OASIS Mailing List Archives

cti-stix message
Subject: STIX Suspicious Activity Grouping Object


I’m looking at modeling suspicious activity (an incident/event), which we had talked about putting into the Grouping object, and I’m running into some issues. While most information related to suspicious activity would be held through relationships, timestamps are important and would instead be held in the object itself.
Specifically, the following timestamps should be on each object:

- Date suspicious activity was discovered
- Date suspicious activity occurred
- Date suspicious activity was mitigated

In addition, other artifacts are useful, such as:

- Detection Method
- Type of Compromise
- Incident Outcome (i.e. successful compromise, blocked, etc.)

I believe most of the rest of the data could be modeled through relationships or is specific to my organization.

Interested in thoughts on whether people agree that this information would be useful to capture and suggestions on how to capture the data.

Thanks,

    -Gary
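As an added illustration (not part of Gary's message or of any STIX specification text), the Grouping below carries the three proposed timestamps as custom properties and checks them for internal consistency before the object is shared. The x_ property names, the sample identifiers and the choice to treat the mitigation date as optional for a still-open incident are assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed sample: a STIX 2.1 Grouping carrying the proposed suspicious-activity
# timestamps as custom ("x_"-prefixed) properties; the x_ names are hypothetical.
SUSPICIOUS_ACTIVITY = {
    "type": "grouping",
    "spec_version": "2.1",
    "id": "grouping--7f3b9e2a-1c4d-4b6e-9a8f-0123456789ab",
    "created": "2020-06-01T12:00:00.000Z",
    "modified": "2020-06-01T12:00:00.000Z",
    "context": "suspicious-activity",
    "object_refs": ["indicator--2d1e0f9c-8b7a-4654-b321-fedcba987654"],
    "x_activity_occurred": "2020-05-30T08:15:00.000Z",
    "x_activity_discovered": "2020-05-31T09:00:00.000Z",
    "x_activity_mitigated": "2020-06-01T11:30:00.000Z",
}

# STIX timestamps are RFC 3339 in UTC with a literal 'Z' and an optional fraction.
STIX_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
TIMELINE = ("x_activity_occurred", "x_activity_discovered", "x_activity_mitigated")

def parse_stix_timestamp(value):
    """Parse a STIX timestamp string into an aware UTC datetime."""
    match = STIX_TS.match(value) if isinstance(value, str) else None
    if not match:
        raise ValueError(f"not a STIX timestamp: {value!r}")
    base = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    frac = match.group(1)  # e.g. ".250" -> 250000 microseconds (padded/truncated to 6 digits)
    micros = int((frac[1:] + "000000")[:6]) if frac else 0
    return base.replace(tzinfo=timezone.utc, microsecond=micros)

def validate_activity_timeline(obj):
    """Return problems with the activity timestamps (empty list if consistent).
    occurred/discovered are required, mitigated is optional; order must be
    occurred <= discovered <= mitigated."""
    problems, times = [], {}
    for key in TIMELINE:
        if key not in obj:
            if key != "x_activity_mitigated":
                problems.append(f"missing {key}")
            continue
        try:
            times[key] = parse_stix_timestamp(obj[key])
        except ValueError as exc:
            problems.append(str(exc))
    occurred, discovered, mitigated = (times.get(k) for k in TIMELINE)
    if occurred and discovered and discovered < occurred:
        problems.append("discovered before occurred")
    if discovered and mitigated and mitigated < discovered:
        problems.append("mitigated before discovered")
    return problems
```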
