mblanke/Goose-Core
1
0
Fork 0
mirror of https://github.com/mblanke/Goose-Core.git synced 2026-03-01 06:10:20 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
0fd429a5c85a39054dfd94bd0390dc2b92c83478
Goose-Core/contracts/FINDING_LIFECYCLE.md

902 B
Raw Blame History

Finding Lifecycle (Shared)

This defines how findings move across systems.

Lifecycle Stages

  1. Generated

    • Created by ThreatHunt analysis
    • Created by GooseStrike execution results

  2. Normalized

    • Must conform to shared Finding contract
    • Terminology and severity aligned

  3. Reviewed

    • Analyst inspects finding
    • Confidence assessed
    • Context added

  4. Escalated (Optional)

    • Finding becomes an Alert
    • Requires action or acknowledgment

  5. Consumed

    • Used by GooseStrike for planning
    • Used by analysts for reporting

Hard Rules

  • A Finding must exist before an Alert
  • Severity is immutable once escalated
  • All actions must trace back to a Finding
  • Findings are never deleted, only closed

Ownership

  • ThreatHunt owns analytical correctness
  • GooseStrike owns action traceability
  • goose-core owns structure and meaning
Reference in New Issue View Git Blame Copy Permalink