[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Event SDO comments
Thanks Jyoti, this is helpful. I wonder if we can address some of these already:

2. Event sources...I believe we have a decent ability to capture this now:
   - You can use a relationship to show that an indicator/etc triggered an event
   - You can use the detection_mechanism field to indicate that it was reported
   - You can include raw observed_data
   - You can include related events
   - Given our scoping out of the SIEM alert use case for 2.1, I think some of this might also be external data. In that case, you could use external references.

3. You can capture the artifact list in the related observed_data (relationship name is currently “reported-on”, though that could change)

4. Assignee can be captured in the “contacts” property. We can’t capture priority, though there are so many different vocabs/mechanisms for that that I’m not sure we ever could in a standard way.

5. You can add a related COA that mitigated or could mitigate the event (two separate relationships), but not much else. This is a weakness, as Bret has pointed out, but we also don’t want to write ourselves into a corner given that COA stuff is still evolving so much. IMO it would be smart to scope that more advanced stuff out for now so we don’t break things for future releases, as we figure out what COA/Playbook/Action might look like.

I think the broader question we have to answer is whether we want to address all of these needs in our 2.1 event proposal, or if (as Sean has suggested, and I agree with) we focus on the threat intel use case for events and acknowledge that people do a lot of IR stuff internal to their SOC that we can’t represent.

John

From: <cti-stix@lists.oasis-open.org> on behalf of "Jyoti Verma (jyoverma)" <jyoverma@cisco.com>

I went through the evolving Event SDO here and I have a few comments that I thought I should summarize.

I believe that an event is very closely tied to a playbook/COAs and there should be a placeholder to capture the COAs performed in the context of an event. This could either be captured as relationships or activities or both.

My 2 cents,
Jyoti