From 25f6e1fbcca0453fb46dd605c47384cd49eb943f Mon Sep 17 00:00:00 2001 From: Franz <106810393+franzling@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:36:12 +0100 Subject: [PATCH 1/4] Update IncidentManagementOwnership.yaml --- .../Ownership/IncidentManagementOwnership.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/metrics/IncidentManagement/Ownership/IncidentManagementOwnership.yaml b/metrics/IncidentManagement/Ownership/IncidentManagementOwnership.yaml index 462c8854..a355b9bc 100644 --- a/metrics/IncidentManagement/Ownership/IncidentManagementOwnership.yaml +++ b/metrics/IncidentManagement/Ownership/IncidentManagementOwnership.yaml @@ -1,8 +1,15 @@ # ====== Metadata ====== id: IncidentManagementOwnership -description: TODO (Is this a security feature or just add it as resource?) +description: This rule assesses whether a [Policy] has the expected [p1:SecurityIncident.Team] set correctly. implementationGuidelines: - AMOE: "Which team is in charge of handling security incidents? Keywords are ['Incident Management', 'CERT']" + AMOE: + question: "Which team is in charge of handling security incidents?" + keywords: + [ + "Incident Management", + "CERT", + ] + category: IncidentManagement version: "1.0" comments: "" From a8889b9e7278d03b6ab3ad6312a95e1c06f75f69 Mon Sep 17 00:00:00 2001 From: Franz <106810393+franzling@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:42:17 +0100 Subject: [PATCH 2/4] Update metric.rego --- .../IncidentManagement/Ownership/metric.rego | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/metrics/IncidentManagement/Ownership/metric.rego b/metrics/IncidentManagement/Ownership/metric.rego index f87f5c14..400f99e0 100644 --- a/metrics/IncidentManagement/Ownership/metric.rego +++ b/metrics/IncidentManagement/Ownership/metric.rego @@ -1 +1,23 @@ -# TODO \ No newline at end of file +package cch.metrics.incident_management_policy01 + +import data.cch.compare +import rego.v1 +import input as document + +default applicable := false + +default compliant := false + +applicable if { + document +} + +compliant if { + document:SecurityIncident.Team in data.target_value +} + +message := "The document has set the incident management team." if { + compliant +} else := "The document has not set a valid incident management team." if { + not compliant +} From c2dd2b35bcd3961dfe63da6871e5448ea258ed25 Mon Sep 17 00:00:00 2001 From: Franz <106810393+franzling@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:54:10 +0100 Subject: [PATCH 3/4] use existing compare function --- metrics/IncidentManagement/Ownership/metric.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metrics/IncidentManagement/Ownership/metric.rego b/metrics/IncidentManagement/Ownership/metric.rego index 400f99e0..75bd192e 100644 --- a/metrics/IncidentManagement/Ownership/metric.rego +++ b/metrics/IncidentManagement/Ownership/metric.rego @@ -13,7 +13,7 @@ applicable if { } compliant if { - document:SecurityIncident.Team in data.target_value + compare(data.operator, data.target_value, document:SecurityIncident.Team) } message := "The document has set the incident management team." if { From 385ab751d1e3dd8c01857d9a3364c6661ffdc74c Mon Sep 17 00:00:00 2001 From: Franz <106810393+franzling@users.noreply.github.com> Date: Tue, 2 Dec 2025 11:44:44 +0100 Subject: [PATCH 4/4] update description so it matches the others --- .../Ownership/IncidentManagementOwnership.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metrics/IncidentManagement/Ownership/IncidentManagementOwnership.yaml b/metrics/IncidentManagement/Ownership/IncidentManagementOwnership.yaml index a355b9bc..dc9ae82b 100644 --- a/metrics/IncidentManagement/Ownership/IncidentManagementOwnership.yaml +++ b/metrics/IncidentManagement/Ownership/IncidentManagementOwnership.yaml @@ -1,6 +1,6 @@ # ====== Metadata ====== id: IncidentManagementOwnership -description: This rule assesses whether a [Policy] has the expected [p1:SecurityIncident.Team] set correctly. +description: This rule assesses whether a [Resource] that has the property [SecurityIncident] set to Java, also has the property [p1:Team] correctly configured. implementationGuidelines: AMOE: question: "Which team is in charge of handling security incidents?"