

Subject: Re: [cti-stix] Patterning for Course of Actions


I think that the need for "sequences" or "flows" of actions to be defined is very clear (A then B or C, then D only if B, etc.).

It is less clear to me if the observable patterning language is the best means to do that. There is a lot of "weight" in observable patterns that doesn't really apply to action sequences (you are really only interested in a tiny subset). And yet even so, there are other things you need that are actually missing from the pattern grammar (such as "in parallel with"). You can't define end-to-end workflows using our grammar; that's not really what it was designed for.

IMO the actual thing being sought here is an intermediary "playbook" object in between the Incident object and the individual CoA responses. The playbook defines the workflow of CoA and how they tie together.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
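The three conditions Jyoti enumerates further down the thread (B only after A succeeds, A in parallel with B, C after a delay once A and B have completed) and the intermediary "playbook" object suggested above, as an added Python example that is not from the thread or from the STIX/CybOX specifications. It assumes a hypothetical playbook JSON format with `after`, `requires_success`, `delay_seconds` and `duration_seconds` fields on each step, and uses placeholder CoA ids; the constructed sample playbook is embedded inline.

```python
import json

# Constructed example playbook. This JSON shape (steps with "after",
# "requires_success", "delay_seconds" and "duration_seconds") is hypothetical,
# not a STIX object, and the CoA ids are placeholders.
PLAYBOOK_JSON = """
{
  "name": "constructed-example-playbook",
  "steps": [
    {"id": "isolate-host",   "coa": "coa--PLACEHOLDER-1", "duration_seconds": 30},
    {"id": "block-c2",       "coa": "coa--PLACEHOLDER-2", "duration_seconds": 5},
    {"id": "capture-memory", "coa": "coa--PLACEHOLDER-3", "duration_seconds": 300,
     "requires_success": ["isolate-host"]},
    {"id": "rescan",         "coa": "coa--PLACEHOLDER-4", "duration_seconds": 120,
     "after": ["isolate-host", "block-c2"], "delay_seconds": 600}
  ]
}
"""


def load_playbook(text):
    """Parse the playbook and reject references to steps that do not exist."""
    steps = {s["id"]: s for s in json.loads(text)["steps"]}
    for s in steps.values():
        for dep in s.get("after", []) + s.get("requires_success", []):
            if dep not in steps:
                raise ValueError(f"step {s['id']!r} depends on unknown step {dep!r}")
    return steps


def predecessors(step):
    """Every step this one must wait for, whether or not success is required."""
    return set(step.get("after", [])) | set(step.get("requires_success", []))


def plan_waves(steps):
    """Group steps into waves: every step in a wave has all its predecessors in
    earlier waves, so the steps within one wave may run in parallel. A
    dependency cycle leaves steps that can never become ready and is reported."""
    scheduled, waves = set(), []
    while len(scheduled) < len(steps):
        ready = sorted(sid for sid, s in steps.items()
                       if sid not in scheduled and predecessors(s) <= scheduled)
        if not ready:
            raise ValueError("cycle in playbook dependencies")
        waves.append(ready)
        scheduled.update(ready)
    return waves


def simulate(steps, outcomes):
    """Dry-run the playbook. `outcomes` maps a step id to True/False for the
    CoA's result; steps not listed are assumed to succeed. Returns, per step,
    its status and its start/finish offsets in seconds from playbook start.
    A step whose `requires_success` predecessor did not succeed is skipped; a
    step that merely waits on ("after") a failed step still runs once that
    step finishes, but a skipped predecessor never finishes, so dependents of
    a skipped step are skipped too."""
    result = {}
    for wave in plan_waves(steps):
        for sid in wave:
            s = steps[sid]
            preds = predecessors(s)
            blocked = any(result[p]["status"] == "skipped" for p in preds)
            unmet = any(result[p]["status"] != "succeeded"
                        for p in s.get("requires_success", []))
            if blocked or unmet:
                result[sid] = {"status": "skipped", "start": None, "finish": None}
                continue
            ready_at = max((result[p]["finish"] for p in preds), default=0)
            start = ready_at + s.get("delay_seconds", 0)
            finish = start + s.get("duration_seconds", 0)
            ok = outcomes.get(sid, True)
            result[sid] = {"status": "succeeded" if ok else "failed",
                           "start": start, "finish": finish}
    return result


if __name__ == "__main__":
    steps = load_playbook(PLAYBOOK_JSON)
    print("parallel waves:", plan_waves(steps))
    for sid, r in simulate(steps, {"isolate-host": False}).items():
        print(f"{sid:15} {r['status']:10} start={r['start']}")
```

Running the dry run with `isolate-host` marked as failed shows the distinction the thread is after: `capture-memory` (which requires success) is skipped, while `rescan` (which only waits for completion) still starts 600 seconds after the later of its two predecessors finishes. The wave planner is the part an observable-pattern grammar has no counterpart for, since "in parallel with" is simply the absence of a dependency edge.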



From: Trey Darley <trey@kingfisherops.com>
To: "Jyoti Verma (jyoverma)" <jyoverma@cisco.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 10/19/2016 07:17 AM
Subject: Re: [cti-stix] Patterning for Course of Actions
Sent by: <cti-stix@lists.oasis-open.org>





On 14.10.2016 18:48:06, Jyoti Verma (jyoverma) wrote:
> I went through the latest Cybox patterning documentation and really
> like how it's come together. The concept of patterning can apply to
> other objects as well and I'd like to bring up this topic for
> discussion here.
>

Hey, Jyoti -

Observable Patterning is pretty key to tying everything together in
STIX 2.0. A _ton_ of work has gone into that document but so far it
seems like most of the TC has yet to review it. Knowing that you've
had eyes on it is motivating as we stretch towards the finish line.
Thanks for the positive feedback, Jyoti!

>
> I see a specific need for this in the case of Courses of actions
> where you might want to apply certain conditional logic on the
> execution of actions. This is best illustrated with the following
> examples:
>
>   1.  Action B should be executed after action A completes successfully
>   2.  Action A should be executed in parallel with action B
>   3.  Action C should be executed after a certain duration of A and B completing
>

Makes sense to me.

>
> Is the patterning model extensible to realize these conditions?
>

Actions (similar to the use cases as you enumerated above) were a
major component of CybOX 2.1. As a SC we deliberately scoped that out
for CybOX 3.0^W^WObservable Patterning but it's at the top of our
hitlist for the next release. As we iterate on COAs in STIX 2.x it's
only logical that we align the Observable Patterning language to
support that. Thanks for highlighting this need!

--
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4  5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"For all resources, whatever it is, you need more." --RFC 1925