Open
Description
Overview
When using CACAO Roaster with a playbook that contains openc2-http command types, the GUI raises an error:
Example
You can reproduce this error directly in the web tool with the following playbook:
{
"type": "playbook",
"spec_version": "cacao-2.0",
"id": "playbook--fe85f68d-1960-4596-96a2-228113e143cf",
"name": "Bad MAC Address (OpenC2)",
"description": "This playbook addresses a malicious MAC address using an OpenC2-HTTP command to block it on a network switch.",
"playbook_processing_summary": {},
"created_by": "identity--351b1469-64b4-4778-8d93-f7949a88990d",
"created": "2023-02-19T01:09:00.000Z",
"modified": "2023-02-19T01:09:00.000Z",
"workflow_start": "start--fa16a4e9-e6b9-4658-b464-ca1632ff57f4",
"workflow": {
"start--fa16a4e9-e6b9-4658-b464-ca1632ff57f4": {
"type": "start",
"description": "Start playbook to block a malicious MAC address via OpenC2.",
"on_completion": "action--6398eb05-3eb8-43f5-87d3-f24e07492a41"
},
"action--6398eb05-3eb8-43f5-87d3-f24e07492a41": {
"type": "openc2-http",
"command": "POST /api1/newObjects/ HTTP/1.1",
"content_b64": "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",
"headers": {
"Content-Type": [
"application/openc2+json;version=1.0"
]
}
},
"end--116cdac5-63f1-4d8f-b3a8-e5667936e9b6": {
"type": "end",
"description": "End of playbook after MAC address blocking command."
}
},
"agent_definitions": {
"individual--75baba7d-a198-4c5c-805c-af616b4f7a31": {
"type": "individual",
"name": "Network Admin",
"description": "The admin who triggers the OpenC2 command to block the MAC address."
}
},
"target_definitions": {
"security-category--3c1daf98-7e22-4e0c-bb8c-6bd78159ca5d": {
"type": "security-category",
"name": "Network Switch",
"category": [
"switch"
],
"description": "The target switch receiving the OpenC2 command."
}
}
}
The openc2-http command is taken directly from the specification documentation here:
https://docs.oasis-open.org/cacao/security-playbooks/v2.0/cs01/security-playbooks-v2.0-cs01.html#_Toc152256498