / NDR passive telemetry lane"
|
||
},
|
||
{
|
||
"control_id": "SOC-P1-14",
|
||
"control_tier": "C1",
|
||
"owner_response_required": true,
|
||
"priority": "P1",
|
||
"runtime_gate_open": false,
|
||
"title": "Web / API appsec logging 與 OWASP ASVS 驗證"
|
||
},
|
||
{
|
||
"control_id": "SOC-P1-15",
|
||
"control_tier": "C1",
|
||
"owner_response_required": true,
|
||
"priority": "P1",
|
||
"runtime_gate_open": false,
|
||
"title": "Backup / restore / DR recovery proof 串回 incident"
|
||
},
|
||
{
|
||
"control_id": "SOC-P1-16",
|
||
"control_tier": "C1",
|
||
"owner_response_required": true,
|
||
"priority": "P1",
|
||
"runtime_gate_open": false,
|
||
"title": "SOC KPI / dashboard / LOGBOOK / executive reporting"
|
||
},
|
||
{
|
||
"control_id": "SOC-P1-17",
|
||
"control_tier": "C1",
|
||
"owner_response_required": true,
|
||
"priority": "P1",
|
||
"runtime_gate_open": false,
|
||
"title": "SOAR draft / case automation 只建立候選,不自動封鎖"
|
||
},
|
||
{
|
||
"control_id": "SOC-P1-18",
|
||
"control_tier": "C1",
|
||
"owner_response_required": true,
|
||
"priority": "P1",
|
||
"runtime_gate_open": false,
|
||
"title": "Wazuh active response dry-run 與 rollback gate"
|
||
},
|
||
{
|
||
"control_id": "SOC-P1-19",
|
||
"control_tier": "C1",
|
||
"owner_response_required": true,
|
||
"priority": "P1",
|
||
"runtime_gate_open": false,
|
||
"title": "Kali active / credentialed scan approval package"
|
||
},
|
||
{
|
||
"control_id": "SOC-P1-20",
|
||
"control_tier": "C1",
|
||
"owner_response_required": true,
|
||
"priority": "P1",
|
||
"runtime_gate_open": false,
|
||
"title": "NDR / IPS / firewall containment promotion criteria"
|
||
}
|
||
],
|
||
"control_domains": [
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "asset_inventory_owner",
|
||
"label": "資產 / owner / attack surface inventory",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "endpoint_log_collection",
|
||
"label": "Endpoint / host / auth / process log collection",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "fim_persistence_detection",
|
||
"label": "FIM / persistence / malware signal",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "vulnerability_kev_prioritization",
|
||
"label": "CVE / KEV / package / image prioritization",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "network_detection_response",
|
||
"label": "NDR / IDS / firewall / WireGuard / NodePort evidence",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "wazuh_siem_correlation",
|
||
"label": "Wazuh SIEM correlation / rule / decoder readback",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "kali_assessment_orchestration",
|
||
"label": "Kali 112 scanner health / scope / finding normalization",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "alert_routing_noise_budget",
|
||
"label": "Alert routing / dedup / inhibit / noise budget",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "incident_case_management",
|
||
"label": "Incident / case / owner response / escalation",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "forensic_evidence_retention",
|
||
"label": "Forensic evidence retention / redaction / chain of custody",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "config_drift_control",
|
||
"label": "Nginx / host / K8s / runner / workflow config drift",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C0",
|
||
"domain_id": "supply_chain_ci_cd",
|
||
"label": "Gitea / runner / workflow / Harbor / SBOM / image evidence",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C1",
|
||
"domain_id": "identity_secret_access",
|
||
"label": "IAM / SSH / sudo / secret / token exposure control",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C1",
|
||
"domain_id": "web_api_appsec_logging",
|
||
"label": "Web / API appsec logging / auth / rate-limit / headers",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C1",
