OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator

Jason Keirstead wrote this message on Mon, Jul 16, 2018 at 10:13 -0300:
> Scenario: Lets say you want to have an indicator feed that you want to 
> provide to a DNS server, in order to either deny or sinkhole those IP 
> addresses and/or domains. As such, you want to provide Course of Action 
> that are linked to those indicators, to tell the DNS server what to do.
> Currently, COA only has "mitigates" relationships to Attack Pattern, 
> Malware, Tool, and Vulnerability.
> As such, one is forced to either
> (a) Create "dummy" empty Attack Pattern objects to create this 
> relationship
> (b) Make your own SRO for "mitigates" directly from COA to Indicator

I support b...  I tried to get this in a while back, but people didn't
seem to want it at the time...
> In this use case, there is no attack pattern, or any of these objects. You 
> simply want to be able to say "If you see X, do Y".
> I would like to request / suggest that we add a defined relationship from 
> COA to Indicator called "blocks", or "denies", "mitigates", or something 
> to that effect so that this use case can be standardized, as it is 
> extremely common.

I'm fine w/ mitigates...  I'd prefer not to use blocks or denies, as that
implies a certain action, that may not be what the COA does..


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]