Subject: Re: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator


I have had 3 agree - anyone against this idea?

If not I will submit a change proposal for this in CSD 02.

-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown




From:        John-Mark Gurney <jmg@newcontext.com>
To:        Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc:        cti-stix@lists.oasis-open.org
Date:        07/17/2018 08:29 PM
Subject:        Re: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator




Jason Keirstead wrote this message on Mon, Jul 16, 2018 at 10:13 -0300:
> Scenario: Let's say you want to have an indicator feed that you want to
> provide to a DNS server, in order to either deny or sinkhole those IP
> addresses and/or domains. As such, you want to provide Courses of Action
> that are linked to those indicators, to tell the DNS server what to do.
>
> Currently, COA only has "mitigates" relationships to Attack Pattern,
> Malware, Tool, and Vulnerability.
>
> As such, one is forced to either
>
> (a) Create "dummy" empty Attack Pattern objects to create this
> relationship
> (b) Make your own SRO for "mitigates" directly from COA to Indicator

I support b...  I tried to get this in a while back, but people didn't
seem to want it at the time...
>
> In this use case, there is no attack pattern, or any of these objects. You
> simply want to be able to say "If you see X, do Y".
>
> I would like to request / suggest that we add a defined relationship from
> COA to Indicator called "blocks", or "denies", "mitigates", or something
> to that effect so that this use case can be standardized, as it is
> extremely common.

I'm fine w/ mitigates...  I'd prefer not to use blocks or denies, as that
implies a certain action, that may not be what the COA does..

--
John-Mark
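
Added example, not part of either message and not code from the STIX specification: it shows option (b) from the thread, a "mitigates" SRO from a Course of Action to an Indicator, and how a consumer that accepts only the currently defined target types drops that link. The objects are constructed, trimmed to the fields the code reads, and the function name `actions_by_pattern` is hypothetical.

```python
# Target types the thread says "mitigates" is currently defined for.
DEFINED_TARGETS = {"attack-pattern", "malware", "tool", "vulnerability"}

# Constructed identifiers and objects (not from any real feed).
IND = "indicator--00000000-0000-4000-8000-000000000002"
COA = "course-of-action--00000000-0000-4000-8000-000000000003"
MISSING = "indicator--00000000-0000-4000-8000-0000000000ff"  # not in the bundle

BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": IND, "labels": ["malicious-activity"],
         "pattern": "[domain-name:value = 'bad.example.com']",
         "valid_from": "2018-07-16T00:00:00Z"},
        {"type": "course-of-action", "id": COA,
         "name": "Sinkhole at DNS resolver"},
        {"type": "relationship",
         "id": "relationship--00000000-0000-4000-8000-000000000004",
         "relationship_type": "mitigates", "source_ref": COA, "target_ref": IND},
        {"type": "relationship",
         "id": "relationship--00000000-0000-4000-8000-000000000005",
         "relationship_type": "mitigates", "source_ref": COA, "target_ref": MISSING},
    ],
}


def actions_by_pattern(bundle, extra_targets=()):
    """Map indicator pattern -> names of COAs linked by an accepted 'mitigates' SRO."""
    objs = {o["id"]: o for o in bundle.get("objects", [])}
    allowed = DEFINED_TARGETS | set(extra_targets)
    result = {}
    for rel in objs.values():
        if rel["type"] != "relationship" or rel.get("relationship_type") != "mitigates":
            continue
        src, tgt = objs.get(rel.get("source_ref")), objs.get(rel.get("target_ref"))
        if src is None or tgt is None:
            continue  # dangling reference: nothing to act on
        if src["type"] != "course-of-action" or tgt["type"] not in allowed:
            continue  # source/target pairing this consumer does not accept
        if tgt["type"] == "indicator":
            result.setdefault(tgt["pattern"], []).append(src["name"])
    return result


if __name__ == "__main__":
    print("defined targets only:", actions_by_pattern(BUNDLE))
    print("indicator accepted:  ", actions_by_pattern(BUNDLE, extra_targets=("indicator",)))
```
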





