cti-stix message


Subject: Meeting minutes - STIX COA mini group call


Hi,

Thanks to the folks who could join the call today. Below are some notes I captured. Please feel free to chime in if I missed anything. Also, please point out if you were dialed in and I missed your attendance.

Participants

Jyoti Verma, Sam Zargar, Allan Thomson, Ben Sooter, Bret Jordan, Christian Hunt, Gary, Ivan Kirillov, John-Mark, John Wunder, Michael K, Sarah Kelley, Stefan Hagen, Jeff

 

Agenda:

1) How do we document manual / process based COAs

2) Should the STIX COA support multiple actions in the same object?

3) Should the STIX COA support time based sequencing?

4) Call out and define where the line is between COA and a future Playbook object

5) How should STIX COA work with and make use of automated actions like OpenC2?

 

Notes:

How do we document manual / process based COAs?

  1. There was consensus that the "description" field should be used for a high-level description of the manual/process-based COA; it should not be used to specify the type of the COA.
  2. A separate property could be used to call out the type of COA, followed by the actual COA block.

 

Should the STIX COA support multiple actions in the same object?

  1. A COA could support multiple actions with temporal sequencing but no conditional logic. For example:
    1. deny and log, in that sequence.

 

Call out and define where the line is between COA and a future Playbook object

  1. Playbook should be used in cases where there is a need for conditional logic. For example, given a suspicious email, determine if it is a phish; if so, carry out mitigation and remediation steps.
  2. An indicator could point to a sequence of COAs or a playbook.

 

Action Items:

  1. Share use cases and examples - Sarah, Gary, Jeff

 

Next Steps:

  1. Discuss use cases
  2. Should the STIX COA support time-based sequencing?
  3. How should STIX COA work with and make use of automated actions like OpenC2?
  4. Topics for F2F
  5. Define relationship types for COAs

 

Next meeting – Stay tuned.

 

Thanks,

Jyoti

Technical Leader
Office of the CTO, Security Business Group, Cisco Systems