|
||
"domain_id": "backup_recovery_dr",
|
||
"label": "Backup / restore / escrow / DR recovery proof",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"control_tier": "C1",
|
||
"domain_id": "executive_reporting_metrics",
|
||
"label": "Dashboard / KPI / LOGBOOK / no-false-green reporting",
|
||
"owner_response_required": true,
|
||
"runtime_gate_open": false
|
||
}
|
||
],
|
||
"execution_boundaries": {
|
||
"action_buttons_allowed": false,
|
||
"active_scan_authorized": false,
|
||
"alertmanager_reload_authorized": false,
|
||
"auto_block_authorized": false,
|
||
"credentialed_scan_authorized": false,
|
||
"firewall_change_authorized": false,
|
||
"host_write_authorized": false,
|
||
"kali_execute_authorized": false,
|
||
"kali_scan_authorized": false,
|
||
"nginx_reload_authorized": false,
|
||
"not_authorization": true,
|
||
"production_write_authorized": false,
|
||
"prometheus_reload_authorized": false,
|
||
"raw_payload_storage_allowed": false,
|
||
"runtime_execution_authorized": false,
|
||
"runtime_gate_open": false,
|
||
"secret_value_collection_allowed": false,
|
||
"soar_case_create_authorized": false,
|
||
"ssh_write_authorized": false,
|
||
"telegram_send_authorized": false,
|
||
"wazuh_active_response_authorized": false,
|
||
"wazuh_api_live_query_authorized": false
|
||
},
|
||
"generated_at": "2026-06-25T16:20:00+08:00",
|
||
"git_commit": "c07fefbe",
|
||
"incident_lifecycle_stages": [
|
||
{
|
||
"control_intent": "資產、owner、控制域、例外、權限與證據模板先就緒。",
|
||
"label": "準備與治理",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "prepare_govern"
|
||
},
|
||
{
|
||
"control_intent": "Wazuh、Alertmanager、SigNoz、Sentry、Nginx、K8s、Gitea 訊號統一成脫敏事件。",
|
||
"label": "偵測與正規化",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "detect_normalize"
|
||
},
|
||
{
|
||
"control_intent": "用 severity、confidence、KEV、ATT&CK、asset criticality 與 noise budget 排序。",
|
||
"label": "分流與排序",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "triage_prioritize"
|
||
},
|
||
{
|
||
"control_intent": "串 Wazuh event、Kali scope、host forensic、gateway diff、supply-chain 與 timeline refs。",
|
||
"label": "調查與關聯",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "investigate_correlate"
|
||
},
|
||
{
|
||
"control_intent": "只產生 containment 候選;無 owner、rollback、maintenance window 不得執行。",
|
||
"label": "圍堵決策",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "containment_decision"
|
||
},
|
||
{
|
||
"control_intent": "清除、修補、還原與服務恢復都必須有 postcheck 與 no-false-green 證據。",
|
||
"label": "清除與復原",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "eradicate_recover"
|
||
},
|
||
{
|
||
"control_intent": "回寫 detection gap、false positive、playbook、owner SLA、LOGBOOK 與風險例外。",
|
||
"label": "事後學習",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "post_incident_learning"
|
||
},
|
||
{
|
||
"control_intent": "用 KPI、演練、tabletop、purple-team 與 evidence aging 收斂下一輪優先序。",
|
||
"label": "持續改善",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "continuous_improvement"
|
||
}
|
||
],
|
||
"maturity_stages": [
|
||
{
|
||
"entry_criteria": "工具與文件分散,不能宣稱 SOC 形成。",
|
||
"label": "分散觀測",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "L0"
|
||
},
|
||
{
|
||
"entry_criteria": "repo / snapshot / guard / frontstage marker 可重跑,runtime 維持 0。",
|
||
"label": "只讀證據",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "L1"
|
||
},
|
||
{
|
||
"entry_criteria": "owner、scope、evidence refs、rollback、postcheck 與 redaction 證明可驗收。",
|
||
"label": "Owner Packet",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "L2"
|
||
},
|
||
{
|
||
"entry_criteria": "在獨立批准後接只讀 live metadata,仍不執行 response。",
|
||
"label": "Live Metadata 只讀",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "L3"
|
||
},
|
||
{
|
||
