RE: [cti-stix] Re: [EXT] [cti-stix] updated COA proposal && additional topic for working call tomorrow

["Wunder, John A." <jwunder@mitre.org>]

This looks awesome, I just reviewed it and had maybe 1-2 minor things (in comments in the doc). I support including this in the next CSD.

 

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> On Behalf Of Allan Thomson
Sent: Wednesday, October 31, 2018 12:11 PM
To: Jyoti Verma (jyoverma) <jyoverma@cisco.com>; Bret Jordan <Bret_Jordan@symantec.com>; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Re: [EXT] [cti-stix] updated COA proposal && additional topic for working call tomorrow

 

All â Some comments have been received and mostly addressed in the google document.

 

If you have an interest in COA please comment in the document.

 

Our hope is to discuss and close any outstanding comments in next weekâs Tuesday working call so that we can put forward a proposal to the entire TC to include this work in the next CSD.

 

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions

 

From: "Jyoti Verma (jyoverma)" <jyoverma@cisco.com>
Date: Wednesday, October 31, 2018 at 6:19 AM
To: Bret Jordan <Bret_Jordan@symantec.com>, Allan Thomson <athomson@lookingglasscyber.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Re: [EXT] [cti-stix] updated COA proposal && additional topic for working call tomorrow

 

Thanks Allan. I support this as well.

 

-Jyoti

 

From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Monday, October 29, 2018 at 3:55 PM
To: Allan Thomson <athomson@lookingglasscyber.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Re: [EXT] [cti-stix] updated COA proposal && additional topic for working call tomorrow

 

Thank Allan.  I fully support this new more simplified version of COA for STIX 2.1.

 

 

Thanks

Bret

 

---

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Sent: Monday, October 29, 2018 3:28:30 PM
To: cti-stix@lists.oasis-open.org
Subject: [EXT] [cti-stix] updated COA proposal && additional topic for working call tomorrow

 

All â

 

Please find a link to a Course of Action simplified proposal that builds upon the 2.0 specification of COA.

 

https://docs.google.com/document/d/1jAZiyo0M5TpKLPQRFR9O7Ct67v_AxudTbL2rQf5dCic/edit?usp=sharing

 

Summary of Proposal

 

1. Added action_type

1. Why: To allow the producer to define whether the COA has embedded content or referenced content (similar to Artifact object)

2. Added property action_ref

1. Why: To allow referencing external coa content to the STIX COA object instead of having to embedded all COA definitions/actions

3. Changed action reserved property to well-defined meaning/definition that allows numerous content types based on action_type to be embedded on COA
4. Added 2 new named relationships for investigates & remediates

1. Why: Support additional uses of a COA that are commonly used in the industry

 

The changes proposed in this document would replace the existing proposal for STIX2.1 COA work as several of the authors of that proposal have decided to submit this new simpler proposal for easy adoption.

 

The link allows comments in the document but if you have questions and are able to join the working call tomorrow please do.

 

This is a very much simplified proposal for COA to make it more useful/usable in STIX2.1 and therefore would propose we adopt this work quickly for inclusion the next STIX2.1 CSD.

 

Regards

 

Allan