mblanke/Goose-Core
1
0
Fork 0
mirror of https://github.com/mblanke/Goose-Core.git synced 2026-03-01 14:10:22 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
a22d523087b0624bd525f4a9d9398a62119ed91f
Goose-Core/governance/ALERT_POLICY.md
mblanke f7e08d9ffb Add shared alert policy document 
This document outlines the shared alert policy, including definitions, creation rules, severity rules, ownership, visual rules, and non-goals for alerts.
2025-12-24 13:18:53 -05:00

1.2 KiB
Raw Blame History

Shared Alert Policy

This document defines when and how Alerts exist across the platform.

Definitions

Finding: An analytical result produced by analysis or execution.

Alert: A Finding that requires attention, acknowledgment, or action.

Alert Creation Rules

  • An Alert must always be derived from a Finding
  • A Finding may exist without becoming an Alert
  • Alerts are explicit, not implied
  • Alerts must have a defined reason for escalation

Severity Rules

  • Severity is assigned at Finding creation
  • Severity may be escalated once during Alert creation
  • Severity may not be downgraded after escalation
  • Severity meaning is defined in goose-core

Alert Ownership

  • ThreatHunt may suggest Alerts
  • GooseStrike may act on Alerts
  • Analysts approve or acknowledge Alerts
  • goose-core defines structure and semantics

Visual Rules

  • Alerts have higher visual emphasis than Findings
  • Alerts may use animation for initial attention
  • Alerts must not use persistent or looping animation
  • Visual treatment must align with severity

Non-Goals

  • Alerts are not automated actions
  • Alerts do not bypass analyst review
  • Alerts are not notifications by default

Alerts represent intent to act, not action itself.

Reference in New Issue View Git Blame Copy Permalink