awoooi/docs/security/external-host-intrusion-prevention-control.snapshot.json
Your Name 5820ca90cc
feat(iwooos): 新增外部入侵主機防堵控制
2026-06-18 10:24:33 +08:00

3520 lines
114 KiB
JSON
{
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"control_candidates": [
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:public_gateway_freeze_diff",
"control_tier": "C0",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "公開入口 / Nginx 變更 freeze 與 source-to-live diff",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "public_ingress_gateway",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": true,
"requires_config_diff_refs": true,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": false,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": false,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "public-gateway",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:ssh_sudo_access_lockdown",
"control_tier": "C0",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "SSH / sudo / authorized_keys / known_hosts 存取收斂",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "ssh_sudo_access",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": true,
"requires_config_diff_refs": true,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": true,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": true,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "ssh-sudo-access",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:firewall_port_baseline_guard",
"control_tier": "C0",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "端口 / 防火牆 / WireGuard / NodePort baseline",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "firewall_network_policy",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": true,
"requires_config_diff_refs": true,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": true,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": true,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "firewall-port-baseline",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:host_service_persistence_baseline",
"control_tier": "C0",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "Docker / systemd / process / persistence baseline",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "host_runtime_services",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": true,
"requires_config_diff_refs": true,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": true,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": true,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "host-service-persistence",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:k8s_argocd_drift_containment",
"control_tier": "C0",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "K8s / ArgoCD drift、RBAC 與 Secret metadata containment",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "k8s_gitops_runtime",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": true,
"requires_config_diff_refs": true,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": false,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": false,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "k8s-argocd-drift",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:runner_workflow_secret_freeze",
"control_tier": "C0",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "Runner / workflow / deploy key / secret freeze",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "runner_workflow_supply_chain",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": true,
"requires_config_diff_refs": true,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": true,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": true,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "runner-workflow-secret-freeze",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:credential_exposure_rotation_gate",
"control_tier": "C0",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "疑似 credential exposure 的輪替決策 gate",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "secret_credential_exposure",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": true,
"requires_config_diff_refs": true,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": true,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": true,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "credential-exposure",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:wazuh_event_triage_gate",
