Subject: STIX Suspicious Activity Grouping Object
I’m looking at modeling suspicious activity (an incident/event), which we had talked about putting into the Grouping object, and I’m running into some issues. While most information related to suspicious activity would be held through relationships, timestamps are important and would instead be held in the object itself. Specifically, the following timestamps should be on each object:

- Date suspicious activity was discovered
- Date suspicious activity occurred
- Date suspicious activity was mitigated

In addition, other artifacts are useful, such as:

- Detection Method
- Type of Compromise
- Incident Outcome (i.e. successful compromise, blocked, etc.)

I believe most of the rest of the data could be modeled through relationships or is specific to my organization. Interested in thoughts on whether people agree that this information would be useful to capture and suggestions on how to capture the data.

Thanks,
-Gary
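The following is an added example, not part of Gary's message and not code from any STIX project. It shows one way to carry the three timestamps and the three descriptive fields on a STIX 2.1 Grouping whose context is "suspicious-activity" (a value in the spec's grouping-context open vocabulary), with everything else expressed through object_refs, and it checks that the timestamps are well-formed UTC values that occur in a sensible order (occurred before discovered before mitigated). The "x_example_*" property names follow the spec's "x_" convention for custom properties but are otherwise invented here, as are the sample identifier and dates.

```python
"""Added example (not from the list post or the STIX specification): a STIX 2.1
Grouping for suspicious activity plus a consistency check on its timestamps.
Assumed: custom properties use the spec's "x_" prefix; the "x_example_*"
names, the sample indicator id and the sample dates are constructed here."""
import json
import re
import uuid
from datetime import datetime, timezone

# RFC 3339 UTC timestamp as used by STIX: optional fractional seconds, trailing Z.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,6}))?Z$")
# STIX 2.1 custom property names: a-z, 0-9 and underscore, 3-250 chars, "x_" prefix.
CUSTOM_RE = re.compile(r"^x_[a-z0-9_]{1,248}$")
ID_RE = re.compile(r"^grouping--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
REQUIRED = ("type", "spec_version", "id", "created", "modified", "context", "object_refs")
# Common/optional STIX properties that are not custom; anything else must match CUSTOM_RE.
KNOWN = set(REQUIRED) | {"name", "description", "created_by_ref", "revoked", "labels",
                         "confidence", "lang", "external_references",
                         "object_marking_refs", "granular_markings", "extensions"}
# The three timestamps from the post, in the order they must occur in time.
TIMELINE = ("x_example_occurred", "x_example_discovered", "x_example_mitigated")


def to_stix_ts(dt: datetime) -> str:
    """Serialise a UTC datetime in STIX form (RFC 3339, 'Z', millisecond precision)."""
    if dt.tzinfo is None or dt.utcoffset().total_seconds() != 0:
        raise ValueError("STIX timestamps must be UTC")
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def parse_stix_ts(value: str) -> datetime:
    """Parse a STIX timestamp; raise ValueError for anything that is not RFC 3339 UTC."""
    m = TS_RE.match(value)
    if not m:
        raise ValueError(f"not a STIX timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0").ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def build_grouping(name, object_refs, occurred, discovered, mitigated=None,
                   detection_method=None, compromise_type=None, outcome=None, now=None):
    """Build the Grouping dict. Related SDOs (indicators, attack patterns, ...) are
    referenced through object_refs; only what must live on the object itself
    becomes a custom property."""
    now = now or datetime.now(timezone.utc)
    obj = {
        "type": "grouping",
        "spec_version": "2.1",
        "id": f"grouping--{uuid.uuid4()}",
        "created": to_stix_ts(now),
        "modified": to_stix_ts(now),
        "name": name,
        "context": "suspicious-activity",
        "object_refs": list(object_refs),
        "x_example_occurred": to_stix_ts(occurred),
        "x_example_discovered": to_stix_ts(discovered),
    }
    if mitigated is not None:  # an open incident has no mitigation time yet
        obj["x_example_mitigated"] = to_stix_ts(mitigated)
    for key, val in (("x_example_detection_method", detection_method),
                     ("x_example_compromise_type", compromise_type),
                     ("x_example_outcome", outcome)):
        if val is not None:
            obj[key] = val
    return obj


def validate_grouping(obj: dict) -> list:
    """Return a list of problems; an empty list means the object is consistent."""
    problems = [f"missing required property {k}" for k in REQUIRED if k not in obj]
    if obj.get("type") != "grouping" or not ID_RE.match(obj.get("id", "")):
        problems.append("type/id do not describe a grouping")
    if not obj.get("object_refs"):
        problems.append("object_refs must list at least one related object")
    for key in obj:
        if key not in KNOWN and not CUSTOM_RE.match(key):
            problems.append(f"custom property {key!r} violates STIX naming rules")
    times = {}
    for key in ("created", "modified") + TIMELINE:
        if key in obj:
            try:
                times[key] = parse_stix_ts(obj[key])
            except ValueError as exc:
                problems.append(str(exc))
    present = [k for k in TIMELINE if k in times]  # mitigated may legitimately be absent
    for earlier, later in zip(present, present[1:]):
        if times[earlier] > times[later]:
            problems.append(f"{earlier} is after {later}")
    if "created" in times and "modified" in times and times["modified"] < times["created"]:
        problems.append("modified precedes created")
    return problems


def demo():
    """Constructed sample: activity on 3 March 2024, found 5 March, contained 6 March."""
    g = build_grouping(
        "Constructed sample: credential misuse on one host",
        object_refs=["indicator--11111111-1111-4111-8111-111111111111"],  # constructed id
        occurred=datetime(2024, 3, 3, 2, 15, tzinfo=timezone.utc),
        discovered=datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc),
        mitigated=datetime(2024, 3, 6, 17, 30, tzinfo=timezone.utc),
        detection_method="siem-correlation", compromise_type="credential-misuse",
        outcome="blocked", now=datetime(2024, 3, 7, tzinfo=timezone.utc))
    return g, validate_grouping(g)


if __name__ == "__main__":
    grouping, issues = demo()
    print(json.dumps(grouping, indent=2))
    print("issues:", issues)
```

Running the block prints the Grouping as STIX JSON and an empty issue list; feeding it an object whose discovery time precedes the occurrence time, or whose timestamps are not RFC 3339 UTC, produces a named problem instead, which is the kind of check a consumer would want before trusting the timeline on a shared incident object.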