On today’s working call, we discussed the event object. We didn’t have someone taking full notes, but I’ll try to summarize what was discussed below.
- The event object should be scoped down to just an IR type of event/incident. This would need to be clarified in the text, but that would then scope out
some of our other use cases such as:
- An ‘alert’ coming into your system
- An ‘event’ such as a threat actor registering a domain
- The MISP version of ‘event’
- An ‘alert’ coming into your system
- We removed the event_type property, and moved the words “event” and “incident” that were in the event-type-ov vocab to be in the labels field. (basically,
we just merged event_type with labels)
- We created a relationship from an event to another event, indicating that one event can be part of another event. This should take care of the use case
where you have five ‘events’ that then all become part of one ‘incident’. You would have 5 event objects, then create a 6th event object, add the incident label, and link the first 5 events to the 6th.
- We agreed we need to revist the property name for “impact_scope” and come up with something better. Also the purpose of this property needs to be clarified/wordsmithed.
- Two vocabularies need more work than the others, intended-effect-ov and detection-mechanism-ov. There are three possible ways to proceed:
- Remove these two properties and their vocabs
- Keep the properties but massively scale back the vocabs to just a few, well-agreed up on terms
- Keep the properties and spend the time and effort needed to fix these vocabularies
- Remove these two properties and their vocabs
We’re hoping to clean up the proposal soon and maybe spend the next week discussing the “intended-effect-ov” and “detection-mechanism-ov” vocabularies.
Thanks,
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722
. . . . .