ID: RS0002
Gather information about a threat that has triggered a security incident, its TTPs, and affected assets.
| ID | Name | Description |
|---|---|---|
| RA2001 | List victims of security alert | List victims of a security alert |
| RA2002 | List host vulnerabilities | Get information about a specific host existing vulnerabilities, or about vulnerabilities it had at a particular time in the past |
| RA2003 | Put compromised accounts on monitoring | Put (potentially) compromised accounts on monitoring |
| RA2101 | List hosts communicated with internal domain | List hosts communicated with an internal domain |
| RA2102 | List hosts communicated with internal IP | List hosts communicated with an internal IP address |
| RA2103 | List hosts communicated with internal URL | List hosts communicated with an internal URL |
| RA2104 | Analyse domain name | Analyse a domain name |
| RA2105 | Analyse IP | Analyse an IP address |
| RA2106 | Analyse uri | Analyse an URI |
| RA2107 | List hosts communicated by port | List hosts communicating by a specific port at the moment or at a particular time in the past |
| RA2108 | List hosts connected to VPN | List hosts connected to a VPN at the moment or at a particular time in the past |
| RA2109 | List hosts connected to intranet | List hosts connected to the internal network at the moment or at a particular time in the past |
| RA2110 | List data transferred | List the data that is being transferred at the moment or at a particular time in the past |
| RA2111 | Collect transferred data | Collect the data that is being transferred at the moment or at a particular time in the past |
| RA2112 | Identify transferred data | Identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value) |
| RA2113 | List hosts communicated with external domain | List hosts communicated with an external domain |
| RA2114 | List hosts communicated with external IP | List hosts communicated with an external IP address |
| RA2115 | List hosts communicated with external URL | List hosts communicated with an external URL |
| RA2116 | Find data transferred by content pattern | Find the data that is being transferred at the moment or at a particular time in the past by its content pattern (i.e. specific string, keyword, binary pattern etc) |
| RA2117 | Analyse user-agent | Analyse an User-Agent request header for indications of suspicious activity |
| RA2118 | List Firewall rules | List firewall rules |
| RA2201 | List users opened email message | List users that have opened am email message |
| RA2202 | Collect email message | Collect an email message |
| RA2203 | List email message receivers | List receivers of a particular email message |
| RA2204 | Make sure email message is phishing | Make sure that an email message is a phishing attack |
| RA2205 | Extract observables from email message | Extract observables from an email message |
| RA2206 | Analyse email address | Analyse an email address |
| RA2301 | List files created | List files that have been created at a particular time in the past |
| RA2302 | List files modified | List files that have been modified at a particular time in the past |
| RA2303 | List files deleted | List files that have been deleted at a particular time in the past |
| RA2304 | List files downloaded | List files that have been downloaded at a particular time in the past |
| RA2305 | List files with tampered timestamps | List files with tampered timestamps |
| RA2306 | Find file by path | Find a file by its path (including its name) |
| RA2307 | Find file by metadata | Find a file by its metadata (i.e. signature, permissions, MAC times) |
| RA2308 | Find file by hash | Find a file by its hash |
| RA2309 | Find file by format | Find a file by its format |
| RA2310 | Find file by content pattern | Find a file by its content pattern (i.e. specific string, keyword, binary pattern etc) |
| RA2311 | Collect file | Collect a specific file from a (remote) host or a system |
| RA2312 | Analyse file hash | Analise a hash of a file |
| RA2313 | Analyse Windows PE | Analise MS Windows Portable Executable |
| RA2314 | Analyse macos macho | Analise macOS Mach-O |
| RA2315 | Analyse Unix ELF | Analise Unix ELF |
| RA2316 | Analyse MS office file | Analise MS Office file |
| RA2317 | Analyse PDF file | Analise PDF file |
| RA2318 | Analyse script | Analyse a script file (i.e. Python, PowerShell, Bash scripts etc) |
| RA2319 | Analyse jar | Analyse a JAR file |
| RA2320 | Analyse filename | Analyse a filename |
| RA2401 | List processes executed | List processes being executed at the moment or at a particular time in the past |
| RA2402 | Find process by executable path | Find a process that is being executed at the moment or at a particular time in the past by its executable path (including its name) |
| RA2403 | Find process by executable metadata | Find a process that is being executed at the moment or at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times) |
| RA2404 | Find process by executable hash | Find a process that is being executed at the moment or at a particular time in the past by its executable hash |
| RA2405 | Find process by executable format | Find a process that is being executed at the moment or at a particular time in the past by its executable format |
| RA2406 | Find process by executable content pattern | Find a process that is being executed at the moment or at a particular time in the past by its executable content (i.e. specific string, keyword, binary pattern etc) |
| RA2501 | List registry keys modified | List registry keys modified at a particular time in the past |
| RA2502 | List registry keys deleted | List registry keys that have been deleted at a particular time in the past |
| RA2503 | List registry keys accessed | List registry keys that have been accessed at a particular time in the past |
| RA2504 | List registry keys created | List registry keys that have been created at a particular time in the past |
| RA2505 | List services created | List services that have been created at a particular time in the past |
| RA2506 | List services modified | List services that have been modified at a particular time in the past |
| RA2507 | List services deleted | List services that have been deleted at a particular time in the past |
| RA2508 | Analyse registry key | Analyse a registry key |
| RA2601 | List users authenticated | List users authenticated at a particular time in the past on a particular system |
| RA2602 | List user accounts | List user accounts on a particular system |