Subject: Re: [cti-cybox] RE: CybOX use in COA WG


Hey Alex,

I just added the missing objects from the list below as maybe entries for the green-field approach. I think for adding any Objects to this approach, we’d need some solid rationale as to why they should be included; e.g., “I need this Object to do X”. Not at all saying that the COA WG doesn’t have this rationale, but it’s likely something we need to discuss further. Probably good fodder for discussion during the next TC working session.

Thanks,
Ivan

From: <cti-cybox@lists.oasis-open.org> on behalf of Alexander Foley <alexander.foley@bankofamerica.com>
Date: Thursday, January 28, 2016 at 10:56 AM
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: [cti-cybox] RE: CybOX use in COA WG

Ivan / Trey,

I noticed that on the object selection page, some of the objects below are not listed for inclusion in CybOX 3.0… could we look back into keeping at least some of the ones below that the COA working group is attempting to standardize on?

https://github.com/CybOXProject/schemas/wiki/CybOX-3.0:-Object-Selection

Thanks,

Alex

 

From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Foley, Alexander - GIS
Sent: Thursday, January 21, 2016 3:35 PM
To: cti-cybox@lists.oasis-open.org
Subject: [cti-cybox] CybOX use in COA WG

For those of you who haven’t been exposed to the COA working group we discussed at the F2F, I thought everyone might like to know that they’re exploring the use of CybOX objects where possible as the triggers for a course of action. Right now, these are the objects they’ve identified as potentially useful:

- cybox:Network_Connection
- cybox:URI
- cybox:Device
- cybox:Process
- cybox:File
- cybox:User_Account
- cybox:User_Session
- cybox:Disk_Partition
- cybox:Windows_Service

Bolded items are rarely seen on the cti-stats page

Bolded red items have never been seen on the cti-stats page

These are the targets that they haven’t been able to locate objects for yet:

- Local system application (i.e. Block system application from executing)
- Suspicious internal user / endpoint (i.e. Interior blocking ACL or 802.1x block / revoke)
- Virtual machine (i.e. Stop a VM)

If anyone is interested in furthering links between our TC and the COA working group, please don’t hesitate to let me know.

Alex

This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.