[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Event SDO comments
Thanks for the comments Terry. Please find my comments inline…

From: Terry MacDonald <terry.macdonald@cosive.com>

> Hi Jyoti,
>
> I think we need to delineate very strongly between actions we've performed (historical) and actions we could perform in the future (playbooks/COA).

[JV]: By historical do you mean actions that led to the detection of the event? If yes, then I agree those are different from playbook/COA that will be executed in the future.

> My reading of your comments is that the Event SDO will potentially conflate those two concepts.

[JV]: I am not advocating combining the concepts, rather linking them in some form.

> An Event as a concept should simply describe something that has happened that we need to investigate further. If we need to describe ObservedData related to that event, then we should use an external relationship to that ObservedData to allow third parties to also suggest ObservedData that may be the same event.

[JV]: Agreed

> If we need to actually record what we did, then we perhaps need an Action SDO that describes something we've done, and use external relationships to link those together (to allow multiple groups to also show what they did in response to that same event).

[JV]: We could use external relationships to link out to COAs, but we might need to capture the results of the COA in the event in order to update the state of the event. For example, a mitigate-block COA could be triggered during the life cycle of an event that applies to multiple IPs, but the “mitigated” event status would apply only when all IPs were successfully blocked. Otherwise, the event would stay “open” and contain a log of the activities performed.

> We could simply have a 'followed_by' relationship between those Action SDOs that would show the sequence in which those Actions were performed. Consumers can then walk the graph to figure out what the sequence of steps each org performed in response to that.

[JV]: That’s a good call out for capturing sequencing of actions. There are some other proposals we’ve been looking at in the COA mini group.

> If there is a possible Playbook/COA object that highlights a sequence of steps that affected organisations can perform to remedy the situation, then those should be related via an SRO with a relationship like mitigates, or mitigated-by. The COA too could use a set of related Action SDOs to show a sequence of actions (but that of course depends on what OpenC2 is doing).

[JV]: Agreed with a nuance. The COA could be independent of OpenC2.

Thanks,
Jyoti

> Cheers
>
> Terry MacDonald | Chief Product Officer
>
> On Thu, Aug 31, 2017 at 11:47 AM, Jyoti Verma (jyoverma) <jyoverma@cisco.com> wrote:
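As an added illustration of the two points discussed above (a consumer walking 'followed_by' edges to recover the order of Actions, and an Event only becoming “mitigated” once every IP was actually blocked), the following is editor-written example code, not code from this thread or from the STIX specification. The "event" and "action" object types, the "responds-to" relationship and the "blocked"/"affected" properties are hypothetical stand-ins for the proposals under discussion, and the bundle is constructed sample data.

```python
# Added example (not the thread's code). "event", "action", "responds-to",
# "affected" and "blocked" are hypothetical stand-ins for the proposals discussed.
# Constructed sample: one event over two IPs, three response actions in order.
BUNDLE = [
    {"type": "event", "id": "event--1",
     "affected": ["198.51.100.7", "198.51.100.9"]},
    {"type": "action", "id": "action--a", "blocked": ["198.51.100.7"]},
    {"type": "action", "id": "action--b", "blocked": []},  # block attempt failed
    {"type": "action", "id": "action--c", "blocked": ["198.51.100.9"]},  # retry
    {"type": "relationship", "relationship_type": "responds-to",
     "source_ref": "action--a", "target_ref": "event--1"},
    {"type": "relationship", "relationship_type": "responds-to",
     "source_ref": "action--b", "target_ref": "event--1"},
    {"type": "relationship", "relationship_type": "responds-to",
     "source_ref": "action--c", "target_ref": "event--1"},
    {"type": "relationship", "relationship_type": "followed_by",
     "source_ref": "action--a", "target_ref": "action--b"},
    {"type": "relationship", "relationship_type": "followed_by",
     "source_ref": "action--b", "target_ref": "action--c"},
]

def _rels(bundle, rel_type):
    return [o for o in bundle
            if o["type"] == "relationship" and o["relationship_type"] == rel_type]

def action_sequence(bundle, event_id):
    """Order the actions responding to an event by walking followed_by edges."""
    actions = {r["source_ref"] for r in _rels(bundle, "responds-to")
               if r["target_ref"] == event_id}
    nxt = {r["source_ref"]: r["target_ref"] for r in _rels(bundle, "followed_by")
           if r["source_ref"] in actions and r["target_ref"] in actions}
    heads = actions - set(nxt.values())  # actions that nothing points at
    if len(heads) != 1:
        raise ValueError(f"expected one chain head, got {sorted(heads)}")
    seq, cur = [], heads.pop()
    while cur is not None:
        if cur in seq:
            raise ValueError("followed_by cycle at " + cur)
        seq.append(cur)
        cur = nxt.get(cur)
    return seq

def event_status(bundle, event_id):
    """'mitigated' only once every affected IP was blocked by some action."""
    objs = {o["id"]: o for o in bundle if "id" in o}
    blocked = set()
    for aid in action_sequence(bundle, event_id):
        blocked.update(objs[aid].get("blocked", []))
    return "mitigated" if set(objs[event_id]["affected"]) <= blocked else "open"
```

Dropping action--c from the bundle leaves 198.51.100.9 unblocked, so the same functions report the event as still "open".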