"entry_criteria": "SOAR / active response / scan 只跑 dry-run、blast radius 與 rollback 演練。",
|
||
"label": "Dry-run Automation",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "L4"
|
||
},
|
||
{
|
||
"entry_criteria": "人工批准、維護窗口與 postcheck 完成後,才允許可回滾 response。",
|
||
"label": "Human-approved Response",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "L5"
|
||
},
|
||
{
|
||
"entry_criteria": "僅低風險、可回滾、已演練、有 receipt 的動作可逐步自動化。",
|
||
"label": "Governed Low-risk Autonomy",
|
||
"runtime_gate_open": false,
|
||
"stage_id": "L6"
|
||
}
|
||
],
|
||
"operating_roles": [
|
||
{
|
||
"label": "IwoooS 控制負責人",
|
||
"responsibility": "維護控制域、例外、進度口徑與 LOGBOOK;不能直接開 runtime。",
|
||
"role_id": "iwooos_control_owner",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"label": "SOC 審查人",
|
||
"responsibility": "審查 Wazuh / Kali / alert / forensic refs 是否脫敏、可交叉驗證。",
|
||
"role_id": "soc_reviewer",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"label": "事故指揮",
|
||
"responsibility": "在 incident case 中確認 severity、scope、containment 候選與升級路線。",
|
||
"role_id": "incident_commander",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"label": "平台負責人",
|
||
"responsibility": "負責 Nginx、K8s、Docker、systemd、runner 與 release impact 判讀。",
|
||
"role_id": "platform_owner",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"label": "服務負責人",
|
||
"responsibility": "負責產品 / API / website / webhook 的影響範圍、驗證與回復責任。",
|
||
"role_id": "service_owner",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"label": "證據保管人",
|
||
"responsibility": "維護 redacted evidence refs、chain of custody、retention 與 raw absence 證明。",
|
||
"role_id": "evidence_custodian",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"label": "變更管理人",
|
||
"responsibility": "確認維護窗口、rollback owner、postcheck 與跨專案同步。",
|
||
"role_id": "change_manager",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"label": "AI 安全審查人",
|
||
"responsibility": "審核 AI agent tool 權限、prompt redaction、過度代理與成本邊界。",
|
||
"role_id": "ai_security_reviewer",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"label": "風險負責人",
|
||
"responsibility": "接受風險、例外期限、治理報告與資源優先序。",
|
||
"role_id": "executive_risk_owner",
|
||
"runtime_gate_open": false
|
||
}
|
||
],
|
||
"outcome_lanes": [
|
||
{
|
||
"lane_id": "waiting_soc_owner_packet",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "request_wazuh_event_supplement",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "request_kali_scope_supplement",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "request_host_forensic_supplement",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "request_alert_chain_supplement",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "request_gateway_diff_supplement",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "request_supply_chain_supplement",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "request_kev_cve_supplement",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "quarantine_secret_or_raw_payload",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "reject_claim_without_cross_evidence",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "ready_for_soc_reviewer_review",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "waiting_runtime_authorization",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "blocked_no_rollback_or_postcheck",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"lane_id": "route_to_high_value_config_gate",
|
||
"runtime_gate_open": false
|
||
}
|
||
],
|
||
"required_owner_fields": [
|
||
"control_id",
|
||
"owner_role",
|
||
"owner_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"affected_scope_aliases",
|
||
"asset_owner_map_ref",
|
||
"signal_source_refs",
|
||
"wazuh_manager_ref",
|
||
"wazuh_agent_status_refs",
|
||
"wazuh_event_refs",
|
||
"kali_scope_ref",
|
||
"kali_health_ref",