"control_tier": "C0",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "Wazuh event triage 與事件分流 gate",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "wazuh_detection_response",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": true,
"requires_config_diff_refs": false,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": false,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": true,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "wazuh-event-triage",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:wazuh_active_response_dry_run",
"control_tier": "C0",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "Wazuh active response dry-run / blast radius / rollback",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "wazuh_detection_response",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": true,
"requires_config_diff_refs": false,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": true,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": true,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "wazuh-active-response-dry-run",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:backup_restore_recovery_gate",
"control_tier": "C0",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "Backup / restore / rollback 可用性防堵 gate",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "backup_restore_resilience",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": true,
"requires_config_diff_refs": false,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": false,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": false,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "backup-restore-recovery",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:package_patch_window",
"control_tier": "C1",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "套件更新 / CVE 修補維護窗口候選",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "package_patch_vulnerability",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": false,
"requires_config_diff_refs": false,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": false,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": false,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "package-patch-window",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:public_runtime_auth_route_guard",
"control_tier": "C1",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "公開 / 後台 / API runtime auth 與 route guard",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "public_ingress_gateway",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": false,
"requires_config_diff_refs": true,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": false,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": false,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "public-runtime-auth-route",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:monitoring_no_false_green_gate",
"control_tier": "C1",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "監控 / 告警 / route 200 no-false-green gate",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "monitoring_alerting_false_green",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": false,
"requires_config_diff_refs": false,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": false,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": false,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "monitoring-no-false-green",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"ssh_read",
"ssh_write",
"sudo_action",
"host_file_read",
"host_file_write",
"host_live_config_read",
"iptables_change",
"ufw_change",
"firewall_drop",
"firewall_allow",
"port_close",
"port_open",
"wireguard_change",
"nodeport_change",
"network_policy_apply",
"nginx_test",
"nginx_reload",
"nginx_conf_write",
"certbot_renew",
"dns_record_change",
"route_change",
"upstream_change",
"websocket_route_change",
"docker_restart",
"docker_kill",
"docker_compose_up",
"docker_compose_down",
"systemctl_restart",
"systemctl_stop",
"systemctl_start",
"kill_process",
"quarantine_host",
"reboot_host",
"apt_update",
"apt_upgrade",
"package_install",
"kernel_upgrade",
"wazuh_active_response_enable",
