Course of Action Entities

Similar to Attack Patterns, Course of Action entities are borrowed from STIX, and the STIX definition serves CTIM's purpose as well: an action taken either to prevent an attack or to respond to an attack that is in progress.

To serve this purpose, Course of Action entities are contextualized by the attack that they mitigate. A Course of Action without this context is like a solution without a problem: it is nonsensical. The context is expressed by a relationship of type "mitigates" from the Course of Action to an attack pattern, incident, malware, or tool.

Course of Action Field Summary

  • id - Globally unique URI identifying this object.
  • schema_version - CTIM schema version for this entity.
  • type - A string "course-of-action".
  • valid_time - Must include a start_time datetime string, and may include an optional end_time, which must not be later than "2525-01-01T00:00:00.000Z". See the example below.

Course of Action Example

{
    "description":"Set and enforce secure password policies for accounts.",
    "valid_time":{
        "start_time":"2020-05-29T17:13:35.467Z",
        "end_time":"2525-01-01T00:00:00.000Z"
    },
    "schema_version":"1.1.3",
    "type":"coa",
    "source":"Modeling Threat Intelligence in CTIM Tutorial",
    "external_ids":[
        "ctim-tutorial-course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485"
    ],
    "title":"Password Policies",
    "external_references":[
        {
            "source_name":"mitre-attack",
            "url":"https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
            "external_id":"M1027"
        }
    ],
    "source_uri":"https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
    "id":"transient:ctim-tutorial-coa-36dd66b0-8be0-419d-8418-3b8b448e4995",
    "timestamp":"2022-10-21T15:52:23.327Z"
}
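The following is an added example, not code from the CTIM project or this tutorial. It checks an entity shaped like the one above against the field summary (required fields present, start_time parseable, end_time no later than the 2525 cap) and builds the "mitigates" relationship that gives the Course of Action its context. Assumptions: the type check follows the page's own example and expects "coa"; the relationship shape (type "relationship" with relationship_type, source_ref and target_ref) and the target type strings "attack-pattern", "incident", "malware" and "tool" are taken from my reading of CTIM and are not stated on this page; the end-before-start check is an added sanity check the field summary does not mention; the sample entity is constructed from the example above.

```python
import json
from datetime import datetime, timezone

# Latest allowed end_time for a CTIM valid_time, from the field summary above.
END_TIME_CAP = "2525-01-01T00:00:00.000Z"
# Type string as used by the page's own example entity (assumption: the example is authoritative).
COA_TYPE = "coa"
# Entity types a Course of Action may mitigate, per the text above; type strings are assumed.
MITIGATION_TARGET_TYPES = {"attack-pattern", "incident", "malware", "tool"}

# Constructed sample, copied in shape from the page's example entity.
SAMPLE_COA = {
    "id": "transient:ctim-tutorial-coa-36dd66b0-8be0-419d-8418-3b8b448e4995",
    "type": "coa",
    "schema_version": "1.1.3",
    "title": "Password Policies",
    "description": "Set and enforce secure password policies for accounts.",
    "valid_time": {
        "start_time": "2020-05-29T17:13:35.467Z",
        "end_time": "2525-01-01T00:00:00.000Z",
    },
}


def parse_ctim_time(value):
    """Parse a CTIM datetime string (RFC 3339 with a UTC 'Z' suffix) into an aware datetime."""
    if not isinstance(value, str) or not value.endswith("Z"):
        raise ValueError(f"not a UTC datetime string: {value!r}")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_coa(entity):
    """Return a list of problems; an empty list means the entity passes the field-summary checks."""
    problems = [f"missing required field: {f}"
                for f in ("id", "schema_version", "type", "valid_time") if f not in entity]
    if problems:
        return problems
    if entity["type"] != COA_TYPE:
        problems.append(f"type must be {COA_TYPE!r}, got {entity['type']!r}")
    vt = entity["valid_time"]
    if "start_time" not in vt:
        problems.append("valid_time.start_time is required")
        return problems
    try:
        start = parse_ctim_time(vt["start_time"])
    except ValueError as exc:
        problems.append(f"bad start_time: {exc}")
        return problems
    if "end_time" in vt:  # end_time is optional
        try:
            end = parse_ctim_time(vt["end_time"])
        except ValueError as exc:
            problems.append(f"bad end_time: {exc}")
            return problems
        if end > parse_ctim_time(END_TIME_CAP):
            problems.append(f"end_time later than {END_TIME_CAP}")
        if end < start:  # added sanity check, not stated in the field summary
            problems.append("end_time precedes start_time")
    return problems


def mitigates_relationship(coa, target, rel_id):
    """Build the 'mitigates' relationship that links a Course of Action to what it mitigates.

    Field names follow CTIM's relationship entity as I know it (assumption).
    """
    if target.get("type") not in MITIGATION_TARGET_TYPES:
        raise ValueError(f"a COA mitigates one of {sorted(MITIGATION_TARGET_TYPES)}, "
                         f"not {target.get('type')!r}")
    return {
        "id": rel_id,
        "type": "relationship",
        "schema_version": coa["schema_version"],
        "relationship_type": "mitigates",
        "source_ref": coa["id"],
        "target_ref": target["id"],
    }


if __name__ == "__main__":
    print("problems:", validate_coa(SAMPLE_COA))
    # Constructed placeholder ids for the attack pattern and the relationship.
    pattern = {"id": "transient:example-attack-pattern-1", "type": "attack-pattern"}
    print(json.dumps(mitigates_relationship(SAMPLE_COA, pattern, "transient:example-rel-1"), indent=2))
```

Running the module prints an empty problem list for the sample entity and the relationship that would accompany it into a bundle; feeding it an entity whose end_time passes the 2525 cap, or whose valid_time is missing, yields a named problem instead of silently accepting the object.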