Subject: Re: [EXT] Re: [cti-stix] Event proposal updated
I think there is a very distinct difference, semantically, between recording a COA that was taken and its outcome, and a suggestion for taking a COA to resolve an incident.
I think we need to be super careful about just assuming that STIX is and will only be an exchange format. There will probably be a lot of small start-ups that will use the STIX data model as their data model.
With this said, if you believe that the STIX Event is for transport and exchange of information, then it will be populated post event. Which means, even if other groups in the organization did stuff, all of that information could be recorded by a single entity.
Observed Data is another sticky point. Do you really want some third party adding observed data blobs to your incident? Do you really want confidence scores on it?
Bret