Rendered documentation
This page renders the module's Markdown and Mermaid directly from the public documentation source.
Overview
Argus implements CACAO v2.0 (Collaborative Automated Course of Action Operations), the OASIS standard for describing and sharing cybersecurity playbooks. CACAO playbooks define structured response workflows -- from initial triage through containment and recovery -- as machine-readable JSON that can be imported, stored, executed, and shared across organisations. Argus adds OpenC2 command execution support, allowing CACAO workflow steps to trigger automated response actions against connected security tools.
Key Features
CACAO v2.0 Playbook Import
Submit CACAO playbooks as JSON via the importCacaoPlaybook mutation. The service validates the document structure against the CACAO v2.0 schema, parses playbook metadata (name, description, type, created, modified, playbook variables), and persists the canonical JSON alongside extracted metadata to PostgreSQL. Invalid playbooks are rejected with structured validation errors before any storage occurs.
OpenC2 Command Execution
CACAO workflow steps of type action with an OpenC2 command target can be executed directly from Argus via the OpenC2Client. This enables automated responses -- blocking an IP on a firewall, isolating a host, or revoking a session token -- triggered by CACAO step execution without manual intervention. OpenC2 actuator endpoints are configured per organisation.
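As an added example (not Argus's own code, whose implementation this page does not show), the following Python sketch performs the kind of structural check the import path makes before anything is stored, and pulls out the OpenC2 messages an action step would hand to an OpenC2 client. It uses the CACAO v2.0 property names (type, spec_version, workflow_start, workflow, on_completion, commands, and the openc2-http command type) and assumes, for the sake of the example, that the OpenC2 message travels base64-encoded in the command's content_b64 property; every identifier and the address are constructed placeholders.

```python
import base64
import json
# Constructed placeholder identifiers (valid CACAO id shape, not from any real playbook).
START_ID = "start--11111111-1111-4111-8111-111111111111"
ACTION_ID = "action--22222222-2222-4222-8222-222222222222"
END_ID = "end--33333333-3333-4333-8333-333333333333"
# Assumed carrier: the OpenC2 v1.0 message, base64-encoded in the command's content_b64.
OPENC2_DENY = base64.b64encode(json.dumps(
    {"action": "deny", "target": {"ipv4_net": "203.0.113.5/32"}}).encode()).decode()
# Constructed sample: a minimal CACAO v2.0 playbook with a single OpenC2 action step.
SAMPLE_PLAYBOOK = {
    "type": "playbook", "spec_version": "cacao-2.0", "name": "Contain suspected host",
    "id": "playbook--44444444-4444-4444-8444-444444444444",
    "created": "2026-01-01T00:00:00.000Z", "modified": "2026-01-01T00:00:00.000Z",
    "workflow_start": START_ID,
    "workflow": {
        START_ID: {"type": "start", "on_completion": ACTION_ID},
        ACTION_ID: {"type": "action", "name": "Block address at the perimeter",
                    "commands": [{"type": "openc2-http", "content_b64": OPENC2_DENY}],
                    "on_completion": END_ID},
        END_ID: {"type": "end"},
    },
}
REQUIRED = ("type", "spec_version", "id", "name", "created", "modified",
            "workflow_start", "workflow")

def validate_playbook(pb):
    """Return structural errors; an empty list means the document may be persisted."""
    errors = [f"missing required property: {k}" for k in REQUIRED if k not in pb]
    if errors:
        return errors  # do not inspect the workflow until the top level is complete
    if pb["type"] != "playbook" or pb["spec_version"] != "cacao-2.0":
        errors.append("not a CACAO v2.0 playbook object")
    steps = pb["workflow"]
    if pb["workflow_start"] not in steps:
        errors.append("workflow_start does not reference a workflow step")
    for step_id, step in steps.items():
        nxt = step.get("on_completion")
        if nxt is not None and nxt not in steps:
            errors.append(f"{step_id}: on_completion points at unknown step {nxt}")
        if step.get("type") == "action" and not step.get("commands"):
            errors.append(f"{step_id}: action step carries no commands")
    return errors

def openc2_commands(pb):
    """Decode the OpenC2 messages carried by openc2-http commands, as (step id, message) pairs."""
    return [(sid, json.loads(base64.b64decode(c["content_b64"])))
            for sid, step in pb["workflow"].items() for c in step.get("commands", [])
            if c.get("type") == "openc2-http" and "content_b64" in c]
```

A real import must additionally validate against the full CACAO JSON schema; the checks here only show why a dangling step reference or a missing required property is caught before the record reaches the database.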
CACAO Bundle Export
Export stored playbooks as standards-compliant CACAO v2.0 JSON bundles via the exportCacaoPlaybook mutation. The build_cacao_export adapter serialises the stored playbook record back to the CACAO format, ready for sharing with partner organisations via MISP, STIX bundles, or direct exchange. Each export is logged as an interop export audit event.
Clearance-Filtered Playbook Listing
The playbook inventory enforces row-level secrecy filtering so that playbooks tagged SECRET or above are invisible to analysts with lower clearance. This allows a shared playbook library to contain response procedures across multiple classification levels, each visible only to cleared personnel.
Playbook Status and Versioning
Playbooks carry status metadata (draft, verified, deprecated), version strings, and author information from the CACAO specification. The listing query supports filtering by status to separate production-ready playbooks from drafts under review.
Use Cases
- Ransomware Response Automation: Import a CACAO playbook defining ransomware containment steps and use OpenC2 execution to automatically isolate infected hosts the moment an infection is confirmed.
- Intel-Driven Response: Link a CACAO playbook to a Sigma rule or MISP indicator set -- when a detection fires, the associated playbook provides the verified response procedure for the analyst to execute or automate.
- Cross-Agency Playbook Sharing: Export verified incident response playbooks as CACAO bundles and share with partner CERTs or allied organisations in a machine-readable format they can import into their own platforms.
- Compliance Exercise Automation: Run tabletop exercises using CACAO playbooks with OpenC2 execution against sandbox environments to validate response procedures before operational use.
Integration
Available via GraphQL with queries for playbook listing and statistics, and mutations for import, export, step execution, and schema validation. All operations require authentication and organisation scoping.
Implements the OASIS CACAO v2.0 specification. OpenC2 command execution follows the OpenC2 Language Specification v1.0. Works alongside the Playbooks domain (for Argus-native playbooks), the MISP and STIX integrations (for intelligence-linked response), and the Sigma rules engine (for detection-triggered playbook activation).
Last Reviewed: 2026-03-18