|
||
"kali_finding_envelope_ref",
|
||
"prometheus_alert_ref",
|
||
"alertmanager_route_ref",
|
||
"signoz_trace_ref",
|
||
"sentry_issue_ref",
|
||
"host_forensic_refs",
|
||
"fim_or_persistence_refs",
|
||
"network_detection_refs",
|
||
"gateway_config_diff_refs",
|
||
"runner_workflow_refs",
|
||
"container_sbom_refs",
|
||
"kev_or_cve_refs",
|
||
"incident_case_ref",
|
||
"severity_mapping_ref",
|
||
"confidence_mapping_ref",
|
||
"noise_budget_ref",
|
||
"dedupe_fingerprint_ref",
|
||
"redacted_evidence_refs",
|
||
"raw_payload_absence_attestation",
|
||
"secret_value_absence_attestation",
|
||
"chain_of_custody_ref",
|
||
"retention_policy_ref",
|
||
"maintenance_window",
|
||
"rollback_owner",
|
||
"rollback_plan_ref",
|
||
"validation_metrics",
|
||
"postcheck_owner",
|
||
"cross_project_sync_ref",
|
||
"followup_owner"
|
||
],
|
||
"reviewer_checks": [
|
||
{
|
||
"check_id": "soc_review_01",
|
||
"instruction": "owner role / team 必填"
|
||
},
|
||
{
|
||
"check_id": "soc_review_02",
|
||
"instruction": "asset alias 必須脫敏"
|
||
},
|
||
{
|
||
"check_id": "soc_review_03",
|
||
"instruction": "Wazuh event ref 不得是 raw payload"
|
||
},
|
||
{
|
||
"check_id": "soc_review_04",
|
||
"instruction": "Kali finding 只能接 normalized envelope"
|
||
},
|
||
{
|
||
"check_id": "soc_review_05",
|
||
"instruction": "Kali active scan 必須獨立批准"
|
||
},
|
||
{
|
||
"check_id": "soc_review_06",
|
||
"instruction": "Kali /execute 必須維持封鎖"
|
||
},
|
||
{
|
||
"check_id": "soc_review_07",
|
||
"instruction": "Prometheus / Alertmanager reload 未授權"
|
||
},
|
||
{
|
||
"check_id": "soc_review_08",
|
||
"instruction": "Telegram 實發未授權"
|
||
},
|
||
{
|
||
"check_id": "soc_review_09",
|
||
"instruction": "Sentry / SigNoz 只能作關聯證據"
|
||
},
|
||
{
|
||
"check_id": "soc_review_10",
|
||
"instruction": "route 200 不得當資安通過"
|
||
},
|
||
{
|
||
"check_id": "soc_review_11",
|
||
"instruction": "agent active 不得當入侵清除"
|
||
},
|
||
{
|
||
"check_id": "soc_review_12",
|
||
"instruction": "dashboard up 不得當事件結案"
|
||
},
|
||
{
|
||
"check_id": "soc_review_13",
|
||
"instruction": "host forensic refs 必須含時間窗"
|
||
},
|
||
{
|
||
"check_id": "soc_review_14",
|
||
"instruction": "FIM / persistence refs 必須標示來源"
|
||
},
|
||
{
|
||
"check_id": "soc_review_15",
|
||
"instruction": "network detection refs 不得含 raw packet payload"
|
||
},
|
||
{
|
||
"check_id": "soc_review_16",
|
||
"instruction": "secret value / hash / partial token 一律拒收"
|
||
},
|
||
{
|
||
"check_id": "soc_review_17",
|
||
"instruction": "runner / workflow / deploy key 只收 metadata"
|
||
},
|
||
{
|
||
"check_id": "soc_review_18",
|
||
"instruction": "CVE / KEV 必須有 owner 與 SLA"
|
||
},
|
||
{
|
||
"check_id": "soc_review_19",
|
||
"instruction": "false positive handling 必須可追蹤"
|
||
},
|
||
{
|
||
"check_id": "soc_review_20",
|
||
"instruction": "dedupe fingerprint 必須穩定"
|
||
},
|
||
{
|
||
"check_id": "soc_review_21",
|
||
"instruction": "noise budget 必須列收斂策略"
|
||
},
|
||
{
|
||
"check_id": "soc_review_22",
|
||
"instruction": "case escalation 必須有 owner"
|
||
},
|
||
{
|
||
"check_id": "soc_review_23",
|
||
"instruction": "maintenance window 必須存在"
|
||
},
|
||
{
|
||
"check_id": "soc_review_24",
|
||
"instruction": "rollback owner 必須存在"
|
||
},
|
||
{
|
||
"check_id": "soc_review_25",
|
||
"instruction": "postcheck 必須獨立"
|
||
},
|
||
{
|
||
"check_id": "soc_review_26",
|
||
"instruction": "cross-project sync 必須存在"
|
||
},
|
||
{
|
||
"check_id": "soc_review_27",
|
||
"instruction": "LOGBOOK 更新不能含內部逐字稿"
|
||
},
|
||
{
|
||
"check_id": "soc_review_28",
|
||
"instruction": "前台不得顯示個人 namespace 原文"
|
||
},
|
||
{
|
||
"check_id": "soc_review_29",
|
||
"instruction": "SOAR 只能 draft 不得 auto block"
|
||
},
|
||
{
|
||
"check_id": "soc_review_30",
|
||
"instruction": "active response 先 dry-run"
|
||
},
|
||
{
|
||