"wazuh_agent_install",
"wazuh_agent_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"wazuh_api_live_query_without_owner_gate",
"argocd_sync",
"kubectl_apply",
"kubectl_delete",
"helm_upgrade",
"rbac_change",
"k8s_secret_change",
"workflow_modification",
"gitea_action_dispatch",
"runner_label_change",
"runner_config_change",
"deploy_key_change",
"webhook_change",
"repo_secret_change",
"secret_rotation",
"secret_store_read",
"collect_password",
"collect_private_key",
"collect_runner_token",
"collect_webhook_secret",
"collect_cookie_or_session",
"collect_env_dump",
"store_raw_wazuh_payload",
"store_raw_syslog",
"store_raw_journal",
"store_raw_command_output",
"store_unredacted_screenshot",
"active_scan",
"credentialed_scan",
"exploit_validation",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"retention_change",
"database_migration",
"production_write",
"add_action_button",
"open_runtime_gate",
"force_push"
],
"config_diff_refs": [],
"control_id": "external_host_prevention:cross_project_break_glass_sync",
"control_tier": "C1",
"cross_project_sync_ref": null,
"followup_owner": "pending_owner_response",
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"host_forensic_refs": [],
"label": "跨專案 freeze、break-glass 與 operator sync",
"maintenance_window": "pending_owner_response",
"not_authorization": true,
"outcome_lanes": [
"waiting_owner_prevention_packet",
"request_wazuh_event_supplement",
"request_host_forensics_supplement",
"request_config_diff_supplement",
"request_maintenance_window",
"request_break_glass_record",
"quarantine_secret_or_raw_payload",
"reject_claim_without_evidence",
"route_to_high_value_config_gate",
"ready_for_prevention_reviewer_review",
"waiting_runtime_authorization",
"blocked_no_rollback_or_postcheck"
],
"owner_role": "pending_owner_response",
"owner_team": "pending_owner_response",
"postcheck_ref": null,
"prevention_domain": "cross_project_freeze_sync",
"priority": "P0",
"redacted_evidence_refs": [],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"requires_break_glass_record": false,
"requires_config_diff_refs": false,
"requires_cross_project_sync": true,
"requires_host_forensics_refs": false,
"requires_maintenance_window": true,
"requires_owner_approval": true,
"requires_rollback_plan": true,
"requires_validation_plan": true,
"requires_wazuh_event_refs": false,
"reviewer_checks": [
"scope_alias_only",
"owner_role_and_team_present",
"decision_and_reason_present",
"wazuh_event_refs_required_for_intrusion",
"host_forensic_refs_required",
"gateway_diff_required",
"firewall_before_after_required",
"ssh_sudo_scope_required",
"runner_workflow_diff_required",
"secret_values_absent",
"raw_payload_absent",
"maintenance_window_required",
"rollback_owner_required",
"validation_metrics_required",
"cross_project_sync_required",
"no_false_green",
"external_agent_claim_not_trusted",
"active_response_dry_run_first",
"firewall_change_break_glass_only",
"host_service_write_blocked",
"k8s_argocd_write_blocked",
"backup_restore_not_assumed",
"credential_rotation_requires_decision",
"package_upgrade_requires_window",
"public_frontend_no_internal_transcript",
"production_write_stays_zero",
"evidence_refs_redacted",
"parallel_session_conflict_checked",
"service_dependency_map_present",
"operator_notification_present",
"postcheck_independent",
"recurrence_guard_present",
"expiry_or_review_date_present",
"counts_transition_safe"
],
"reviewer_outcome": "waiting_prevention_reviewer_review",
"rollback_owner": "pending_owner_response",
"runtime_gate": false,
"scope_alias": "cross-project-break-glass-sync",
"sensor_aliases": [
"sensor-kali-112"
],
"status": "waiting_owner_prevention_packet",
"validation_metric_refs": [],
"wazuh_event_refs": []
}
],
"execution_boundaries": {
"action_buttons_allowed": false,
"active_scan_authorized": false,
"argocd_sync_authorized": false,
"backup_run_authorized": false,
"certbot_renew_authorized": false,
"dns_tls_change_authorized": false,
"docker_restart_authorized": false,
"firewall_change_authorized": false,
"frontend_internal_transcript_display_allowed": false,
"host_isolation_authorized": false,
"host_live_config_read_authorized": false,
"host_read_authorized": false,
"host_write_authorized": false,
"kubectl_action_authorized": false,
