RE&CT Framework (EN) - RE&CT

<!DOCTYPE html> <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]--> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="shortcut icon" href="img/favicon.ico"> <title>RE&CT Framework (EN) - RE&CT</title> <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700" /> <link rel="stylesheet" href="css/theme.css" /> <link rel="stylesheet" href="css/theme_extra.css" /> <script> // Current page data var mkdocs_page_name = "RE\u0026CT Framework (EN)"; var mkdocs_page_input_path = "index.md"; var mkdocs_page_url = null; </script> <script src="js/jquery-2.1.1.min.js" defer></script> <script src="js/modernizr-2.8.3.min.js" defer></script> <script> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','https://www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-165240552-2', 'https://atc-project.github.io/atc-react/'); ga('send', 'pageview'); </script> </head> <body class="wy-body-for-nav" role="document"> <div class="wy-grid-for-nav"> <nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav"> <div class="wy-side-scroll"> <div class="wy-side-nav-search"> <a href="." 
class="icon icon-home"> RE&CT</a> </div> <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation"> <p class="caption"><span class="caption-text">Introduction</span></p> <ul class="current"> <li class="toctree-l1 current"><a class="reference internal current" href=".">RE&CT Framework (EN)</a> </li> <li class="toctree-l1"><a class="reference internal" href="index_RU/">RE&CT Framework (RU)</a> </li> <li class="toctree-l1"><a class="reference internal" href="responsestages/">Response Stages</a> </li> </ul> <p class="caption"><span class="caption-text">Response Actions</span></p> <ul> <li class="toctree-l1"><a class="reference internal" href="#">Preparation</a> <ul> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1001_practice/">RA1001: Practice</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1002_take_trainings/">RA1002: Take trainings</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1003_raise_personnel_awareness/">RA1003: Raise personnel awareness</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1004_make_personnel_report_suspicious_activity/">RA1004: Make personnel report suspicious activity</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1005_set_up_relevant_data_collection/">RA1005: Set up relevant data collection</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1006_set_up_a_centralized_long-term_log_storage/">RA1006: Set up a centralized long-term log storage</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1007_develop_communication_map/">RA1007: Develop communication map</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1008_make_sure_there_are_backups/">RA1008: Make sure there are backups</a> </li> <li 
class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1009_get_network_architecture_map/">RA1009: Get network architecture map</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1010_get_access_control_matrix/">RA1010: Get access control matrix</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1011_develop_assets_knowledge_base/">RA1011: Develop assets knowledge base</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1012_check_analysis_toolset/">RA1012: Check analysis toolset</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1013_access_vulnerability_management_system_logs/">RA1013: Access vulnerability management system logs</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1014_connect_with_trusted_communities/">RA1014: Connect with trusted communities</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1101_access_external_network_flow_logs/">RA1101: Access external network flow logs</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1102_access_internal_network_flow_logs/">RA1102: Access internal network flow logs</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1103_access_internal_http_logs/">RA1103: Access internal HTTP logs</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1104_access_external_http_logs/">RA1104: Access external HTTP logs</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1105_access_internal_dns_logs/">RA1105: Access internal DNS logs</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1106_access_external_dns_logs/">RA1106: Access external DNS logs</a> </li> <li class="toctree-l2"><a class="reference 
internal" href="Response_Actions/RA_1107_access_vpn_logs/">RA1107: Access VPN logs</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1108_access_dhcp_logs/">RA1108: Access DHCP logs</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1109_access_internal_packet_capture_data/">RA1109: Access internal packet capture data</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1110_access_external_packet_capture_data/">RA1110: Access external packet capture data</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1111_get_ability_to_block_external_ip_address/">RA1111: Get ability to block external IP address</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1112_get_ability_to_block_internal_ip_address/">RA1112: Get ability to block internal IP address</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1113_get_ability_to_block_external_domain/">RA1113: Get ability to block external domain</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1114_get_ability_to_block_internal_domain/">RA1114: Get ability to block internal domain</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1115_get_ability_to_block_external_url/">RA1115: Get ability to block external URL</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1116_get_ability_to_block_internal_url/">RA1116: Get ability to block internal URL</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1117_get_ability_to_block_port_external_communication/">RA1117: Get ability to block port external communication</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1118_get_ability_to_block_port_internal_communication/">RA1118: 
Get ability to block port internal communication</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1119_get_ability_to_block_user_external_communication/">RA1119: Get ability to block user external communication</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1120_get_ability_to_block_user_internal_communication/">RA1120: Get ability to block user internal communication</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1121_get_ability_to_find_data_transferred_by_content_pattern/">RA1121: Get ability to find data transferred by content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1122_get_ability_to_block_data_transferring_by_content_pattern/">RA1122: Get ability to block data transferring by content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1123_get_ability_to_list_data_transferred/">RA1123: Get ability to list data transferred</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1124_get_ability_to_collect_transferred_data/">RA1124: Get ability to collect transferred data</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1125_get_ability_to_identify_transferred_data/">RA1125: Get ability to identify transferred data</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1126_find_data_transferred_by_content_pattern/">RA1126: Find data transferred by content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1127_get_ability_to_analyse_user-agent/">RA1127: Get ability to analyse user-agent</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1128_get_ability_to_list_firewall_rules/">RA1128: Get ability to list Firewall rules</a> </li> <li 
class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1201_get_ability_to_list_users_opened_email_message/">RA1201: Get ability to list users opened email message</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1202_get_ability_to_list_email_message_receivers/">RA1202: Get ability to list email message receivers</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1203_get_ability_to_block_email_domain/">RA1203: Get ability to block email domain</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1204_get_ability_to_block_email_sender/">RA1204: Get ability to block email sender</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1205_get_ability_to_delete_email_message/">RA1205: Get ability to delete email message</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1206_get_ability_to_quarantine_email_message/">RA1206: Get ability to quarantine email message</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1207_get_ability_to_collect_email_message/">RA1207: Get ability to collect email message</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1208_get_ability_to_analyse_email_address/">RA1208: Get ability to analyse email address</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1301_get_ability_to_list_files_created/">RA1301: Get ability to list files created</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1302_get_ability_to_list_files_modified/">RA1302: Get ability to list files modified</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1303_get_ability_to_list_files_deleted/">RA1303: Get ability to list files deleted</a> </li> <li class="toctree-l2"><a 
class="reference internal" href="Response_Actions/RA_1304_get_ability_to_list_files_downloaded/">RA1304: Get ability to list files downloaded</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1305_get_ability_to_list_files_with_tampered_timestamps/">RA1305: Get ability to list files with tampered timestamps</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1306_get_ability_to_find_file_by_path/">RA1306: Get ability to find file by path</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1307_get_ability_to_find_file_by_metadata/">RA1307: Get ability to find file by metadata</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1308_get_ability_to_find_file_by_hash/">RA1308: Get ability to find file by hash</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1309_get_ability_to_find_file_by_format/">RA1309: Get ability to find file by format</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1310_get_ability_to_find_file_by_content_pattern/">RA1310: Get ability to find file by content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1311_get_ability_to_collect_file/">RA1311: Get ability to collect file</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1312_get_ability_to_quarantine_file_by_path/">RA1312: Get ability to quarantine file by path</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1313_get_ability_to_quarantine_file_by_hash/">RA1313: Get ability to quarantine file by hash</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1314_get_ability_to_quarantine_file_by_format/">RA1314: Get ability to quarantine file by format</a> </li> <li class="toctree-l2"><a class="reference 
internal" href="Response_Actions/RA_1315_get_ability_to_quarantine_file_by_content_pattern/">RA1315: Get ability to quarantine file by content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1316_get_ability_to_remove_file/">RA1316: Get ability to remove file</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1317_get_ability_to_analyse_file_hash/">RA1317: Get ability to analyse file hash</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1318_get_ability_to_analyse_windows_pe/">RA1318: Get ability to analyse Windows PE</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1319_get_ability_to_analyse_macos_macho/">RA1319: Get ability to analyse macos macho</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1320_get_ability_to_analyse_unix_elf/">RA1320: Get ability to analyse Unix ELF</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1321_get_ability_to_analyse_ms_office_file/">RA1321: Get ability to analyse MS office file</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1322_get_ability_to_analyse_pdf_file/">RA1322: Get ability to analyse PDF file</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1323_get_ability_to_analyse_script/">RA1323: Get ability to analyse script</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1324_get_ability_to_analyse_jar/">RA1324: Get ability to analyse jar</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1325_get_ability_to_analyse_filename/">RA1325: Get ability to analyse filename</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1401_get_ability_to_list_processes_executed/">RA1401: Get ability to list 
processes executed</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1402_get_ability_to_find_process_by_executable_path/">RA1402: Get ability to find process by executable path</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1403_get_ability_to_find_process_by_executable_metadata/">RA1403: Get ability to find process by executable metadata</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1404_get_ability_to_find_process_by_executable_hash/">RA1404: Get ability to find process by executable hash</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1405_get_ability_to_find_process_by_executable_format/">RA1405: Get ability to find process by executable format</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1406_get_ability_to_find_process_by_executable_content_pattern/">RA1406: Get ability to find process by executable content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1407_get_ability_to_block_process_by_executable_path/">RA1407: Get ability to block process by executable path</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1408_get_ability_to_block_process_by_executable_metadata/">RA1408: Get ability to block process by executable metadata</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1409_get_ability_to_block_process_by_executable_hash/">RA1409: Get ability to block process by executable hash</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1410_get_ability_to_block_process_by_executable_format/">RA1410: Get ability to block process by executable format</a> </li> <li class="toctree-l2"><a class="reference internal" 
href="Response_Actions/RA_1411_get_ability_to_block_process_by_executable_content_pattern/">RA1411: Get ability to block process by executable content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1501_manage_remote_computer_management_system_policies/">RA1501: Manage remote computer management system policies</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1502_get_ability_to_list_registry_keys_modified/">RA1502: Get ability to list registry keys modified</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1503_get_ability_to_list_registry_keys_deleted/">RA1503: Get ability to list registry keys deleted</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1504_get_ability_to_list_registry_keys_accessed/">RA1504: Get ability to list registry keys accessed</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1505_get_ability_to_list_registry_keys_created/">RA1505: Get ability to list registry keys created</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1506_get_ability_to_list_services_created/">RA1506: Get ability to list services created</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1507_get_ability_to_list_services_modified/">RA1507: Get ability to list services modified</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1508_get_ability_to_list_services_deleted/">RA1508: Get ability to list services deleted</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1509_get_ability_to_remove_registry_key/">RA1509: Get ability to remove registry key</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1510_get_ability_to_remove_service/">RA1510: Get ability to remove service</a> 
</li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1511_get_ability_to_analyse_registry_key/">RA1511: Get ability to analyse registry key</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1601_manage_identity_management_system/">RA1601: Manage identity management system</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1602_get_ability_to_lock_user_account/">RA1602: Get ability to lock user account</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1603_get_ability_to_list_users_authenticated/">RA1603: Get ability to list users authenticated</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1604_get_ability_to_revoke_authentication_credentials/">RA1604: Get ability to revoke authentication credentials</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1605_get_ability_to_remove_user_account/">RA1605: Get ability to remove user account</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_1606_get_ability_to_list_user_accounts/">RA1606: Get ability to list user accounts</a> </li> </ul> </li> <li class="toctree-l1"><a class="reference internal" href="#">Identification</a> <ul> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2001_list_victims_of_security_alert/">RA2001: List victims of security alert</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2002_list_host_vulnerabilities/">RA2002: List host vulnerabilities</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2003_put_compromised_accounts_on_monitoring/">RA2003: Put compromised accounts on monitoring</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2101_list_hosts_communicated_with_internal_domain/">RA2101: 
List hosts communicated with internal domain</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2102_list_hosts_communicated_with_internal_ip/">RA2102: List hosts communicated with internal IP</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2103_list_hosts_communicated_with_internal_url/">RA2103: List hosts communicated with internal URL</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2104_analyse_domain_name/">RA2104: Analyse domain name</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2105_analyse_ip/">RA2105: Analyse IP</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2106_analyse_uri/">RA2106: Analyse uri</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2107_list_hosts_communicated_by_port/">RA2107: List hosts communicated by port</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2108_list_hosts_connected_to_vpn/">RA2108: List hosts connected to VPN</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2109_list_hosts_connected_to_intranet/">RA2109: List hosts connected to intranet</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2110_list_data_transferred/">RA2110: List data transferred</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2111_collect_transferred_data/">RA2111: Collect transferred data</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2112_identify_transferred_data/">RA2112: Identify transferred data</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2113_list_hosts_communicated_with_external_domain/">RA2113: List hosts communicated with external domain</a> </li> <li 
class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2114_list_hosts_communicated_with_external_ip/">RA2114: List hosts communicated with external IP</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2115_list_hosts_communicated_with_external_url/">RA2115: List hosts communicated with external URL</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2116_find_data_transferred_by_content_pattern/">RA2116: Find data transferred by content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2117_analyse_user-agent/">RA2117: Analyse user-agent</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2118_list_firewall_rules/">RA2118: List Firewall rules</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2201_list_users_opened_email_message/">RA2201: List users opened email message</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2202_collect_email_message/">RA2202: Collect email message</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2203_list_email_message_receivers/">RA2203: List email message receivers</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2204_make_sure_email_message_is_phishing/">RA2204: Make sure email message is phishing</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2205_extract_observables_from_email_message/">RA2205: Extract observables from email message</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2206_analyse_email_address/">RA2206: Analyse email address</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2301_list_files_created/">RA2301: List files created</a> </li> <li class="toctree-l2"><a 
class="reference internal" href="Response_Actions/RA_2302_list_files_modified/">RA2302: List files modified</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2303_list_files_deleted/">RA2303: List files deleted</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2304_list_files_downloaded/">RA2304: List files downloaded</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2305_list_files_with_tampered_timestamps/">RA2305: List files with tampered timestamps</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2306_find_file_by_path/">RA2306: Find file by path</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2307_find_file_by_metadata/">RA2307: Find file by metadata</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2308_find_file_by_hash/">RA2308: Find file by hash</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2309_find_file_by_format/">RA2309: Find file by format</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2310_find_file_by_content_pattern/">RA2310: Find file by content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2311_collect_file/">RA2311: Collect file</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2312_analyse_file_hash/">RA2312: Analyse file hash</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2313_analyse_windows_pe/">RA2313: Analyse Windows PE</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2314_analyse_macos_macho/">RA2314: Analyse macos macho</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2315_analyse_unix_elf/">RA2315: Analyse Unix 
ELF</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2316_analyse_ms_office_file/">RA2316: Analyse MS office file</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2317_analyse_pdf_file/">RA2317: Analyse PDF file</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2318_analyse_script/">RA2318: Analyse script</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2319_analyse_jar/">RA2319: Analyse jar</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2320_analyse_filename/">RA2320: Analyse filename</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2401_list_processes_executed/">RA2401: List processes executed</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2402_find_process_by_executable_path/">RA2402: Find process by executable path</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2403_find_process_by_executable_metadata/">RA2403: Find process by executable metadata</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2404_find_process_by_executable_hash/">RA2404: Find process by executable hash</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2405_find_process_by_executable_format/">RA2405: Find process by executable format</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2406_find_process_by_executable_content_pattern/">RA2406: Find process by executable content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2501_list_registry_keys_modified/">RA2501: List registry keys modified</a> </li> <li class="toctree-l2"><a class="reference internal" 
href="Response_Actions/RA_2502_list_registry_keys_deleted/">RA2502: List registry keys deleted</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2503_list_registry_keys_accessed/">RA2503: List registry keys accessed</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2504_list_registry_keys_created/">RA2504: List registry keys created</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2505_list_services_created/">RA2505: List services created</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2506_list_services_modified/">RA2506: List services modified</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2507_list_services_deleted/">RA2507: List services deleted</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2508_analyse_registry_key/">RA2508: Analyse registry key</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2601_list_users_authenticated/">RA2601: List users authenticated</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_2602_list_user_accounts/">RA2602: List user accounts</a> </li> </ul> </li> <li class="toctree-l1"><a class="reference internal" href="#">Containment</a> <ul> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3001_patch_vulnerability/">RA3001: Patch vulnerability</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3101_block_external_ip_address/">RA3101: Block external IP address</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3102_block_internal_ip_address/">RA3102: Block internal IP address</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3103_block_external_domain/">RA3103: Block external 
domain</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3104_block_internal_domain/">RA3104: Block internal domain</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3105_block_external_url/">RA3105: Block external URL</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3106_block_internal_url/">RA3106: Block internal URL</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3107_block_port_external_communication/">RA3107: Block port external communication</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3108_block_port_internal_communication/">RA3108: Block port internal communication</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3109_block_user_external_communication/">RA3109: Block user external communication</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3110_block_user_internal_communication/">RA3110: Block user internal communication</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3111_block_data_transferring_by_content_pattern/">RA3111: Block data transferring by content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3201_block_domain_on_email/">RA3201: Block domain on email</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3202_block_sender_on_email/">RA3202: Block sender on email</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3203_quarantine_email_message/">RA3203: Quarantine email message</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3301_quarantine_file_by_format/">RA3301: Quarantine file by format</a> </li> <li class="toctree-l2"><a class="reference internal" 
href="Response_Actions/RA_3302_quarantine_file_by_hash/">RA3302: Quarantine file by hash</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3303_quarantine_file_by_path/">RA3303: Quarantine file by path</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3304_quarantine_file_by_content_pattern/">RA3304: Quarantine file by content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3401_block_process_by_executable_path/">RA3401: Block process by executable path</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3402_block_process_by_executable_metadata/">RA3402: Block process by executable metadata</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3403_block_process_by_executable_hash/">RA3403: Block process by executable hash</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3404_block_process_by_executable_format/">RA3404: Block process by executable format</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3405_block_process_by_executable_content_pattern/">RA3405: Block process by executable content pattern</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3501_disable_system_service/">RA3501: Disable system service</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_3601_lock_user_account/">RA3601: Lock user account</a> </li> </ul> </li> <li class="toctree-l1"><a class="reference internal" href="#">Eradication</a> <ul> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_4001_report_incident_to_external_companies/">RA4001: Report incident to external companies</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_4101_remove_rogue_network_device/">RA4101: 
Remove rogue network device</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_4201_delete_email_message/">RA4201: Delete email message</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_4301_remove_file/">RA4301: Remove file</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_4501_remove_registry_key/">RA4501: Remove registry key</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_4502_remove_service/">RA4502: Remove service</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_4601_revoke_authentication_credentials/">RA4601: Revoke authentication credentials</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_4602_remove_user_account/">RA4602: Remove user account</a> </li> </ul> </li> <li class="toctree-l1"><a class="reference internal" href="#">Recovery</a> <ul> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5001_reinstall_host_from_golden_image/">RA5001: Reinstall host from golden image</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5002_restore_data_from_backup/">RA5002: Restore data from backup</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5101_unblock_blocked_ip/">RA5101: Unblock blocked IP</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5102_unblock_blocked_domain/">RA5102: Unblock blocked domain</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5103_unblock_blocked_url/">RA5103: Unblock blocked URL</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5104_unblock_blocked_port/">RA5104: Unblock blocked port</a> </li> <li class="toctree-l2"><a class="reference internal" 
href="Response_Actions/RA_5105_unblock_blocked_user/">RA5105: Unblock blocked user</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5201_unblock_domain_on_email/">RA5201: Unblock domain on email</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5202_unblock_sender_on_email/">RA5202: Unblock sender on email</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5203_restore_quarantined_email_message/">RA5203: Restore quarantined email message</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5301_restore_quarantined_file/">RA5301: Restore quarantined file</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5401_unblock_blocked_process/">RA5401: Unblock blocked process</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5501_enable_disabled_service/">RA5501: Enable disabled service</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_5601_unlock_locked_user_account/">RA5601: Unlock locked user account</a> </li> </ul> </li> <li class="toctree-l1"><a class="reference internal" href="#">Lessons learned</a> <ul> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_6001_develop_incident_report/">RA6001: Develop incident report</a> </li> <li class="toctree-l2"><a class="reference internal" href="Response_Actions/RA_6002_conduct_lessons_learned_exercise/">RA6002: Conduct lessons learned exercise</a> </li> </ul> </li> </ul> <p class="caption"><span class="caption-text">Response Playbooks</span></p> <ul> <li class="toctree-l1"><a class="reference internal" href="Response_Playbooks/RP_0001_phishing_email/">RP0001: Phishing email</a> </li> </ul> </div> </div> </nav> <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"> <nav class="wy-nav-top" role="navigation" aria-label="top 
navigation"> <i data-toggle="wy-nav-top" class="fa fa-bars"></i> <a href=".">RE&CT</a> </nav> <div class="wy-nav-content"> <div class="rst-content"> <div role="main"> <div class="section"> <p><a href="index_RU/">Russian version</a></p> <h1 id="rect">RE&amp;CT</h1> <p><img alt="" src="images/logo_v2.png" /></p> <p>The RE&amp;CT Framework is designed for accumulating, describing and categorizing actionable Incident Response techniques. </p> <p>RE&amp;CT's philosophy is based on the <a href="https://attack.mitre.org/">MITRE ATT&amp;CK</a> framework.<br /> The columns represent <a href="responsestages/">Response Stages</a>.<br /> The cells represent <a href="#response-action">Response Actions</a>. 
</p> <p>The main use cases are:</p> <ul> <li>Prioritization of Incident Response capabilities development, including skills development, technical measures acquisition/deployment, internal procedures development, etc.</li> <li>Gap analysis: determining the "coverage" of existing Incident Response capabilities</li> </ul> <p>The main resources:</p> <ul> <li><a href="https://atc-project.github.io/react-navigator/">RE&amp;CT Navigator</a> (a modified <a href="https://github.com/mitre-attack/attack-navigator">ATT&amp;CK Navigator</a>) for visualization and observing the big picture </li> <li>The automatically generated RE&amp;CT <a href="https://atc-project.github.io/atc-react/">website</a>, the best place for getting details about existing analytics </li> <li>The automatically generated <a href="https://atomicthreatcoverage.atlassian.net/wiki/spaces/REACT/pages/755469668/Response+Stages">Atlassian Confluence knowledge base</a>, a demonstration of the export functionality </li> </ul> <table> <thead> <tr> <th align="center">Preparation</th> <th align="center">Identification</th> <th align="center">Containment</th> <th align="center">Eradication</th> <th align="center">Recovery</th> <th align="center">Lessons Learned</th> </tr> </thead> <tbody> <tr> <td align="center"><a href="Response_Actions/RA_1001_practice/"><strong>Practice</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/49">List victims of security alert*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/234">Patch vulnerability*</a></td> <td align="center"><a href="Response_Actions/RA_4001_report_incident_to_external_companies/"><strong>Report incident to external companies</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/38">Reinstall host from golden image*</a></td> <td align="center"><a href="Response_Actions/RA_6001_develop_incident_report/"><strong>Develop incident report</strong></a></td> </tr> <tr> <td 
align="center"><a href="Response_Actions/RA_1002_take_trainings/"><strong>Take trainings</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/204">List host vulnerabilities*</a></td> <td align="center"><a href="Response_Actions/RA_3101_block_external_ip_address/"><strong>Block external IP address</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/247">Remove rogue network device*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/252">Restore data from backup*</a></td> <td align="center"><a href="Response_Actions/RA_6002_conduct_lessons_learned_exercise/"><strong>Conduct lessons learned exercise</strong></a></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1003_raise_personnel_awareness/"><strong>Raise personnel awareness</strong></a></td> <td align="center"><a href="Response_Actions/RA_2003_put_compromised_accounts_on_monitoring/"><strong>Put compromised accounts on monitoring</strong></a></td> <td align="center"><a href="Response_Actions/RA_3102_block_internal_ip_address/"><strong>Block internal IP address</strong></a></td> <td align="center"><a href="Response_Actions/RA_4201_delete_email_message/"><strong>Delete email message</strong></a></td> <td align="center"><a href="Response_Actions/RA_5101_unblock_blocked_ip/"><strong>Unblock blocked IP</strong></a></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1004_make_personnel_report_suspicious_activity/"><strong>Make personnel report suspicious activity</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/45">List hosts communicated with internal domain*</a></td> <td align="center"><a href="Response_Actions/RA_3103_block_external_domain/"><strong>Block external domain</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/248">Remove file*</a></td> <td 
align="center"><a href="Response_Actions/RA_5102_unblock_blocked_domain/"><strong>Unblock blocked domain</strong></a></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/132">Set up relevant data collection*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/46">List hosts communicated with internal IP*</a></td> <td align="center"><a href="Response_Actions/RA_3104_block_internal_domain/"><strong>Block internal domain</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/249">Remove registry key*</a></td> <td align="center"><a href="Response_Actions/RA_5103_unblock_blocked_url/"><strong>Unblock blocked URL</strong></a></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/133">Set up a centralized long-term log storage*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/47">List hosts communicated with internal URL*</a></td> <td align="center"><a href="Response_Actions/RA_3105_block_external_url/"><strong>Block external URL</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/250">Remove service*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/253">Unblock blocked port*</a></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/134">Develop communication map*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/31">Analyse domain name*</a></td> <td align="center"><a href="Response_Actions/RA_3106_block_internal_url/"><strong>Block internal URL</strong></a></td> <td align="center"><a href="Response_Actions/RA_4601_revoke_authentication_credentials/"><strong>Revoke authentication credentials</strong></a></td> <td align="center"><a 
href="https://github.com/atc-project/atc-react/issues/254">Unblock blocked user*</a></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/135">Make sure there are backups*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/40">Analyse IP*</a></td> <td align="center"><a href="Response_Actions/RA_3107_block_port_external_communication/"><strong>Block port external communication</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/251">Remove user account*</a></td> <td align="center"><a href="Response_Actions/RA_5201_unblock_domain_on_email/"><strong>Unblock domain on email</strong></a></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/136">Get network architecture map*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/32">Analyse URI*</a></td> <td align="center"><a href="Response_Actions/RA_3108_block_port_internal_communication/"><strong>Block port internal communication</strong></a></td> <td align="center"></td> <td align="center"><a href="Response_Actions/RA_5202_unblock_sender_on_email/"><strong>Unblock sender on email</strong></a></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/137">Get access control matrix*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/205">List hosts communicated by port*</a></td> <td align="center"><a href="Response_Actions/RA_3109_block_user_external_communication/"><strong>Block user external communication</strong></a></td> <td align="center"></td> <td align="center"><a href="Response_Actions/RA_5203_restore_quarantined_email_message/"><strong>Restore quarantined email message</strong></a></td> <td align="center"></td> </tr> <tr> <td align="center"><a 
href="https://github.com/atc-project/atc-react/issues/138">Develop assets knowledge base*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/206">List hosts connected to VPN*</a></td> <td align="center"><a href="Response_Actions/RA_3110_block_user_internal_communication/"><strong>Block user internal communication</strong></a></td> <td align="center"></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/255">Restore quarantined file*</a></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/139">Check analysis toolset*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/207">List hosts connected to intranet*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/235">Block data transferring by content pattern*</a></td> <td align="center"></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/256">Unblock blocked process*</a></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/140">Access vulnerability management system logs*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/208">List data transferred*</a></td> <td align="center"><a href="Response_Actions/RA_3201_block_domain_on_email/"><strong>Block domain on email</strong></a></td> <td align="center"></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/257">Enable disabled service*</a></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1014_connect_with_trusted_communities/"><strong>Connect with trusted communities</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/209">Collect transferred data*</a></td> <td align="center"><a href="Response_Actions/RA_3202_block_sender_on_email/"><strong>Block 
sender on email</strong></a></td> <td align="center"></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/258">Unlock locked user account*</a></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1101_access_external_network_flow_logs/"><strong>Access external network flow logs</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/210">Identify transferred data*</a></td> <td align="center"><a href="Response_Actions/RA_3203_quarantine_email_message/"><strong>Quarantine email message</strong></a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/141">Access internal network flow logs*</a></td> <td align="center"><a href="Response_Actions/RA_2113_list_hosts_communicated_with_external_domain/"><strong>List hosts communicated with external domain</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/236">Quarantine file by format*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/142">Access internal HTTP logs*</a></td> <td align="center"><a href="Response_Actions/RA_2114_list_hosts_communicated_with_external_ip/"><strong>List hosts communicated with external IP</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/237">Quarantine file by hash*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1104_access_external_http_logs/"><strong>Access external HTTP logs</strong></a></td> <td align="center"><a href="Response_Actions/RA_2115_list_hosts_communicated_with_external_url/"><strong>List hosts communicated with external URL</strong></a></td> <td align="center"><a 
href="https://github.com/atc-project/atc-react/issues/238">Quarantine file by path*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/143">Access internal DNS logs*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/211">Find data transferred by content pattern*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/239">Quarantine file by content pattern*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1106_access_external_dns_logs/"><strong>Access external DNS logs</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/306">Analyse user-agent*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/240">Block process by executable path*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/144">Access VPN logs*</a></td> <td align="center"><a href="Response_Actions/RA_2201_list_users_opened_email_message/"><strong>List users opened email message</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/241">Block process by executable metadata*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/145">Access DHCP logs*</a></td> <td align="center"><a href="Response_Actions/RA_2202_collect_email_message/"><strong>Collect email message</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/242">Block process by executable hash*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> 
<td align="center"><a href="https://github.com/atc-project/atc-react/issues/146">Access internal packet capture data*</a></td> <td align="center"><a href="Response_Actions/RA_2203_list_email_message_receivers/"><strong>List email message receivers</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/243">Block process by executable format*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/147">Access external packet capture data*</a></td> <td align="center"><a href="Response_Actions/RA_2204_make_sure_email_message_is_phishing/"><strong>Make sure email message is phishing</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/244">Block process by executable content pattern*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1111_get_ability_to_block_external_ip_address/"><strong>Get ability to block external IP address</strong></a></td> <td align="center"><a href="Response_Actions/RA_2205_extract_observables_from_email_message/"><strong>Extract observables from email message</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/245">Disable system service*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/148">Get ability to block internal IP address*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/307">Analyse email address*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/246">Lock user account*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a 
href="Response_Actions/RA_1113_get_ability_to_block_external_domain/"><strong>Get ability to block external domain</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/48">List files created*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/149">Get ability to block internal domain*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/212">List files modified*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1115_get_ability_to_block_external_url/"><strong>Get ability to block external URL</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/213">List files deleted*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/150">Get ability to block internal URL*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/214">List files downloaded*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/151">Get ability to block port external communication*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/215">List files with tampered timestamps*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/152">Get ability to block port internal communication*</a></td> <td align="center"><a 
href="https://github.com/atc-project/atc-react/issues/216">Find file by path*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/153">Get ability to block user external communication*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/217">Find file by metadata*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/154">Get ability to block user internal communication*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/218">Find file by hash*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/155">Get ability to find data transferred by content pattern*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/219">Find file by format*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/156">Get ability to block data transferring by content pattern*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/220">Find file by content pattern*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/157">Get ability to list data transferred*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/221">Collect file*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td 
align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/158">Get ability to collect transferred data*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/39">Analyse file hash*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/159">Get ability to identify transferred data*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/33">Analyse Windows PE*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/211">Find data transferred by content pattern*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/41">Analyse macOS Mach-O*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/312">Get ability to analyse user-agent*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/44">Analyse Unix ELF*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1201_get_ability_to_list_users_opened_email_message/"><strong>Get ability to list users opened email message</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/42">Analyse MS Office file*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1202_get_ability_to_list_email_message_receivers/"><strong>Get ability to list email message receivers</strong></a></td> 
<td align="center"><a href="https://github.com/atc-project/atc-react/issues/43">Analyse PDF file*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1203_get_ability_to_block_email_domain/"><strong>Get ability to block email domain</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/274">Analyse script*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1204_get_ability_to_block_email_sender/"><strong>Get ability to block email sender</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/308">Analyse jar*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1205_get_ability_to_delete_email_message/"><strong>Get ability to delete email message</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/309">Analyse filename*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="Response_Actions/RA_1206_get_ability_to_quarantine_email_message/"><strong>Get ability to quarantine email message</strong></a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/34">List processes executed*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/161">Get ability to collect email message*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/222">Find process by executable path*</a></td> <td align="center"></td> <td 
align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/313">Get ability to analyse email address*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/223">Find process by executable metadata*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/162">Get ability to list files created*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/224">Find process by executable hash*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/163">Get ability to list files modified*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/225">Find process by executable format*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/164">Get ability to list files deleted*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/226">Find process by executable content pattern*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/165">Get ability to list files downloaded*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/37">List registry keys modified*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/166">Get ability to list 
files with tampered timestamps*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/227">List registry keys deleted*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/167">Get ability to find file by path*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/228">List registry keys accessed*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/168">Get ability to find file by metadata*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/229">List registry keys created*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/169">Get ability to find file by hash*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/230">List services created*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/170">Get ability to find file by format*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/231">List services modified*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/171">Get ability to find file by content pattern*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/232">List services deleted*</a></td> <td align="center"></td> <td align="center"></td> <td 
align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/172">Get ability to collect file*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/310">Analyse registry key*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/173">Get ability to quarantine file by path*</a></td> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/233">List users authenticated*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/174">Get ability to quarantine file by hash*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/175">Get ability to quarantine file by format*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/176">Get ability to quarantine file by content pattern*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/177">Get ability to remove file*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/267">Get ability to analyse file hash*</a></td> <td align="center"></td> <td align="center"></td> <td 
align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/268">Get ability to analyse windows pe*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/269">Get ability to analyse macos macho*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/270">Get ability to analyse unix elf*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/271">Get ability to analyse ms office file*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/272">Get ability to analyse pdf file*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/273">Get ability to analyse script*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/314">Get ability to analyse jar*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/315">Get ability to 
analyse filename*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/178">Get ability to list processes executed*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/179">Get ability to find process by executable path*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/180">Get ability to find process by executable metadata*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/181">Get ability to find process by executable hash*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/182">Get ability to find process by executable format*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/183">Get ability to find process by executable content pattern*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/184">Get ability to block process by executable path*</a></td> <td align="center"></td> <td 
align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/185">Get ability to block process by executable metadata*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/186">Get ability to block process by executable hash*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/187">Get ability to block process by executable format*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/188">Get ability to block process by executable content pattern*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/189">Manage remote computer management system policies*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/190">Get ability to list registry keys modified*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/191">Get ability to list registry keys deleted*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td 
align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/192">Get ability to list registry keys accessed*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/193">Get ability to list registry keys created*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/194">Get ability to list services created*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/195">Get ability to list services modified*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/196">Get ability to list services deleted*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/197">Get ability to remove registry key*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/198">Get ability to remove service*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/316">Get 
ability to analyse registry key*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/199">Manage identity management system*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/200">Get ability to lock user account*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/201">Get ability to list users authenticated*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/202">Get ability to revoke authentication credentials*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"><a href="https://github.com/atc-project/atc-react/issues/203">Get ability to remove user account*</a></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> <tr> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> <td align="center"></td> </tr> </tbody> </table> <p><br></p> <p>Response Actions marked by "*" sign are just placeholders, listed to define the way RE&amp;CT will grow.<br /> The links lead to GitHub issues, that you can use to contribute your analytics.</p> <h2 id="actionable-analytics">Actionable Analytics</h2> <p>The ATC RE&amp;CT project inherits the "Actionable 
Analytics" paradigm from the <a href="https://github.com/atc-project/atomic-threat-coverage">ATC</a> project, which means that the analytics are:</p> <ul> <li><strong>human-readable</strong> (<code>.md</code>) for sharing/using in operations</li> <li><strong>machine-readable</strong> (<code>.yml</code>) for automatic processing/integrations</li> <li><strong>executable</strong> by an Incident Response Platform (<a href="thehive_templates/">TheHive Case Templates</a> only, at the moment)</li> </ul> <p>Simply put, the analytics are stored in <code>.yml</code> files that are automatically converted to <code>.md</code> documents (with <a href="https://palletsprojects.com/p/jinja/">jinja</a>) and to <code>.json</code> TheHive Case Templates.<br /> For information about customization and usage, please refer to the <a href="https://github.com/atc-project/atc-react#usage">usage</a> section of the project README. </p> <h3 id="response-action">Response Action</h3> <p>A Response Action is a description of a specific atomic procedure/task that has to be executed during Incident Response. It is the initial entity from which Response Playbooks are constructed.
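As an added example (not code from the atc-react project), the following Python shows the pipeline idea from this section, a machine-readable record turned into a human-readable and an executable form, together with the Response Action ID scheme described in the Response Action section below: it parses an ID into its Stage and Category, checks that a record's declared stage agrees with its ID, and renders a constructed record as Markdown and as a simplified TheHive-style task. The record layout, the task shape and the helper names are assumptions, not the project's schema, and plain string formatting stands in for the project's jinja rendering.

```python
"""Added example, not code from the atc-react project.

Assumptions: the record fields (id/title/stage/description) are a constructed
stand-in for the project's .yml schema; the task dict (title/description/order)
is a simplified TheHive case-template task; string formatting replaces jinja.
"""
import re

# Digit-to-name tables exactly as documented on the page.
STAGES = {"1": "Preparation", "2": "Identification", "3": "Containment",
          "4": "Eradication", "5": "Recovery", "6": "Lessons Learned"}
CATEGORIES = {"0": "General", "1": "Network", "2": "Email", "3": "File",
              "4": "Process", "5": "Configuration", "6": "Identity"}

# RA + stage digit + category digit + two-digit sequence number, e.g. RA2202.
RA_ID_PATTERN = re.compile(r"^RA(?P<stage>\d)(?P<category>\d)(?P<seq>\d{2})$")


def parse_ra_id(ra_id):
    """Return stage name, category name and sequence number for a valid RA ID.

    Raises ValueError for malformed IDs and for digits that are not documented
    stages/categories, so a typo in a new analytic is caught before it is built.
    """
    match = RA_ID_PATTERN.match(ra_id.strip())
    if not match:
        raise ValueError(f"malformed Response Action ID: {ra_id!r}")
    stage_digit, category_digit = match["stage"], match["category"]
    if stage_digit not in STAGES:
        raise ValueError(f"{ra_id}: unknown stage digit {stage_digit}")
    if category_digit not in CATEGORIES:
        raise ValueError(f"{ra_id}: unknown category digit {category_digit}")
    return {"stage": STAGES[stage_digit],
            "category": CATEGORIES[category_digit],
            "seq": int(match["seq"])}


def is_valid_ra_id(ra_id):
    """Boolean convenience wrapper around parse_ra_id."""
    try:
        parse_ra_id(ra_id)
        return True
    except ValueError:
        return False


def validate_record(record):
    """Return a list of problems; empty when the record is consistent.

    The declared 'stage' field must agree with the stage encoded in the ID
    (a hypothetical pre-build check, not the project's own tooling).
    """
    try:
        parsed = parse_ra_id(record["id"])
    except (KeyError, ValueError) as exc:
        return [str(exc)]
    problems = []
    if record.get("stage") != parsed["stage"]:
        problems.append(f"{record['id']}: declared stage {record.get('stage')!r} "
                        f"does not match ID stage {parsed['stage']!r}")
    return problems


def render_markdown(record):
    """Human-readable (.md) form of the record; stand-in for the jinja template."""
    parsed = parse_ra_id(record["id"])
    return (f"# {record['id']}: {record['title']}\n\n"
            f"- Stage: {parsed['stage']}\n"
            f"- Category: {parsed['category']}\n\n"
            f"{record.get('description', '').strip()}\n")


def to_thehive_task(record, order):
    """Executable form: one task of a (simplified) TheHive case template."""
    return {"title": f"{record['id']}: {record['title']}",
            "description": render_markdown(record),
            "order": order}


# Constructed sample record modelled on RA2202 from the page; the description
# text is made up for the example.
SAMPLE_RECORD = {
    "id": "RA2202",
    "title": "Collect an email message",
    "stage": "Identification",
    "description": "Collect the original message, including headers, for analysis.",
}

if __name__ == "__main__":
    print(parse_ra_id(SAMPLE_RECORD["id"]))
    print("problems:", validate_record(SAMPLE_RECORD))
    print(render_markdown(SAMPLE_RECORD))
```

The consistency check is the part worth keeping around: because the Stage is encoded in the ID, a record whose declared stage disagrees with its ID is either mis-numbered or mis-filed, and that is cheaper to catch before the Markdown and TheHive artefacts are generated than after they have been imported.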
</p> <p>Each Response Action is mapped to a specific <a href="responsestages/">Response Stage</a>.<br /> The first digit of the Response Action ID reflects the Stage it belongs to:</p> <ul> <li><strong>1</strong>: Preparation</li> <li><strong>2</strong>: Identification</li> <li><strong>3</strong>: Containment</li> <li><strong>4</strong>: Eradication</li> <li><strong>5</strong>: Recovery</li> <li><strong>6</strong>: Lessons Learned</li> </ul> <p>The second digit of the Response Action ID reflects the Category it belongs to:</p> <ul> <li><strong>0</strong>: General</li> <li><strong>1</strong>: Network</li> <li><strong>2</strong>: Email</li> <li><strong>3</strong>: File</li> <li><strong>4</strong>: Process</li> <li><strong>5</strong>: Configuration</li> <li><strong>6</strong>: Identity</li> </ul> <p>This way, the Response Action ID alone tells you the Stage and Category it belongs to.<br /> For example, <a href="Response_Actions/RA_2202_collect_email_message/">RA<strong>22</strong>02: Collect an email message</a> is related to Stage <strong>2</strong> (Identification) and Category <strong>2</strong> (Email).</p> <p>The categorization aims to improve Incident Response process maturity assessment and roadmap development.</p> <h3 id="response-playbook">Response Playbook</h3> <p>A Response Playbook is an Incident Response plan that represents the complete list of procedures/tasks (Response Actions) that have to be executed to respond to a specific threat, with optional mapping to the <a href="https://attack.mitre.org/">MITRE's ATT&amp;CK</a> or <a href="https://github.com/misinfosecproject/amitt_framework">Misinfosec's AMITT</a> frameworks.</p> <p>A Response Playbook can include a description of the workflow, specific conditions/requirements, details on the order in which Response Actions are executed, or any other relevant information.</p> <h3 id="thehive-case-templates">TheHive Case Templates</h3> <p>TheHive Case Templates are built on top of the Response Playbooks. 
Each task in a Case Template is a Response Action (with its full description). </p> <p>Here is an example of an imported TheHive Case Template:</p> <details> <summary>Imported TheHive Case Template, made on top of a Response Playbook (click to expand)</summary> <img src="images/thehive_case_template_v1.png" /> </details> <details> <summary>One of the Tasks in a TheHive Case, made on top of a Response Action (click to expand)</summary> <img src="images/thehive_case_task_v1.png" /> </details> <p><br> TheHive Case Templates can be found in the <code>docs/thehive_templates</code> directory and can be imported into TheHive via its web interface.</p> <h2 id="contacts">Contacts</h2> <ul> <li>Follow us on <a href="https://twitter.com/atc_project">Twitter</a> for updates</li> <li>Join discussions in <a href="https://join.slack.com/t/atomicthreatcoverage/shared_invite/zt-6ropl01z-wIdiq3M0AEZPj_HiKfbiBg">Slack</a> or <a href="https://t.me/atomic_threat_coverage">Telegram</a> </li> </ul> <h2 id="contributors">Contributors</h2> <ul> <li>Timur Zinniatullin, <a href="https://twitter.com/zinint">@zinint</a> </li> <li>Daniil Svetlov, <a href="https://twitter.com/Mr_4nders0n">@Mr_4nders0n</a> </li> <li>Andreas Hunkeler, <a href="https://github.com/Karneades">@Karneades</a></li> <li>Patrick Abraham, <a href="https://github.com/pjabes">@pjabes</a></li> <li>Lucas Berezy, <a href="https://github.com/lberezy">@lberezy</a></li> <li>Efe Erdur, <a href="https://github.com/efeerdur">@efeerdur</a></li> <li>Alejandro Ortuno, <a href="https://twitter.com/aomanzanera">@aomanzanera</a> </li> <li><a href="https://github.com/d3anp">@d3anp</a> </li> <li>Christoph Bott, <a href="https://github.com/xofolowski">@xofolowski</a> </li> </ul> <p>Would you like to become one? You are very welcome! 
Our <a href="https://github.com/atc-project/atc-react/blob/master/CONTRIBUTING.md">CONTRIBUTING</a> guideline is a good starting point.</p> <h2 id="roadmap">Roadmap</h2> <p>The roadmap and related discussions can be found in the project <a href="https://github.com/atc-project/atc-react/issues">issues</a> by label:</p> <ul> <li><a href="https://github.com/atc-project/atc-react/issues?q=is%3Aissue+is%3Aopen+label%3Adiscussion">Discussions</a></li> <li><a href="https://github.com/atc-project/atc-react/issues?q=is%3Aissue+is%3Aopen+label%3Aquestion">Questions</a></li> <li><a href="https://github.com/atc-project/atc-react/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement">Enhancements</a></li> <li><a href="https://github.com/atc-project/atc-react/issues?q=is%3Aissue+is%3Aopen+label%3ARA-dev">Response Actions development</a></li> </ul> <h2 id="license">License</h2> <p>See the <a href="https://github.com/atc-project/atc-react/blob/master/LICENSE">LICENSE</a> file.</p> </div> </div> <footer> <hr/> <div role="contentinfo"> <!-- Copyright etc --> </div> Built with <a href="https://www.mkdocs.org/">MkDocs</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. </footer> </div> </div> </section> </div> <div class="rst-versions" role="note" aria-label="versions"> <span class="rst-current-version" data-toggle="rst-current-version"> <a href="https://github.com/atc-project/atc-react" class="fa fa-github" style="float: left; color: #fcfcfc"> GitHub</a> <span style="margin-left: 15px"><a href="index_RU/" style="color: #fcfcfc">Next &raquo;</a></span> </span> </div> <script>var base_url = '.';</script> <script src="js/theme.js" defer></script> <script defer> window.onload = function () { SphinxRtdTheme.Navigation.enable(false); }; </script> </body> </html>