"check_id": "soc_review_31",
|
||
"instruction": "NDR / IPS 不能直接進 blocking"
|
||
},
|
||
{
|
||
"check_id": "soc_review_32",
|
||
"instruction": "firewall containment 必須 break-glass 或維護窗口"
|
||
},
|
||
{
|
||
"check_id": "soc_review_33",
|
||
"instruction": "package patch 需維護窗口"
|
||
},
|
||
{
|
||
"check_id": "soc_review_34",
|
||
"instruction": "backup / restore proof 不能用備份存在代替"
|
||
},
|
||
{
|
||
"check_id": "soc_review_35",
|
||
"instruction": "all accepted / authorized / executed counters 必須維持 0"
|
||
},
|
||
{
|
||
"check_id": "soc_review_36",
|
||
"instruction": "runtime gate 必須維持 0"
|
||
}
|
||
],
|
||
"schema_version": "soc_siem_kali_wazuh_integration_control_v1",
|
||
"signal_sources": [
|
||
{
|
||
"label": "Wazuh endpoint / agent / FIM alerts",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "wazuh_endpoint_alerts"
|
||
},
|
||
{
|
||
"label": "Kali 112 health / scope / normalized findings",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "kali_112_health_findings"
|
||
},
|
||
{
|
||
"label": "Prometheus / Alertmanager rules and delivery chain",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "prometheus_alertmanager"
|
||
},
|
||
{
|
||
"label": "SigNoz traces / metrics / errors",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "signoz_apm_traces"
|
||
},
|
||
{
|
||
"label": "Sentry application and frontend errors",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "sentry_application_errors"
|
||
},
|
||
{
|
||
"label": "Nginx / gateway / TLS / ACME / upstream evidence",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "nginx_gateway_tls"
|
||
},
|
||
{
|
||
"label": "Host auth / process / network / package evidence",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "host_auth_process_network"
|
||
},
|
||
{
|
||
"label": "Docker / systemd / process / port binding evidence",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "docker_systemd_runtime"
|
||
},
|
||
{
|
||
"label": "K8s / ArgoCD / RBAC / NetworkPolicy evidence",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "k8s_argocd_gitops"
|
||
},
|
||
{
|
||
"label": "Gitea / runner / workflow / deploy key evidence",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "gitea_runner_workflow"
|
||
},
|
||
{
|
||
"label": "Harbor / registry / container image / SBOM evidence",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "harbor_container_sbom"
|
||
},
|
||
{
|
||
"label": "Backup / restore / offsite / escrow / cold-start evidence",
|
||
"live_query_authorized": false,
|
||
"redacted_evidence_only": true,
|
||
"source_id": "backup_restore_dr"
|
||
}
|
||
],
|
||
"standard_frameworks": [
|
||
{
|
||
"framework_id": "nist_csf_2_0",
|
||
"integration_intent": "將資安監控與回應放進治理、辨識、防護、偵測、回應與復原閉環。",
|
||
"label": "NIST CSF 2.0",
|
||
"mapped_functions": [
|
||
"Govern",
|
||
"Identify",
|
||
"Protect",
|
||
"Detect",
|
||
"Respond",
|
||
"Recover"
|
||
],
|
||
"source_url": "https://www.nist.gov/cyberframework"
|
||
},
|
||
{
|
||
"framework_id": "nist_sp_800_61_r3",
|
||
"integration_intent": "將事件處理生命週期轉成 IwoooS case gate、postcheck 與 lesson learned 回寫。",
|
||
"label": "NIST SP 800-61 Rev. 3",
|
||
"mapped_functions": [
|
||
"Prepare",
|
||
"Detect",
|
||
"Analyze",
|
||
"Respond",
|
||
"Recover",
|
||
"Improve"
|
||
],
|
||
"source_url": "https://csrc.nist.gov/pubs/sp/800/61/r3/final"
|
||
},
|
||
{
|
||
"framework_id": "cis_controls_v8_1",
|
||
"integration_intent": "把資產、弱點、稽核日誌、惡意程式防護、復原與權限審查納入 IwoooS。",
|
||
"label": "CIS Controls v8.1",
|
||
"mapped_functions": [
|
||
"Inventory",
|
||
"Vulnerability",
|
||
"Audit Log",
|
||
"Malware",
|
||
"Recovery",
|
||
"Access"
|
||
],
|
||
"source_url": "https://www.cisecurity.org/controls/v8"
|
||
},
|
||
{
|
||
"framework_id": "cisa_zero_trust_maturity_model",
|
||
