Subject: Re: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator
Jason Keirstead wrote this message on Mon, Jul 16, 2018 at 10:13 -0300:
> Scenario: Let's say you want to have an indicator feed that you want to
> provide to a DNS server, in order to either deny or sinkhole those IP
> addresses and/or domains. As such, you want to provide Courses of Action
> that are linked to those indicators, to tell the DNS server what to do.
>
> Currently, COA only has "mitigates" relationships to Attack Pattern,
> Malware, Tool, and Vulnerability.
>
> As such, one is forced to either
>
> (a) Create "dummy" empty Attack Pattern objects to create this
> relationship
> (b) Make your own SRO for "mitigates" directly from COA to Indicator

I support b... I tried to get this in a while back, but people didn't
seem to want it at the time...

>
> In this use case, there is no attack pattern, or any of these objects. You
> simply want to be able to say "If you see X, do Y".
>
> I would like to request / suggest that we add a defined relationship from
> COA to Indicator called "blocks", or "denies", "mitigates", or something
> to that effect so that this use case can be standardized, as it is
> extremely common.

I'm fine w/ mitigates... I'd prefer not to use blocks or denies, as that
implies a certain action, that may not be what the COA does..

--
John-Mark
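
The "If you see X, do Y" lookup that option (b) in the quoted message would give a consumer such as a DNS server, as an added example that is not part of the original message or of the STIX specification. The bundle, ids, COA name and the `rel` and `coa_actions` helpers are constructed for illustration, and the COA-to-Indicator "mitigates" SRO is the custom relationship under discussion, not one the thread says the spec defines.

```python
import re

# Constructed STIX 2.x objects (ids, names and patterns are made up; required
# properties such as created/modified are left out to keep the sample short).
COA = "course-of-action--00000000-0000-4000-8000-000000000001"
IND_DOMAIN = "indicator--00000000-0000-4000-8000-000000000002"
IND_IP = "indicator--00000000-0000-4000-8000-000000000003"
IND_UNLINKED = "indicator--00000000-0000-4000-8000-000000000004"

def rel(n, source, target):
    # Option (b) from the thread: a "mitigates" SRO from COA to Indicator.
    return {"type": "relationship", "relationship_type": "mitigates",
            "id": "relationship--00000000-0000-4000-8000-00000000001%d" % n,
            "source_ref": source, "target_ref": target}

BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
          "objects": [
    {"type": "course-of-action", "id": COA, "name": "Sinkhole at DNS resolver"},
    {"type": "indicator", "id": IND_DOMAIN,
     "pattern": "[domain-name:value = 'bad.example']"},
    {"type": "indicator", "id": IND_IP,
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "id": IND_UNLINKED,
     "pattern": "[domain-name:value = 'unlinked.example']"},
    rel(1, COA, IND_DOMAIN),
    rel(2, COA, IND_IP),
    rel(3, COA, "indicator--00000000-0000-4000-8000-0000000000ff"),  # dangling
]}

# Only single-comparison domain/IPv4 patterns are handled; anything else
# needs a real STIX pattern parser and is skipped here.
SIMPLE = re.compile(r"^\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]$")

def coa_actions(bundle):
    """Return (coa_name, observable_type, value) for each COA -> Indicator link."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    actions = []
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o.get("relationship_type") != "mitigates":
            continue
        coa, ind = by_id.get(o["source_ref"]), by_id.get(o["target_ref"])
        if not coa or not ind:
            continue  # dangling reference: nothing to act on
        if coa["type"] != "course-of-action" or ind["type"] != "indicator":
            continue  # e.g. the spec-defined COA -> Attack Pattern case
        m = SIMPLE.match(ind["pattern"].strip())
        if m:
            actions.append((coa["name"], m.group(1), m.group(2)))
    return actions
```

Indicators with no relationship to a COA, and relationships whose target is missing from the bundle, produce no action.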