

Subject: Re: [cti-stix] RE: Possible items for STIX 2.1


(1)   [+1] on an Event construct.

(2)   [+1] on an Incident Construct that can support a linked set [List] of Relationships to Event Objects (in the STIX Document or Externally Referenced by Event ID).

 

 

From: <cti-stix@lists.oasis-open.org> on behalf of Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>
Organization: CIRCL - Computer Incident Response Center Luxembourg
Date: Wednesday, November 9, 2016 at 11:42 AM
To: <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] RE: Possible items for STIX 2.1

 

On 08/11/16 18:01, Katz, Gary CTR DC3\DCCI wrote:

Bret,

    Sorry for not making the call today.  I would like to propose replacing Incident with Event.  Events allow us to capture non-incident information that is still valuable.  For example, a threat actor standing up or breaking down infrastructure.  It also doesn't have the same connotations as Incidents.  Some CISOs may take issue with saying there was an Incident on their network, but an Event may be more palatable and make it easier for organizations to share.  Organizations may also categorize an Incident differently.  Some may count Reconnaissance activity as an Incident while others only call something an Incident when there was loss of control.  Events though are more general and therefore easier to capture activity.

 

Indeed.

 

Just an idea. Why not simplify the format around Event? To have a core format with the minimal STIX objects specified.

 

FYI, we recently made two I-Ds for documenting the format used in MISP:

 

 

We tried to keep the format as simple as possible and extension will be documented later.

 

Just some thoughts.

 

Cheers.

 

--

Alexandre Dulaunoy

CIRCL - Computer Incident Response Center Luxembourg

41, avenue de la gare L-1611 Luxembourg

info@circl.lu - www.circl.lu

 