"integration_intent": "以 identity、device、network、application、data 與 visibility / automation 作為零信任成熟度對照。",
|
||
"label": "CISA Zero Trust Maturity Model",
|
||
"mapped_functions": [
|
||
"Identity",
|
||
"Devices",
|
||
"Networks",
|
||
"Applications",
|
||
"Data",
|
||
"Visibility"
|
||
],
|
||
"source_url": "https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model"
|
||
},
|
||
{
|
||
"framework_id": "cisa_kev_prioritization",
|
||
"integration_intent": "以已知遭利用漏洞作為漏洞修補與維護窗口排序依據。",
|
||
"label": "CISA KEV 優先化",
|
||
"mapped_functions": [
|
||
"Known exploited vulnerability",
|
||
"Patch priority",
|
||
"Owner SLA"
|
||
],
|
||
"source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
|
||
},
|
||
{
|
||
"framework_id": "mitre_attack_d3fend",
|
||
"integration_intent": "以 ATT&CK 描述攻擊行為與資料源,再用 D3FEND 對應防禦與驗證缺口。",
|
||
"label": "MITRE ATT&CK / D3FEND",
|
||
"mapped_functions": [
|
||
"Tactic",
|
||
"Technique",
|
||
"Data source",
|
||
"Detection",
|
||
"Mitigation",
|
||
"Countermeasure"
|
||
],
|
||
"source_url": "https://attack.mitre.org/"
|
||
},
|
||
{
|
||
"framework_id": "owasp_asvs_samm",
|
||
"integration_intent": "把應用層安全驗證、secure SDLC 與 API / auth / logging 控制納入 IwoooS。",
|
||
"label": "OWASP ASVS / SAMM",
|
||
"mapped_functions": [
|
||
"Security requirement",
|
||
"Verification",
|
||
"Secure SDLC",
|
||
"Logging",
|
||
"Access control"
|
||
],
|
||
"source_url": "https://owasp.org/www-project-application-security-verification-standard/"
|
||
},
|
||
{
|
||
"framework_id": "wazuh_xdr_siem",
|
||
"integration_intent": "將 endpoint / host 訊號、檔案完整性、事件規則與 response 邊界納入 IwoooS。",
|
||
"label": "Wazuh XDR / SIEM",
|
||
"mapped_functions": [
|
||
"Agent telemetry",
|
||
"FIM",
|
||
"Rule",
|
||
"Decoder",
|
||
"Alert",
|
||
"Active response dry-run"
|
||
],
|
||
"source_url": "https://documentation.wazuh.com/current/index.html"
|
||
},
|
||
{
|
||
"framework_id": "wazuh_active_response_model",
|
||
"integration_intent": "只採用 active response 的能力模型;IwoooS 目前只做 dry-run 與 rollback gate,不啟用 response。",
|
||
"label": "Wazuh Active Response",
|
||
"mapped_functions": [
|
||
"Trigger",
|
||
"Command",
|
||
"Scope",
|
||
"Timeout",
|
||
"Rollback",
|
||
"Dry-run gate"
|
||
],
|
||
"source_url": "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html"
|
||
},
|
||
{
|
||
"framework_id": "prometheus_alertmanager",
|
||
"integration_intent": "把告警分組、去重、路由、抑制與 receipt 驗收納入 no-false-green 告警鏈。",
|
||
"label": "Prometheus Alertmanager",
|
||
"mapped_functions": [
|
||
"Grouping",
|
||
"Deduplication",
|
||
"Routing",
|
||
"Silencing",
|
||
"Inhibition",
|
||
"Receipt"
|
||
],
|
||
"source_url": "https://prometheus.io/docs/alerting/latest/alertmanager/"
|
||
},
|
||
{
|
||
"framework_id": "opentelemetry_observability",
|
||
"integration_intent": "以 vendor-neutral telemetry 口徑把 traces、metrics、logs 與 resource 關聯到事件證據。",
|
||
"label": "OpenTelemetry observability",
|
||
"mapped_functions": [
|
||
"Trace",
|
||
"Metric",
|
||
"Log",
|
||
"Resource",
|
||
"Correlation",
|
||
"Semantic convention"
|
||
],
|
||
"source_url": "https://opentelemetry.io/docs/what-is-opentelemetry/"
|
||
},
|
||
{
|
||
"framework_id": "slsa_sigstore_sbom",
|
||
"integration_intent": "把 build provenance、artifact integrity、SBOM 與簽章驗證轉成供應鏈 evidence lane。",
|
||
"label": "SLSA / Sigstore / SBOM",
|
||
"mapped_functions": [
|
||
"Provenance",
|
||
"Build integrity",
|
||
"Artifact signing",
|
||
"SBOM",
|
||
"Verification"
|
||
],
|
||
"source_url": "https://slsa.dev/"
|
||
},
|
||
{
|
||
"framework_id": "ndr_ids_suricata_zeek",
|
||
"integration_intent": "將網路偵測與封包層線索納入未來 NDR lane;IPS 仍需獨立批准。",
|
||
"label": "Suricata / Zeek NDR",
|
||
"mapped_functions": [
|
||
"Network detection",
|
||
"Passive telemetry",
|
||
"Rule hit",
|
||
"Flow",
|
||
"Future IPS gate"
|
||
],
|
||
"source_url": "https://suricata.io/"