"nginx_reload_authorized": false,
"nginx_test_authorized": false,
"not_authorization": true,
"package_upgrade_authorized": false,
"port_close_authorized": false,
"port_open_authorized": false,
"process_kill_authorized": false,
"production_write_authorized": false,
"raw_payload_storage_allowed": false,
"reboot_authorized": false,
"repo_secret_change_authorized": false,
"restore_run_authorized": false,
"runner_change_authorized": false,
"runtime_execution_authorized": false,
"secret_rotation_authorized": false,
"secret_value_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"sudo_action_authorized": false,
"systemctl_restart_authorized": false,
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false,
"wazuh_rule_change_authorized": false,
"workflow_modification_authorized": false
},
"generated_at": "2026-06-18T15:30:00+08:00",
"git_commit": "efde1097",
"mode": "control_matrix_only_no_host_write_no_firewall_change_no_active_response",
"operator_interpretation": [
"這份矩陣把外部入侵防堵前移成 P0 控制候選,但不是 host write 或 firewall change 授權。",
"IwoooS 先拒收假綠燈：route 200、dashboard up、CD success、UI 可見、agent active 或外部 Agent 宣稱都不能單獨當成已防堵。",
"真正能進 runtime 的防堵需 owner role / team、decision reason、維護窗口、rollback owner、validation metrics、postcheck 與跨專案同步。",
"前台只能顯示 alias、候選數、缺口與 0/false 邊界,不顯示內網 IP、帳號 namespace、raw log、secret 或工作視窗內容。"
],
"outcome_lanes": [
{
"lane_id": "waiting_owner_prevention_packet",
"meaning": "防堵候選已建立,等待 owner 補齊欄位與脫敏證據。"
},
{
"lane_id": "request_wazuh_event_supplement",
"meaning": "缺 Wazuh event / alert refs 時要求補件。"
},
{
"lane_id": "request_host_forensics_supplement",
"meaning": "缺主機鑑識 refs 時要求補件。"
},
{
"lane_id": "request_config_diff_supplement",
"meaning": "缺 Nginx、firewall、runner、workflow、K8s 或 secret metadata diff 時要求補件。"
},
{
"lane_id": "request_maintenance_window",
"meaning": "涉及服務中斷、重啟、封鎖、更新或 active response 時要求維護窗口。"
},
{
"lane_id": "request_break_glass_record",
"meaning": "即時封鎖或緊急變更需補 break-glass reason 與通知紀錄。"
},
{
"lane_id": "quarantine_secret_or_raw_payload",
"meaning": "收到 secret、raw log、raw payload、env dump 或未脫敏截圖時隔離。"
},
{
"lane_id": "reject_claim_without_evidence",
"meaning": "只有外部宣稱、route 200、dashboard up 或 agent active 時拒收。"
},
{
"lane_id": "route_to_high_value_config_gate",
"meaning": "涉及高價值配置時串到既有配置控管 gate。"
},
{
"lane_id": "ready_for_prevention_reviewer_review",
"meaning": "metadata 合格後進 reviewer review，不自動執行。"
},
{
"lane_id": "waiting_runtime_authorization",
"meaning": "即使 accepted，也需獨立批准才可進 runtime 防堵。"
},
{
"lane_id": "blocked_no_rollback_or_postcheck",
"meaning": "缺 rollback owner、validation 或 postcheck 時不得進下一關。"
}
],
"prevention_domains": [
{
"control_tier": "C0",
"domain_id": "public_ingress_gateway",
"immediate_risk": "未受控 reload、route drift、上游錯配或 TLS / ACME 變更會造成外部暴露或服務中斷。",
"label": "公開入口 / DNS / TLS / Nginx / public gateway"
},
{
"control_tier": "C0",
"domain_id": "ssh_sudo_access",
"immediate_risk": "未受控登入、sudo 權限、host key 漂移或跳板憑證會擴大入侵面。",
"label": "SSH / sudo / authorized_keys / known_hosts"
},
{
"control_tier": "C0",
"domain_id": "firewall_network_policy",
"immediate_risk": "端口開關、內網路由、NodePort 或 NetworkPolicy 漂移會直接改變可攻擊面。",
"label": "Firewall / WireGuard / NodePort / NetworkPolicy"
},
{
"control_tier": "C0",
"domain_id": "host_runtime_services",
"immediate_risk": "容器重啟、failed unit、未知 process、port binding 或 persistence 會影響服務與入侵駐留判讀。",
"label": "Docker / systemd / process / port binding"
},
{
"control_tier": "C0",
"domain_id": "k8s_gitops_runtime",
"immediate_risk": "GitOps drift、RBAC / Secret metadata、image pull 或 pending workload 可能隱藏惡意部署與供應鏈變更。",
"label": "K8s / ArgoCD / RBAC / Secret metadata"
},
{
"control_tier": "C0",
"domain_id": "runner_workflow_supply_chain",
"immediate_risk": "runner、workflow、deploy key 或 webhook 被改動會直接打開 production 寫入路徑。",
"label": "Gitea runner / workflow / deploy key / webhook"
},
{
"control_tier": "C0",
"domain_id": "secret_credential_exposure",
"immediate_risk": "secret、session、API token 或 env dump 外洩會讓修復失效並擴散到其他產品。",
"label": "Secret / session / API token / credential hygiene"
},
{
"control_tier": "C0",
"domain_id": "wazuh_detection_response",
"immediate_risk": "偵測與 response 邊界不清會造成假綠燈、誤隔離、漏封鎖或錯信外部宣稱。",
"label": "Wazuh manager / agent / rule / active response"
},
{
"control_tier": "C1",
"domain_id": "package_patch_vulnerability",
