cti-stix message


Subject: Event proposal updated


Hey all,
We spent some time on an editors call and cleaned up the Event object to match what we believe is current consensus regarding fields, properties, etc. As a reminder, per Sarah’s earlier e-mail there are a few things scoped out of the current proposal:
  • Alerts (e.g., from a SIEM)
  • MISP-style or other external events
Allan and Rich Struse are both spending time on that latter item…Rich is putting together a proposal for a “Collection” SDO that would capture it, while Allan is trying to see what would need to change in the Event SDO to capture it. But for now, assume that it’s out of scope for Event until Allan has that ready. The “alert” use case may be something we tackle in a later release.
We do have some other open questions, and things to confirm:

  1. Are the relationships to Course of Action correct, in terms of embedded vs. referenced? Right now we have:
    1. Courses of action that are taken are contained in the activity type, meaning you can link to the COA by ID and describe the result. So, these are directly embedded.
    2. Courses of action that are suggested or could be relevant are an external relationship.
  2. We have three sets of properties that people have suggested we might want to exclude for Event in 2.1. Please review these and let us know whether they should be included or removed.
    1. coa_taken and collected_data (observed data)
    2. Financial impact
    3. Aliases
  3. There’s a list of “contacts”, such as who reported an event. Should those be links to Identity SDOs or, like Intel Note, should they just be strings? The thought here is that it might be a lot of identity SDOs if your responders are just usernames, for example.
  4. There were two sets of relationships that had a lot of semantic overlap and we had trouble writing up separate descriptions:
    1. Event had “exploits”, “targets”, and “impacts” relationships to Location and Identity. We consolidated that list to “targets”, but if people feel we need all three (or two of the three) they can be added back…the request though is that if you want them added back, you need to provide a good description for each one that lets us distinguish them.
    2. Course of action had “mitigates” and “contains” relationships to Event. We consolidated that list to “mitigates”, but have the same option to add it back IF people can describe how they’re different via text that we can put into the spec.
  5. Courses of action taken and collected data (observed data) were moved to the Activity type, so you could provide a date and description for that. For example, you might describe that the observed data was collected from a specific host.
  6. All vocabularies need to be confirmed. They should be much cleaner and tighter than before though.
Current text is here: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.5ol9xlbbnrdn
Feedback can be provided over e-mail, Slack, or on the working call. Speaking of that, we’ll be talking about this, including the work Allan and Rich are doing, on the Tuesday call. Please try to attend if possible.
Thanks,

John
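As an added illustration of the embedded-vs-referenced distinction in open question 1 (not part of the original message or of any STIX draft text): a COA that was taken sits inside an Event activity and is resolved by ID, while a COA that merely mitigates the Event is linked by an external relationship. The property names `activities`, `coa_taken_ref` and `result` are assumptions about the draft, and every ID is a constructed placeholder.

```python
from typing import Dict, List, Tuple

# Constructed sample bundle in the shape the draft describes. Property names
# "activities", "coa_taken_ref" and "result" are assumptions about the draft,
# and every id is a constructed placeholder, not a real STIX object.
COA_TAKEN = "course-of-action--0fbcd11f-0000-4000-8000-000000000001"
COA_SUGGESTED = "course-of-action--0fbcd11f-0000-4000-8000-000000000002"
EVENT = "event--0fbcd11f-0000-4000-8000-000000000003"
BUNDLE: List[dict] = [
    {"type": "course-of-action", "id": COA_TAKEN, "name": "Reimage affected host"},
    {"type": "course-of-action", "id": COA_SUGGESTED, "name": "Rotate service credentials"},
    {"type": "event", "id": EVENT, "name": "Web server compromise",
     # embedded: the COA that was actually taken, with date and result
     "activities": [{"date": "2018-03-01T10:00:00Z",
                     "description": "Host reimaged after containment",
                     "coa_taken_ref": COA_TAKEN, "result": "successful"}]},
    # referenced: a COA that merely mitigates the event, linked by an SRO
    {"type": "relationship", "id": "relationship--0fbcd11f-0000-4000-8000-000000000004",
     "relationship_type": "mitigates", "source_ref": COA_SUGGESTED, "target_ref": EVENT},
]

def index_by_id(bundle: List[dict]) -> Dict[str, dict]:
    return {obj["id"]: obj for obj in bundle}

def coas_taken(event: dict, objs: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Embedded COAs: walk the event's activities and resolve coa_taken_ref by id."""
    out = []
    for act in event.get("activities", []):
        ref = act.get("coa_taken_ref")
        if ref:
            out.append((objs[ref]["name"], act["date"], act.get("result", "unknown")))
    return out

def coas_suggested(event_id: str, bundle: List[dict], objs: Dict[str, dict]) -> List[str]:
    """Referenced COAs: 'mitigates' relationships whose target is this event."""
    return [objs[sro["source_ref"]]["name"] for sro in bundle
            if sro["type"] == "relationship" and sro["relationship_type"] == "mitigates"
            and sro["target_ref"] == event_id]

def dangling_refs(bundle: List[dict]) -> List[str]:
    """Both link styles must resolve inside the bundle; report any that do not."""
    objs = index_by_id(bundle)
    refs: List[str] = []
    for obj in bundle:
        refs += [a.get("coa_taken_ref") for a in obj.get("activities", [])]
        refs += [obj.get("source_ref"), obj.get("target_ref")]
    return [r for r in refs if r and r not in objs]

if __name__ == "__main__":
    objs = index_by_id(BUNDLE)
    print(coas_taken(objs[EVENT], objs), coas_suggested(EVENT, BUNDLE, objs), dangling_refs(BUNDLE))
```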