Re: [cti-stix] [+1]'s

[Paul Patrick <ppatrick@isightpartners.com>]

I agree with Jerome



On 11/10/15, 10:02 AM, "cti-stix@lists.oasis-open.org on behalf of Jerome Athias" <cti-stix@lists.oasis-open.org on behalf of athiasjerome@gmail.com> wrote:

>I would like, if possible, to avoid renaming Incident to
>Investigation, or creating a new construct for Investigation,
>especially if a simple IncidentStatus enumeration update can do the
>trick.
>Many reasons for that, from "it is about Incident Management", through
>compatibility (e.g. IODEF), to others...
>
>2015-11-10 17:50 GMT+03:00 Jordan, Bret <bret.jordan@bluecoat.com>:
>>
>> For the +1, I believe it is a "Sighting".  For the other, I am not sure what
>> it is.  You are making an Assertion about someone else's Assertion.
>>
>> Yes, lets rename "incident" to "investigation" and have some sort of current
>> status field.
>>
>> Thanks,
>>
>> Bret
>>
>>
>>
>> Bret Jordan CISSP
>> Director of Security Architecture and Standards | Office of the CTO
>> Blue Coat Systems
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
>> not be unscrambled is an egg."
>>
>> On Nov 10, 2015, at 06:24, Wunder, John A. <jwunder@mitre.org> wrote:
>>
>> I like “sighting” and “confirmation”.
>>
>> While we’re naming things, I’ll also suggest renaming “Incident” to
>> “Investigation” and having some sort of field (status?) to denote whether
>> it’s a true “incident” (per the definition of whoever is creating the
>> construct, I guess)
>>
>> On Nov 10, 2015, at 6:32 AM, Jason Keirstead <Jason.Keirstead@CA.IBM.COM>
>> wrote:
>>
>> If we do create two constructs, I would humbly suggest that we try to come
>> up with a more distinct term for this, otherwise discussing "sighting" and
>> "citation" in conversation will result in endless confusion.
>>
>> Its already had enough for me to communicate the difference between an
>> indicator and an observable to people :)
>>
>> -
>> Jason Keirstead
>> Product Architect, Security Intelligence, IBM Security Systems
>> www.ibm.com/security | www.securityintelligence.com
>>
>> Without data, all you are is just another person with an opinion - Unknown
>>
>>
>> <graycol.gif>Trey Darley ---11/10/2015 10:18:30 AM---On 06.11.2015 22:58:44,
>> Terry MacDonald wrote: >
>>
>> From: Trey Darley <trey@soltra.com>
>> To: Terry MacDonald <terry@soltra.com>
>> Cc: Jason Keirstead/CanEast/IBM@IBMCA, "Barnum, Sean D."
>> <sbarnum@mitre.org>, "cti-stix@lists.oasis-open.org"
>> <cti-stix@lists.oasis-open.org>
>> Date: 11/10/2015 10:18 AM
>> Subject: Re: [cti-stix] [+1]'s
>> Sent by: <cti-stix@lists.oasis-open.org>
>>
>> ________________________________
>>
>>
>>
>> On 06.11.2015 22:58:44, Terry MacDonald wrote:
>>>
>>> 1. +1 = “I have seen this too” (A sighting)
>>>
>>
>> I would call this a *sighting*.
>>
>>>
>>> 2. +1 = “I agree with your assertion” (Agreement with an assertion
>>> made)
>>>
>>
>> I would call this a *citing*. (Perhaps "citation" to minimize
>> ambiguity.)
>>
>>
>> --
>> Cheers,
>> Trey
>> --
>> Trey Darley
>> Senior Security Engineer
>> 4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
>> Soltra | An FS-ISAC & DTCC Company
>> www.soltra.com
>> --
>> "In protocol design, perfection has been reached not when there is
>> nothing left to add, but when there is nothing left to take away."
>> --RFC 1925
>> [attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]
>>
>>
>>
>
>---------------------------------------------------------------------
>To unsubscribe from this mail list, you must leave the OASIS TC that 
>generates this mail.  Follow this link to all your TCs in OASIS at:
>https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
>