"immediate_risk": "未修補套件與服務版本過舊會保留可利用入口,但無維護窗口直接升級也會造成中斷。",
"label": "套件更新 / CVE / maintenance window"
},
{
"control_tier": "C1",
"domain_id": "backup_restore_resilience",
"immediate_risk": "沒有可驗證 restore 與 rollback，入侵後清除、重建與服務恢復都沒有可信退路。",
"label": "Backup / restore / offsite / escrow / rollback"
},
{
"control_tier": "C1",
"domain_id": "monitoring_alerting_false_green",
"immediate_risk": "route 200、dashboard up 或 alert quiet 若被當成資安通過,會掩蓋持久化與告警失效。",
"label": "Monitoring / alerting / no-false-green"
},
{
"control_tier": "C1",
"domain_id": "cross_project_freeze_sync",
"immediate_risk": "多 session 或多專案並行修改會造成重複修復、rebase 衝突、錯誤 reload 或未同步封鎖。",
"label": "跨專案 freeze / operator sync / break-glass"
}
],
"required_owner_fields": [
"control_id",
"owner_role",
"owner_team",
"decision",
"decision_reason",
"affected_scope_aliases",
"exposed_surface_aliases",
"current_risk",
"immediate_harm_if_delayed",
"redacted_evidence_refs",
"wazuh_event_refs",
"host_forensic_refs",
"config_diff_refs",
"before_state_ref",
"after_state_ref",
"maintenance_window",
"break_glass_reason",
"rollback_owner",
"rollback_plan_ref",
"validation_metrics",
"postcheck_owner",
"postcheck_ref",
"cross_project_sync_ref",
"communication_channel",
"secret_value_absence_attestation",
"raw_payload_absence_attestation",
"no_internal_name_publication_attestation",
"no_false_green_attestation",
"service_impact_assessment",
"ai_provider_impact_assessment",
"monitoring_alert_impact_assessment",
"backup_restore_impact_assessment",
"recurrence_guard_ref",
"followup_owner",
"expiry_or_review_date",
"reviewer_attestation"
],
"reviewer_checks": [
{
"check_id": "scope_alias_only",
"instruction": "只接受 host alias、service alias、product alias，不得公開內網 IP、帳號 namespace 或 repo owner 原名。"
},
{
"check_id": "owner_role_and_team_present",
"instruction": "每個防堵候選都需要 owner role / team，不能匿名批准。"
},
{
"check_id": "decision_and_reason_present",
"instruction": "需要明確 decision 與 decision reason，不得只寫批准或已處理。"
},
{
"check_id": "wazuh_event_refs_required_for_intrusion",
"instruction": "主機入侵、惡意程式或 RCE 類候選必須有 Wazuh event refs。"
},
{
"check_id": "host_forensic_refs_required",
"instruction": "需要 auth、process、network、FIM、package 或 persistence refs，服務恢復不能取代鑑識。"
},
{
"check_id": "gateway_diff_required",
"instruction": "公開入口、Nginx、TLS、route 或 upstream 變更需有 source-to-live diff refs。"
},
{
"check_id": "firewall_before_after_required",
"instruction": "端口、防火牆、WireGuard、NodePort 或 NetworkPolicy 需有 before / after state。"
},
{
"check_id": "ssh_sudo_scope_required",
"instruction": "SSH、sudo、deploy key 或 known_hosts 需標示範圍與回滾 owner。"
},
{
"check_id": "runner_workflow_diff_required",
"instruction": "runner、workflow、webhook 或 deploy key 需有 diff、run ref、permission scope 與 workspace cleanup。"
},
{
"check_id": "secret_values_absent",
"instruction": "不得收 secret value、hash、partial token、cookie、env dump、private key 或 runner token。"
},
{
"check_id": "raw_payload_absent",
"instruction": "不得保存 raw Wazuh payload、raw log、raw journal、完整命令輸出或未脫敏截圖。"
},
{
"check_id": "maintenance_window_required",
"instruction": "任何可能中斷服務的防堵都需要 maintenance window。"
},
{
"check_id": "rollback_owner_required",
"instruction": "任何 host、gateway、firewall、runner、K8s 或 secret 相關候選都需要 rollback owner。"
},
{
"check_id": "validation_metrics_required",
"instruction": "防堵後驗證需列 route、API、agent、alert、backup 或 service health 指標。"
},
{
"check_id": "cross_project_sync_required",
"instruction": "影響 AWOOOI、AwoooP、IwoooS、VibeWork、agent-bounty-protocol、stock 或監控需有同步 ref。"
},
{
"check_id": "no_false_green",
"instruction": "route 200、dashboard up、agent active、CD success、UI 可見都不能單獨當資安驗收。"
},
{
"check_id": "external_agent_claim_not_trusted",
"instruction": "外部 Agent 宣稱已封鎖、清除或 Zero-Trust 不能直接 accepted。"
},
{
"check_id": "active_response_dry_run_first",
"instruction": "Wazuh active response 必須先 dry-run、驗證 blast radius 與 rollback，不得直接 production enable。"
},
{
"check_id": "firewall_change_break_glass_only",
"instruction": "firewall drop、port close/open 需 break-glass 或 maintenance window，不得由候選自動執行。"
},
{
"check_id": "host_service_write_blocked",
"instruction": "不得由本 artifact 觸發 Docker、systemd、kill process、package upgrade 或 reboot。"
},
{
"check_id": "k8s_argocd_write_blocked",
"instruction": "不得由本 artifact 觸發 ArgoCD sync、kubectl、Helm、NetworkPolicy 或 RBAC apply。"
},
{
