Re: [cti-stix] [+1]'s

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

New
Under Investigation
Confirmed
Closed - False Positive
Closed - Resolved

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Jerome Athias ---11/10/2015 02:07:14 PM---That's a potential approach for Incident. Otherwise, what about "Under investigation" (for Opened) a

From: Jerome Athias <athiasjerome@gmail.com>
To: "Wunder, John A." <jwunder@mitre.org>
Cc: Jason Keirstead/CanEast/IBM@IBMCA, Trey Darley <trey@soltra.com>, Terry MacDonald <terry@soltra.com>, "Barnum, Sean D." <sbarnum@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 11/10/2015 02:07 PM
Subject: Re: [cti-stix] [+1]'s

---

That's a potential approach for Incident.
Otherwise, what about "Under investigation" (for Opened) and potentially "False positive" as potential IncidentStatus enumeration items?

On Tuesday, 10 November 2015, Wunder, John A. <jwunder@mitre.org> wrote:

I like “sighting” and “confirmation”.

While we’re naming things, I’ll also suggest renaming “Incident” to “Investigation” and having some sort of field (status?) to denote whether it’s a true “incident” (per the definition of whoever is creating the construct, I guess)

On Nov 10, 2015, at 6:32 AM, Jason Keirstead <Jason.Keirstead@CA.IBM.COM> wrote:


If we do create two constructs, I would humbly suggest that we try to come up with a more distinct term for this, otherwise discussing "sighting" and "citation" in conversation will result in endless confusion.

Its already had enough for me to communicate the difference between an indicator and an observable to people :)

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


<graycol.gif>Trey Darley ---11/10/2015 10:18:30 AM---On 06.11.2015 22:58:44, Terry MacDonald wrote: >

From: Trey Darley <trey@soltra.com>
To: Terry MacDonald <terry@soltra.com>
Cc: Jason Keirstead/CanEast/IBM@IBMCA, "Barnum, Sean D." <sbarnum@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 11/10/2015 10:18 AM
Subject: Re: [cti-stix] [+1]'s
Sent by: <cti-stix@lists.oasis-open.org>

---




On 06.11.2015 22:58:44, Terry MacDonald wrote:
>
> 1. +1 = “I have seen this too” (A sighting)
>

I would call this a *sighting*.

>
> 2. +1 = “I agree with your assertion” (Agreement with an assertion
> made)
>

I would call this a *citing*. (Perhaps "citation" to minimize
ambiguity.)


--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"In protocol design, perfection has been reached not when there is
nothing left to add, but when there is nothing left to take away."
--RFC 1925
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]