Subject: Re: [cti-stix] Re: Possible items for STIX 2.1
I’d really like to see the OpenC2 work in STIX 2.1 along with the incident.
Thanks,
Jyoti
From: <cti-stix@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Tuesday, November 8, 2016 at 12:31 PM
To: "Coderre, Robert" <rcoderre@verisign.com>, "Katz, Gary CTR DC3\DCCI" <Gary.Katz.ctr@dc3.mil>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Re: Possible items for STIX 2.1

Well, like Campaign, Threat Actor, and Intrusion Set, there probably will not be a lot. I could see Event having less fields than an Incident. Maybe Event is a sub-set of Incident. We would really need to see Gary's example first.
Bret

From: Coderre, Robert <rcoderre@verisign.com>
Sent: Tuesday, November 8, 2016 12:06:47 PM
To: Katz, Gary CTR DC3\DCCI; Bret Jordan (CS); cti-stix@lists.oasis-open.org
Subject: RE: Possible items for STIX 2.1

FWIW, I like the concept of Event. Makes much more sense from an external perspective. I'm curious though, from an object properties standpoint, what's the delta between the 2?
Rob

-----Original Message-----
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Katz, Gary CTR DC3\DCCI
Sent: Tuesday, November 08, 2016 12:01 PM
To: 'Bret Jordan (CS)'; cti-stix@lists.oasis-open.org
Subject: [cti-stix] RE: Possible items for STIX 2.1

Bret,

Sorry for not making the call today. I would like to propose replacing Incident with Event. Events allow us to capture non-incident information that is still valuable. For example, a threat actor standing up or breaking down infrastructure. It also doesn't have the same connotations as Incidents. Some CISOs may take issue with saying there was an Incident on their network, but an Event may be more palatable and make it easier for organizations to share. Organizations may also categorize an Incident differently. Some may count Reconnaissance activity as an Incident while others only call something an Incident when there was loss of control. Events though are more general and therefore easier to capture activity. We put together a version of the Event object based upon our own analysts' inputs. If it's an object that the CTI community wants to move forward on, let me know and I can share it out.

Thoughts?

-Gary

-----Original Message-----
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Bret Jordan (CS)
Sent: Tuesday, November 08, 2016 11:36 AM
To: cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] [cti-stix] Possible items for STIX 2.1

Infrastructure
Malware
Incident
Course of Action - OpenC2
Internationalization
Confidence (source confidence)
Comments
Location
    When the location information was looked up / assigned.
    Service used to look up the location
    Accuracy of the service or methodology
    Self Reported
Add organizational relationships
    Employees
    Threat Actor -> Threat Actor relationship
Intel Notes

Bret