"check_id": "backup_restore_not_assumed",
"instruction": "備份存在、冷啟動分數或 UI 可見不能代表 restore / rollback 可用。"
},
{
"check_id": "credential_rotation_requires_decision",
"instruction": "credential rotation 需 owner decision、blast radius、dependent services 與 rollback plan。"
},
{
"check_id": "package_upgrade_requires_window",
"instruction": "套件更新、kernel、Docker、Nginx、Wazuh agent 或 Kali 更新需維護窗口與 postcheck。"
},
{
"check_id": "public_frontend_no_internal_transcript",
"instruction": "前台不得顯示工作視窗、內部對話、抱怨、raw namespace 或截圖原文。"
},
{
"check_id": "production_write_stays_zero",
"instruction": "防堵矩陣不是 production write 授權，runtime gate 與 action button 必須維持 0。"
},
{
"check_id": "evidence_refs_redacted",
"instruction": "只收脫敏 ref、ticket、artifact pointer，不得貼 raw secret 或 raw payload。"
},
{
"check_id": "parallel_session_conflict_checked",
"instruction": "需確認其他 session 是否正在操作同一主機、Nginx、runner、workflow 或 secret。"
},
{
"check_id": "service_dependency_map_present",
"instruction": "端口、gateway、host service 或 AI provider 變更需列服務依賴與受影響產品 alias。"
},
{
"check_id": "operator_notification_present",
"instruction": "即時危害或可能中斷的防堵需有 operator notification / receipt plan。"
},
{
"check_id": "postcheck_independent",
"instruction": "postcheck 必須由獨立於操作人的 reviewer 或 automation readback 驗證。"
},
{
"check_id": "recurrence_guard_present",
"instruction": "需補防再發 guard，例如 config drift、runner freeze、secret hygiene、Wazuh rule coverage 或 firewall diff guard。"
},
{
"check_id": "expiry_or_review_date_present",
"instruction": "臨時 freeze、break-glass 或例外需有到期或複審日期。"
},
{
"check_id": "counts_transition_safe",
"instruction": "received / accepted / authorized / executed / allowed 類計數只能由正式驗收推進。"
}
],
"schema_version": "external_host_intrusion_prevention_control_v1",
"source_context": {
"external_agent_claim_accepted_without_evidence": false,
"host_aliases": [
"host-110",
"host-188",
"dev-host-111",
"dev-host-168"
],
"raw_ip_or_account_namespace_published_to_frontend": false,
"runtime_prevention_enabled": false,
"sensor_aliases": [
"sensor-kali-112"
],
"work_session_transcript_published_to_frontend": false
},
"status": "external_host_intrusion_prevention_control_ready_no_runtime_action",
"summary": {
"action_button_count": 0,
"active_scan_authorized_count": 0,
"argocd_sync_authorized_count": 0,
"backup_restore_required_candidate_count": 1,
"blocked_action_count": 82,
"break_glass_required_candidate_count": 10,
"c0_control_candidate_count": 10,
"c1_control_candidate_count": 4,
"config_diff_required_candidate_count": 8,
"containment_decision_accepted_count": 0,
"control_candidate_count": 14,
"coverage_percent_after_prevention_control": 74,
"cross_project_sync_required_candidate_count": 14,
"docker_compose_systemd_host_config_coverage_percent_after_prevention_control": 68,
"docker_restart_authorized_count": 0,
"evidence_ref_accepted_count": 0,
"evidence_ref_received_count": 0,
"firewall_change_authorized_count": 0,
"host_alias_count": 4,
"host_forensics_required_candidate_count": 6,
"host_write_authorized_count": 0,
"maintenance_window_accepted_count": 0,
"maintenance_window_required_candidate_count": 14,
"monitoring_alerting_observability_coverage_percent_after_prevention_control": 74,
"nginx_reload_authorized_count": 0,
"no_false_green_required_candidate_count": 14,
"outcome_lane_count": 12,
"owner_approval_required_candidate_count": 14,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"p0_control_candidate_count": 14,
"package_upgrade_authorized_count": 0,
"postcheck_accepted_count": 0,
"prevention_control_accepted_count": 0,
"prevention_domain_count": 12,
"production_write_authorized_count": 0,
"repo_secret_change_authorized_count": 0,
"required_owner_field_count": 36,
"reviewer_check_count": 34,
"rollback_plan_accepted_count": 0,
"rollback_required_candidate_count": 14,
"runner_change_authorized_count": 0,
"runtime_gate_count": 0,
"secret_value_collection_allowed_count": 0,
"sensor_alias_count": 1,
"ssh_firewall_network_access_coverage_percent_after_prevention_control": 70,
"ssh_write_authorized_count": 0,
"systemctl_restart_authorized_count": 0,
"urgent_prevention_candidate_count": 14,
"validation_required_candidate_count": 14,
"wazuh_active_response_enabled_count": 0,
"wazuh_event_required_candidate_count": 7,
"workflow_modification_authorized_count": 0
}
}