|
||
},
|
||
{
|
||
"framework_id": "kali_assessment_tooling",
|
||
"integration_intent": "Kali 112 作為安全驗證與工具節點,先接只讀 health / scope / finding contract。",
|
||
"label": "Kali assessment tooling",
|
||
"mapped_functions": [
|
||
"Health",
|
||
"Scope",
|
||
"Safe crawl",
|
||
"Tool version",
|
||
"Finding normalization"
|
||
],
|
||
"source_url": "https://www.kali.org/docs/"
|
||
}
|
||
],
|
||
"status": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action",
|
||
"summary": {
|
||
"action_button_count": 0,
|
||
"active_response_enabled_count": 0,
|
||
"alert_route_accepted_count": 0,
|
||
"alertmanager_reload_authorized_count": 0,
|
||
"auto_block_authorized_count": 0,
|
||
"blocked_action_count": 103,
|
||
"c0_control_candidate_count": 12,
|
||
"c0_control_domain_count": 12,
|
||
"c1_control_candidate_count": 8,
|
||
"c1_control_domain_count": 4,
|
||
"control_candidate_count": 20,
|
||
"control_domain_count": 16,
|
||
"coverage_percent_after_soc_integration_control": 78,
|
||
"forensic_evidence_accepted_count": 0,
|
||
"incident_case_accepted_count": 0,
|
||
"incident_lifecycle_stage_count": 8,
|
||
"kali_active_scan_authorized_count": 0,
|
||
"kali_execute_authorized_count": 0,
|
||
"kali_finding_envelope_accepted_count": 0,
|
||
"kali_scope_ref_accepted_count": 0,
|
||
"maturity_stage_count": 7,
|
||
"monitoring_alerting_observability_coverage_percent_after_soc_control": 78,
|
||
"operating_role_count": 9,
|
||
"outcome_lane_count": 14,
|
||
"owner_response_accepted_count": 0,
|
||
"owner_response_received_count": 0,
|
||
"p0_control_candidate_count": 12,
|
||
"p1_control_candidate_count": 8,
|
||
"prometheus_reload_authorized_count": 0,
|
||
"required_owner_field_count": 42,
|
||
"reviewer_check_count": 36,
|
||
"runtime_gate_count": 0,
|
||
"security_evidence_tooling_coverage_percent_after_soc_control": 88,
|
||
"siem_correlation_rule_accepted_count": 0,
|
||
"signal_source_count": 12,
|
||
"soar_case_create_authorized_count": 0,
|
||
"standard_framework_count": 14,
|
||
"telegram_send_authorized_count": 0,
|
||
"validation_gate_count": 18,
|
||
"wazuh_event_ref_received_count": 0
|
||
},
|
||
"validation_gates": [
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "asset_owner_mapping_verified",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "source_to_live_diff_available",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "redacted_evidence_refs_present",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "raw_payload_absence_attested",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "secret_value_absence_attested",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "wazuh_manager_registry_truth_received",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "kali_scope_and_finding_envelope_accepted",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "alert_route_receipt_available",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "incident_case_id_present",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "severity_confidence_mapping_reviewed",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "forensic_time_window_present",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "chain_of_custody_present",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "kev_or_cve_prioritization_done",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "rollback_owner_present",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "maintenance_window_present",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "postcheck_metrics_present",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "cross_project_sync_recorded",
|
||
"runtime_gate_open": false
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"gate_id": "production_desktop_mobile_smoke_passed",
|
||
"runtime_gate_open": false
|
||
}
|
||
]
|
||
}
|