Subject: Re: [cti-stix] [+1]'s
I agree with Jerome

On 11/10/15, 10:02 AM, "cti-stix@lists.oasis-open.org on behalf of Jerome Athias" <cti-stix@lists.oasis-open.org on behalf of athiasjerome@gmail.com> wrote:

> I would like, if possible, to avoid renaming Incident to
> Investigation, or creating a new construct for Investigation,
> especially if a simple IncidentStatus enumeration update can do the
> trick.
> Many reasons for that, from "it is about Incident Management", through
> compatibility (e.g. IODEF), to others...
>
> 2015-11-10 17:50 GMT+03:00 Jordan, Bret <bret.jordan@bluecoat.com>:
>>
>> For the +1, I believe it is a "Sighting". For the other, I am not sure what
>> it is. You are making an Assertion about someone else's Assertion.
>>
>> Yes, let's rename "incident" to "investigation" and have some sort of current
>> status field.
>>
>> Thanks,
>>
>> Bret
>>
>> Bret Jordan CISSP
>> Director of Security Architecture and Standards | Office of the CTO
>> Blue Coat Systems
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
>> not be unscrambled is an egg."
>>
>> On Nov 10, 2015, at 06:24, Wunder, John A. <jwunder@mitre.org> wrote:
>>
>> I like “sighting” and “confirmation”.
>>
>> While we’re naming things, I’ll also suggest renaming “Incident” to
>> “Investigation” and having some sort of field (status?) to denote whether
>> it’s a true “incident” (per the definition of whoever is creating the
>> construct, I guess)
>>
>> On Nov 10, 2015, at 6:32 AM, Jason Keirstead <Jason.Keirstead@CA.IBM.COM>
>> wrote:
>>
>> If we do create two constructs, I would humbly suggest that we try to come
>> up with a more distinct term for this, otherwise discussing "sighting" and
>> "citation" in conversation will result in endless confusion.
>>
>> It's already hard enough for me to communicate the difference between an
>> indicator and an observable to people :)
>>
>> -
>> Jason Keirstead
>> Product Architect, Security Intelligence, IBM Security Systems
>> www.ibm.com/security | www.securityintelligence.com
>>
>> Without data, all you are is just another person with an opinion - Unknown
>>
>> Trey Darley ---11/10/2015 10:18:30 AM---On 06.11.2015 22:58:44,
>> Terry MacDonald wrote: >
>>
>> From: Trey Darley <trey@soltra.com>
>> To: Terry MacDonald <terry@soltra.com>
>> Cc: Jason Keirstead/CanEast/IBM@IBMCA, "Barnum, Sean D."
>> <sbarnum@mitre.org>, "cti-stix@lists.oasis-open.org"
>> <cti-stix@lists.oasis-open.org>
>> Date: 11/10/2015 10:18 AM
>> Subject: Re: [cti-stix] [+1]'s
>> Sent by: <cti-stix@lists.oasis-open.org>
>>
>> ________________________________
>>
>> On 06.11.2015 22:58:44, Terry MacDonald wrote:
>>>
>>> 1. +1 = “I have seen this too” (A sighting)
>>>
>>
>> I would call this a *sighting*.
>>
>>>
>>> 2. +1 = “I agree with your assertion” (Agreement with an assertion
>>> made)
>>>
>>
>> I would call this a *citing*. (Perhaps "citation" to minimize
>> ambiguity.)
>>
>> --
>> Cheers,
>> Trey
>> --
>> Trey Darley
>> Senior Security Engineer
>> 4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
>> Soltra | An FS-ISAC & DTCC Company
>> www.soltra.com
>> --
>> "In protocol design, perfection has been reached not when there is
>> nothing left to add, but when there is nothing left to take away."
>> --RFC 1925
>> [attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]