Subject: Re: [cti-stix] [+1]'s
I would like, if possible, to avoid renaming Incident to Investigation, or creating a new construct for Investigation, especially if a simple IncidentStatus enumeration update can do the trick. Many reasons for that, from "it is about Incident Management", through compatibility (e.g. IODEF), to others...

2015-11-10 17:50 GMT+03:00 Jordan, Bret <bret.jordan@bluecoat.com>:
> For the +1, I believe it is a "Sighting". For the other, I am not sure what
> it is. You are making an Assertion about someone else's Assertion.
>
> Yes, let's rename "incident" to "investigation" and have some sort of current
> status field.
>
> Thanks,
>
> Bret
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
>
> On Nov 10, 2015, at 06:24, Wunder, John A. <jwunder@mitre.org> wrote:
>
> I like “sighting” and “confirmation”.
>
> While we’re naming things, I’ll also suggest renaming “Incident” to
> “Investigation” and having some sort of field (status?) to denote whether
> it’s a true “incident” (per the definition of whoever is creating the
> construct, I guess)
>
> On Nov 10, 2015, at 6:32 AM, Jason Keirstead <Jason.Keirstead@CA.IBM.COM>
> wrote:
>
> If we do create two constructs, I would humbly suggest that we try to come
> up with a more distinct term for this, otherwise discussing "sighting" and
> "citation" in conversation will result in endless confusion.
>
> It's already hard enough for me to communicate the difference between an
> indicator and an observable to people :)
>
> -
> Jason Keirstead
> Product Architect, Security Intelligence, IBM Security Systems
> www.ibm.com/security | www.securityintelligence.com
>
> Without data, all you are is just another person with an opinion - Unknown
>
> Trey Darley ---11/10/2015 10:18:30 AM---On 06.11.2015 22:58:44,
> Terry MacDonald wrote:
>
> From: Trey Darley <trey@soltra.com>
> To: Terry MacDonald <terry@soltra.com>
> Cc: Jason Keirstead/CanEast/IBM@IBMCA, "Barnum, Sean D."
> <sbarnum@mitre.org>, "cti-stix@lists.oasis-open.org"
> <cti-stix@lists.oasis-open.org>
> Date: 11/10/2015 10:18 AM
> Subject: Re: [cti-stix] [+1]'s
> Sent by: <cti-stix@lists.oasis-open.org>
>
> ________________________________
>
> On 06.11.2015 22:58:44, Terry MacDonald wrote:
>>
>> 1. +1 = “I have seen this too” (A sighting)
>>
>
> I would call this a *sighting*.
>
>>
>> 2. +1 = “I agree with your assertion” (Agreement with an assertion
>> made)
>>
>
> I would call this a *citing*. (Perhaps "citation" to minimize
> ambiguity.)
>
> --
> Cheers,
> Trey
> --
> Trey Darley
> Senior Security Engineer
> 4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
> Soltra | An FS-ISAC & DTCC Company
> www.soltra.com
> --
> "In protocol design, perfection has been reached not when there is
> nothing left to add, but when there is nothing left to take away."
> --RFC 1925
> [attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]