OpenC2 Language Description Document

Revision History

Revision    Date          Description
1.0 - RC    08/22/2016    Version 1.0 -- Release Candidate

TABLE OF CONTENTS

1. Introduction
    1.1 Purpose
    1.2 Scope
    1.3 Intended Audience
    1.4 Document Overview
2. Background
    2.1 Design Principles
    2.2 OpenC2 and Deployment Environments
3. OpenC2 Language
    3.1 Overview
    3.2 Abstract Syntax
        3.2.1 Action
        3.2.2 Target
        3.2.3 Actuator
        3.2.4 Specifiers
        3.2.5 Modifiers
    3.3 Actions
        3.3.1 Actions that Gather and Convey Information
        3.3.2 Actions that Control Permissions
        3.3.3 Actions that Control Activities/Devices
        3.3.4 Sensor-Related Actions
        3.3.5 Effects-Based Actions
        3.3.6 Response and Alert
    3.4 Target Vocabulary
    3.5 Actuator Vocabulary
    3.6 Modifier Vocabulary
4. Example OpenC2 Usage
    4.1 Actions that Gather and Convey Information
        4.1.1 SCAN
        4.1.2 LOCATE
        4.1.3 QUERY
        4.1.4 REPORT
        4.1.5 GET
        4.1.6 NOTIFY
    4.2 Actions that Control Permissions
        4.2.1 DENY
        4.2.2 CONTAIN
        4.2.3 ALLOW
    4.3 Actions that Control Activities/Devices
        4.3.1 START
        4.3.2 STOP
        4.3.3 RESTART
        4.3.4 PAUSE
        4.3.5 RESUME
        4.3.6 CANCEL
        4.3.7 SET
        4.3.8 UPDATE
        4.3.9 MOVE
        4.3.10 REDIRECT
        4.3.11 DELETE
        4.3.12 SNAPSHOT
        4.3.13 DETONATE
        4.3.14 RESTORE
        4.3.15 SAVE
        4.3.16 MODIFY
        4.3.17 THROTTLE
        4.3.18 DELAY
        4.3.19 SUBSTITUTE
        4.3.20 COPY
        4.3.21 SYNC
    4.4 Sensor-Related Actions
        4.4.1 DISTILL
        4.4.2 AUGMENT
    4.5 Effects-Based Actions
        4.5.1 INVESTIGATE
        4.5.2 MITIGATE
        4.5.3 REMEDIATE
    4.6 Response and Alert
        4.6.1 RESPONSE
        4.6.2 ALERT
5. Example OpenC2 Use Case: Mitigate Evil Domain
Appendix A. Example OpenC2 Commands