cti-stix message
Subject: Proposal: Addition of defined relationship from COA to Indicator
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: cti-stix@lists.oasis-open.org
- Date: Mon, 16 Jul 2018 10:13:20 -0300
Scenario: Let's say you want to have an indicator feed that you want to provide to a DNS server, in order to either deny or sinkhole those IP addresses and/or domains. As such, you want to provide Courses of Action that are linked to those indicators, to tell the DNS server what to do.

Currently, COA only has "mitigates" relationships to Attack Pattern, Malware, Tool, and Vulnerability.

As such, one is forced to either
(a) Create "dummy" empty Attack Pattern objects to create this relationship
(b) Make your own SRO for "mitigates" directly from COA to Indicator

In this use case, there is no attack pattern, or any of these objects. You simply want to be able to say "If you see X, do Y".

I would like to request / suggest that we add a defined relationship from COA to Indicator called "blocks", or "denies", "mitigates", or something to that effect so that this use case can be standardized, as it is extremely common.
-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security
"Things may come to those who wait, but only the things left by those
who hustle." - Unknown
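
The relationship proposed in the message above, as an added example that is not part of the original message or of the STIX specification: a bundle that links Course of Action objects to Indicators and a DNS-side consumer that resolves "if you see X, do Y". The relationship name "blocks" is one of the names the message suggests, not a defined STIX relationship; the ids, domain, IP address, helper names and the use of the COA `name` as the DNS action are assumptions.

```python
import re

TS = "2018-07-16T13:13:20.000Z"  # constructed timestamp

def sdo(kind, n, **props):
    """Minimal STIX 2.0-style object with a constructed, deterministic id."""
    return {"type": kind, "id": f"{kind}--00000000-0000-4000-8000-{n:012d}",
            "created": TS, "modified": TS, **props}

def rel(n, rel_type, src, dst):
    """Relationship object (SRO) pointing from src to dst."""
    return sdo("relationship", n, relationship_type=rel_type,
               source_ref=src["id"], target_ref=dst["id"])

# Constructed sample data: documentation-range domain and IP, made-up ids.
ind_dom = sdo("indicator", 1, labels=["malicious-activity"], valid_from=TS,
              pattern="[domain-name:value = 'bad.example']")
ind_ip = sdo("indicator", 2, labels=["malicious-activity"], valid_from=TS,
             pattern="[ipv4-addr:value = '198.51.100.7']")
coa_sink = sdo("course-of-action", 3, name="sinkhole")  # name doubles as action (assumption)
coa_deny = sdo("course-of-action", 4, name="deny")
dummy_ap = sdo("attack-pattern", 5, name="placeholder")  # workaround (a) from the message

BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
          "spec_version": "2.0",
          "objects": [ind_dom, ind_ip, coa_sink, coa_deny, dummy_ap,
                      rel(6, "blocks", coa_sink, ind_dom),      # proposed, not in the spec
                      rel(7, "blocks", coa_deny, ind_ip),
                      rel(8, "mitigates", coa_deny, dummy_ap)]}  # defined today

# Only single-comparison patterns map cleanly onto one DNS rule.
SIMPLE = re.compile(r"^\[(?:domain-name|ipv4-addr):value = '([^']+)'\]$")

def dns_policy(bundle, rel_type="blocks"):
    """Resolve COA --rel_type--> Indicator edges into {observable: action}."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    policy = {}
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o["relationship_type"] != rel_type:
            continue
        coa, ind = by_id.get(o["source_ref"]), by_id.get(o["target_ref"])
        if not coa or not ind or coa["type"] != "course-of-action" or ind["type"] != "indicator":
            continue  # dangling reference or wrong endpoint types
        m = SIMPLE.match(ind["pattern"])
        if m:
            policy[m.group(1)] = coa["name"]
    return policy

if __name__ == "__main__":
    for observable, action in dns_policy(BUNDLE).items():
        print(f"{action:9} {observable}")
```

Resolving the same bundle with `rel_type="mitigates"` yields no DNS rules, because the only defined "mitigates" edge ends at the placeholder Attack Pattern rather than at an Indicator.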