Changes from 7 commits
78d8366
Create response_plan directory
xqi-splunk Nov 4, 2025
2e9fe65
Update directory name
xqi-splunk Nov 4, 2025
966743c
Copy response_templates artifacts to dist/api
xqi-splunk Nov 19, 2025
a08707e
Add response-templates schema validation workflow
xqi-splunk Nov 19, 2025
59628d8
Add feature branch for testing purpose
xqi-splunk Nov 19, 2025
2714f82
Update endpoint to playground
xqi-splunk Nov 19, 2025
b79b51d
Revert back debug changes
xqi-splunk Nov 24, 2025
9501dff
Move scripts to workflows
xqi-splunk Nov 25, 2025
8473296
Remove manual check in
xqi-splunk Nov 25, 2025
a9c4030
Add sorting for version and template name
xqi-splunk Nov 25, 2025
09aae74
Raise exception when file name not match
xqi-splunk Nov 25, 2025
dc9cbfc
Add indentation for json output
xqi-splunk Nov 25, 2025
49f1700
Add debug option to dump json schema
xqi-splunk Nov 25, 2025
ded2ba5
Generate merged templates at runtime
xqi-splunk Nov 25, 2025
79f635f
Rename openAPI spec yaml to yml
xqi-splunk Nov 25, 2025
13b27d3
Move validation to build.yml
xqi-splunk Nov 25, 2025
a8e754a
Use stem to get file name
xqi-splunk Nov 25, 2025
16523ab
Fix python package install
xqi-splunk Nov 25, 2025
0db44fc
Update version sorting using int
xqi-splunk Nov 25, 2025
9cc8381
Update openAPI spec for version
xqi-splunk Nov 26, 2025
77f60a0
Move build response templates to separate workflow
xqi-splunk Dec 2, 2025
c42b590
Fix naming in build-response-templates.yml
xqi-splunk Dec 2, 2025
9e1f2d3
Merge branch 'develop' into feature/PEX-699-response-plan
pyth0n1c Dec 2, 2025
5 changes: 5 additions & 0 deletions .github/workflows/build.yml
Expand Up @@ -29,6 +29,11 @@ jobs:
contentctl build --enrichments --enforce_deprecation_mapping_requirement
mkdir artifacts
mv dist/DA-ESS-ContentUpdate-latest.tar.gz artifacts/
cd response_templates
python template_script.py -d . -o ./merged_response_templates -m
cd ..
mkdir -p dist/api/response_templates
cp response_templates/merged_response_templates/* dist/api/response_templates/

- name: store_artifacts
uses: actions/upload-artifact@v5
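Review bot: The copy on the last added line, `cp response_templates/merged_response_templates/* dist/api/response_templates/`, ships everything `template_script.py` emitted into the release artifact, which in this PR includes the `TestMultiVersion_v4.json` / `TestMultiVersion_v5.json` fixtures (`"creator": "zen_admin"`, `"name": "Test%20Multi%20Version"`) alongside the real templates unless the script filters them — that filtering is not visible here. The merged output is also packaged without the schema check that `validate-response-templates.yml` performs, and that workflow is path-filtered and independent of `build.yml`, so a template that fails validation can still reach `dist/api`; running the validate command from that workflow here, before the `mkdir -p dist/api/response_templates` line, or making the validate job a required status check, would close the gap. The `run:` block these lines belong to starts outside the hunk, so whether this job installs the pyyaml/jsonschema dependencies the scripts need cannot be confirmed from this view. As a style point, `(cd response_templates && python template_script.py -d . -o ./merged_response_templates -m)` keeps the directory change scoped instead of relying on the `cd ..` pair.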
36 changes: 36 additions & 0 deletions .github/workflows/validate-response-templates.yml
@@ -0,0 +1,36 @@
name: Validate Response Templates

on:
pull_request:
types: [opened, reopened, synchronize]
paths:
- 'response_templates/**'
- '.github/workflows/validate-response-templates.yml'
push:
branches:
- develop
paths:
- 'response_templates/**'
- '.github/workflows/validate-response-templates.yml'

jobs:
validate:
runs-on: ubuntu-latest
steps:
- name: Check out the repository code
uses: actions/checkout@v5

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: '3.11'
architecture: 'x64'

- name: Install dependencies
run: |
pip install pyyaml jsonschema
- name: Validate response templates
run: |
cd response_templates
python validate_response_templates.py -s mcopenapi_public.yaml -d . -m merged_response_templates/manifest.json --merged-dir merged_response_templates
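Review bot: The workflow declares no `permissions:` block, so the `validate` job runs with the repository's default `GITHUB_TOKEN` scope even though checkout, setup-python and the two `run:` steps only need read access; adding `permissions:` with `contents: read` at the top level (after `name:`) pins it to least privilege. The `pip install pyyaml jsonschema` line in the install step is unpinned, so every run resolves the newest release of both packages; a pinned `pip install 'pyyaml==<version>' 'jsonschema==<version>'` or a requirements file with hashes makes the validation reproducible and narrows the supply-chain exposure. The `-s mcopenapi_public.yaml` argument on the last line is worth re-checking against the later commit `79f635f` "Rename openAPI spec yaml to yml" in this PR, since this view is "Changes from 7 commits". The actions are referenced by major tag (`actions/checkout@v5`, `actions/setup-python@v6`); pinning to a commit SHA is the usual hardening if the repository follows that policy.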
1 change: 1 addition & 0 deletions response_templates/GenericIncidentResponse_v1.json
@@ -0,0 +1 @@
{"id": "5d656a90-fe91-4c8f-8460-fa2599a17f75", "create_time": 1762280887.4139671, "update_time": 1762280887.4139671, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "Splunk", "updated_by": "Splunk", "is_default": true, "version": 1, "phases": [{"id": "2d4ceaab-2ab3-4e61-8997-2eec7b612c7b", "create_time": 1762280887.4145086, "update_time": 1762280887.414509, "name": "Detection", "order": 1, "tasks": [{"id": "8c73eaa4-8928-40de-8e3b-e130efc01bb8", "create_time": 1762280887.4141092, "update_time": 1762280887.41411, "name": "Report incident response execution", "order": 1, "tag": "e8d26ce8-a004-4621-8b40-0e95acd7638b", "description": "Alert appropriate parties that incident response is starting.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "feec4f53-67ef-405d-baf4-2c8a3ca8b486", "create_time": 1762280887.414233, "update_time": 1762280887.4142334, "name": "Document associated events", "order": 2, "tag": "afb0e39b-9bfe-4d02-a090-e3b9ca2386de", "description": "This is the escalation. Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "72a39d10-2941-4451-8973-7c82d9055cff", "create_time": 1762280887.4143443, "update_time": 1762280887.4143448, "name": "Document known attack surface and attacker information", "order": 3, "tag": "46211e09-e553-4c9f-a9a8-8383fec880a5", "description": "Rough triage of the situation. 
No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5ae0daa1-b86a-4a60-93a1-20c8b5d963c2", "create_time": 1762280887.4144528, "update_time": 1762280887.4144533, "name": "Assign roles", "order": 4, "tag": "e70408a7-3062-474a-aaf0-460402f16f29", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f546ee59-0988-4b55-8166-8cac2a64b76f", "create_time": 1762280887.41606, "update_time": 1762280887.4160604, "name": "Analysis", "order": 2, "tasks": [{"id": "a8acff10-07f5-49af-a103-ce864235994b", "create_time": 1762280887.414614, "update_time": 1762280887.4146142, "name": "Research intelligence resources", "order": 1, "tag": "c291654f-4616-4cde-afcb-5f7352d3fb6c", "description": "Find out if this attacker is a known agent and gather associated tactics, techniques, and procedures (TTP) used.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4d7b78f-1cd0-47c2-b0e3-40933395688a", "create_time": 1762280887.4147215, "update_time": 1762280887.414722, "name": "Research proxy logs", "order": 2, "tag": "0c56f2ef-fa23-48f6-abe8-7e42ae12716c", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"c5cee5b9-2ad7-4144-aa85-d746bae679ed", "create_time": 1762280887.41483, "update_time": 1762280887.4148307, "name": "Research firewall logs", "order": 3, "tag": "60405c0a-cbbf-4034-a4ec-d4f6f467b6e0", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92f68bd6-3b7d-4a58-ad55-4b3a36369526", "create_time": 1762280887.41496, "update_time": 1762280887.4149606, "name": "Research OS logs", "order": 4, "tag": "a8939de4-a990-4adf-83c6-d93f5b378ff1", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "61816baa-fc24-4f38-a6cd-7626561b48ff", "create_time": 1762280887.4152095, "update_time": 1762280887.41521, "name": "Research network logs", "order": 5, "tag": "027f7da1-76e1-4466-be1d-4b40771de133", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4811036e-781a-4885-bf38-32729a1a0ba1", "create_time": 1762280887.4153204, "update_time": 1762280887.4153206, "name": "Research endpoint protection logs", "order": 6, "tag": "afc28267-6231-4db6-a005-accabb008c7a", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"79900180-4caf-4d96-9290-968d9f5aec84", "create_time": 1762280887.4154315, "update_time": 1762280887.415432, "name": "Determine infection vector", "order": 7, "tag": "af4db0e8-d1ac-4d98-82ec-939fa5d47a0b", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "09087e70-fd26-4484-b92a-33c8728d8719", "create_time": 1762280887.415541, "update_time": 1762280887.4155414, "name": "Document all attack targets", "order": 8, "tag": "14552467-8504-4196-9c18-46c68995c590", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a9878c0-5626-4350-a0b6-cd5fef767dda", "create_time": 1762280887.4156528, "update_time": 1762280887.4156535, "name": "Document all attacker sources and TTP", "order": 9, "tag": "9a83e045-a686-423a-b80b-1c7906d8b7b0", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3986bf6d-fc23-4296-8dbe-d2b7117c9ec3", "create_time": 1762280887.4157624, "update_time": 1762280887.415763, "name": "Document infected devices", "order": 10, "tag": "5888de1b-61c8-4ea4-90d8-aeb01ec4682f", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "c7044f3e-f58b-4dcb-b1f2-c595a214ff9d", "create_time": 1762280887.4158719, "update_time": 1762280887.4158723, "name": "Determine full impact of attack", "order": 11, "tag": "b0cf76ae-1c67-4737-bf00-170971be80f3", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ca532eca-d263-4af9-9391-6d35b63c3627", "create_time": 1762280887.4160035, "update_time": 1762280887.4160042, "name": "Analyze malware samples", "order": 12, "tag": "e3b989b5-df17-4324-880d-10a5ac6c441d", "description": "Analyze discovered malware and document indicators of compromise (IOCs).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9bf6f73e-a5da-49ac-87a7-a2469155cf7b", "create_time": 1762280887.4164388, "update_time": 1762280887.4164393, "name": "Containment", "order": 3, "tasks": [{"id": "8bb468b3-8ac7-4e49-86d8-ca1513550c47", "create_time": 1762280887.4161665, "update_time": 1762280887.416167, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "28d74f7a-1aaf-4f44-8245-ed62a4720046", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d512b582-b030-486a-86b0-a8e656ea4542", "create_time": 1762280887.416276, "update_time": 1762280887.4162762, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": 
"18ed5b52-40e5-4dc7-b3c5-09c85a8a4cca", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "002fc36e-8a96-40c9-8a1d-b38d4f57b61b", "create_time": 1762280887.416384, "update_time": 1762280887.4163842, "name": "Contain incident", "order": 3, "tag": "a34be9ce-1ac5-4b35-9720-f3d50a33243b", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f9af170b-9aa7-4914-9e7c-59ba2128d1da", "create_time": 1762280887.41683, "update_time": 1762280887.4168303, "name": "Eradication", "order": 4, "tasks": [{"id": "16fd1501-b42b-440f-a2d2-54e698e12892", "create_time": 1762280887.4165573, "update_time": 1762280887.4165576, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "d9e85137-1503-4f1f-8765-c580516814cb", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e43e6862-a78b-4eef-b5b1-63782650ea28", "create_time": 1762280887.4166672, "update_time": 1762280887.4166675, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "b6ef4c01-da86-4383-80c2-bf565a7124e3", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3b9148a5-2780-4eb9-9e21-908163e62d7a", "create_time": 1762280887.4167752, "update_time": 1762280887.4167757, "name": "Repeat analysis and containment on any newly discovered 
infected hosts", "order": 3, "tag": "9f3c7353-cc4b-4e1f-8f89-ccd153468278", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d9ad55cf-ece3-4090-bf43-5ef24995a891", "create_time": 1762280887.4172246, "update_time": 1762280887.4172251, "name": "Recovery", "order": 5, "tasks": [{"id": "7f3ccff8-bd53-44b4-8ef3-cc333aa1c6e1", "create_time": 1762280887.4169493, "update_time": 1762280887.4169497, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "dec11e17-d2b6-41e4-8490-a500262e1991", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0209cfd0-91b3-4d4c-a8a6-266cf0a2302d", "create_time": 1762280887.4170604, "update_time": 1762280887.4170609, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "cb1b051b-25d0-4fd3-b4bb-85c16c19d55b", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f55fd9d7-8fd5-4920-90e5-34bc82625e80", "create_time": 1762280887.4171677, "update_time": 1762280887.417168, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "59e40624-72dd-498a-bd4c-297cace98c29", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], 
"searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ec68a4cd-daca-4bc0-848b-b586a070c8e4", "create_time": 1762280887.4176192, "update_time": 1762280887.4176197, "name": "Post", "order": 6, "tasks": [{"id": "f6565b96-cd55-4264-b509-908e52a29e3a", "create_time": 1762280887.4173315, "update_time": 1762280887.4173317, "name": "Schedule after-action review meeting", "order": 1, "tag": "515c3f1b-d0ee-4866-8980-7704cd34c6d7", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e5e2f646-64bb-4c59-b10d-c497625327fd", "create_time": 1762280887.4174387, "update_time": 1762280887.417439, "name": "Generate incident response action report", "order": 2, "tag": "00fe59eb-19cd-45dc-ac55-66dfd78e3dbd", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d74ad240-caa8-4c00-91ab-ab033e7f38a1", "create_time": 1762280887.4175637, "update_time": 1762280887.4175642, "name": "Report incident response complete", "order": 3, "tag": "f8bfdc47-6329-4465-a93f-47e6fbadd006", "description": "Alert appropriate parties that incident response is complete.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "7bd3e9e3-414a-4075-8846-8573bc637192", "active": true, "used": false, "_user": "nobody", "_key": "5d656a90-fe91-4c8f-8460-fa2599a17f75"}
1 change: 1 addition & 0 deletions response_templates/SuspiciousEmail_v1.json


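--- a/response_templates/TestMultiVersion_v4.json
+++ b/response_templates/TestMultiVersion_v4.json
@@ -0,0 +1,50 @@
+{
+"id": "27b78044-1eca-43c2-9207-b5afe3075a81",
+"create_time": 1762292283.131341,
+"update_time": 1762292294.8144422,
+"name": "Test%20Multi%20Version",
+"description": "",
+"template_status": "published",
+"creator": "zen_admin",
+"updated_by": "zen_admin",
+"is_default": false,
+"version": 4,
+"phases": [
+{
+"id": "61ed7d1f-12bb-4dcd-b30d-8bc64a735d15",
+"create_time": 1762292292.855246,
+"update_time": 1762292294.7901058,
+"name": "Test%20Phase",
+"order": 1,
+"tasks": [
+{
+"id": "096e2f14-866e-404e-819b-a1155ac0084b",
+"create_time": 1762292292.855151,
+"update_time": 1762292294.790007,
+"name": "Test%20Task",
+"order": 1,
+"tag": "c8283baa-3da5-4886-8975-376f2d0cbd2a",
+"description": "",
+"owner": "",
+"is_note_required": true,
+"status": "Pending",
+"notes": [],
+"files": [],
+"suggestions": {
+"playbooks": [],
+"actions": [],
+"searches": []
+},
+"start_time": 0,
+"end_time": 0,
+"total_time_taken": 0
+}
+]
+}
+],
+"template_id": "ab32daf2-b7b4-4525-b8a0-fc783ab2fef8",
+"active": true,
+"used": false,
+"_user": "nobody",
+"_key": "27b78044-1eca-43c2-9207-b5afe3075a81"
+}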
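--- a/response_templates/TestMultiVersion_v5.json
+++ b/response_templates/TestMultiVersion_v5.json
@@ -0,0 +1 @@
+{"id": "27b78044-1eca-43c2-9207-b5afe3075a81", "create_time": 1762292283.131341, "update_time": 1762292328.3112774, "name": "Test%20Multi%20Version", "description": "", "template_status": "published", "creator": "zen_admin", "updated_by": "zen_admin", "is_default": false, "version": 5, "phases": [{"id": "61ed7d1f-12bb-4dcd-b30d-8bc64a735d15", "create_time": 1762292328.2866068, "update_time": 1762292328.2866073, "name": "Test%20Phase", "order": 1, "tasks": [{"id": "096e2f14-866e-404e-819b-a1155ac0084b", "create_time": 1762292292.855151, "update_time": 1762292328.2865093, "name": "Test%20Task%20V3", "order": 1, "tag": "c8283baa-3da5-4886-8975-376f2d0cbd2a", "description": "", "owner": "", "is_note_required": true, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "ab32daf2-b7b4-4525-b8a0-fc783ab2fef8", "active": true, "used": false, "_user": "nobody", "_key": "27b78044-1eca-43c2-9207-b5afe3075a81"}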