[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] Re: [EXT] Re: [cti] Summary of the working call
Hello Bret, We've just had a look at the event object (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit# - section 2.6 / 2.1.x???) and it is pretty far from our idea of a generic event, as it basically describes an incident/investigation/case instead of a generic event (which could be a collection of OSINT data even, CERT notifications, or even a shared black list). Most of its attributes don't align with what we're after (so basically we'd have to leave them unset) and it lacks some attributes that are blockers for us. Our main goal with threat intel sharing is to give analysts a tool that allows them to exchange information that they find could be useful for their partners, based on a variety of sources (an actual incident, a collection of OSINT data, financial fraud details, the results of the analysis of a reverse engineer, notifications shared by law enforcement etc). The event proposal that you suggested deals more with a collection of facts after an incident/investigation/case, which has different objectives and assumptions. It is great for a ticketing system used internally for example, but less so for threat intel sharing. I personally don't see how this is more relevant than what we're after when we consider that STIX is a standard built to exchange threat information, but we can't all have our ponies, I realise that. However, this makes the proposed construct unusable for our use-case. I hope this has managed to clear up some of the confusion and we can come to an agreement on how to proceed (hopefully using the proposed generic-event structure). Best regards, Andras On 23. aug. 2017 18:39, Bret Jordan wrote: > Alexandre, > > > If we added a "supporting_data" property to Event that contained a list > of IDs to other STIX objects, would that enable your use-case? > > > Bret > > ------------------------------------------------------------------------ > *From:* cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of > Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu> > *Sent:* Wednesday, August 23, 2017 2:42:46 AM > *To:* cti@lists.oasis-open.org > *Subject:* [EXT] Re: [cti] Summary of the working call > > On 22/08/17 22:12, Sarah Kelley wrote: >> On today’s working call, we discussed the event object. We didn’t have someone taking full notes, but I’ll try to summarize what was discussed below. >> >> >> 1. The event object should be scoped down to just an IR type of event/incident. This would need to be clarified in the text, but that would then scope out some of our other use cases such as: >> * An ‘alert’ coming into your system >> * An ‘event’ such as a threat actor registering a domain >> * The MISP version of ‘event’ > > As our past proposals (event and updated report) were rejected and > seeing how despite expectations the new event SDO won't accommodate the > requirements of many CERTs and considering that we need to > move on regarding this, we propose a new SDO called generic event to be > able to map MISP events to STIX. > > https://clicktime.symantec.com/a/1/KXXOt30L0Phy4XSBJfMef58Wt7mbKP8hq6iPJVbggCA=?d=aZFWp64AB6xw0IMyCZXL0Penlb_6iU6OgveRz1MnP5rZ9wxB3EfnQTTfyleQA_85xnxQ4G0tW-3mzxOSKk1ZRAeSkGz5Uk_0aPQYycvNcyEd8ji_tyMaKiVRV9LZPX9QWMpByAtKN1160Dz8pzikmWvm0SFVLHVA309anASuRu6zZIWfoBIdLmRQw-WVQy010_LhdsXjYEM-UscjJdtGhpFaPSlyn8sajyVZvtRf2DKg9jyYepCu2Rt7DmyHYx5Z5jlm5eo60yXUU7QuYoszYy6gKXOlHo9JUCI9Euvaux0dldytYQNnqpjF1iIAR6BljwZgq0OTmjNjS72rdbMO-Ki2Sdu1EX1s_yvIWbUoNls35fV1yGdy7YLa8z1z7nM_1VZZ8C-43itV5JB6WqnJUQBohXsItCeM8aFDSIxBoJTjjTC8&u=https%3A%2F%2Fwww.misp-project.org%2Fgeneric-event-proposal-STIX-2.1.pdf > > Thank you very much > > -- > Alexandre Dulaunoy > CIRCL - Computer Incident Response Center Luxembourg > 41, avenue de la gare L-1611 Luxembourg > info@circl.lu - www.circl.lu <http://www.circl.lu> - (+352) 247 88444 > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://clicktime.symantec.com/a/1/TPo_dTV-pVxJ8S7TeISQ6XYZjfPzx28einI7H3nz6M0=?d=aZFWp64AB6xw0IMyCZXL0Penlb_6iU6OgveRz1MnP5rZ9wxB3EfnQTTfyleQA_85xnxQ4G0tW-3mzxOSKk1ZRAeSkGz5Uk_0aPQYycvNcyEd8ji_tyMaKiVRV9LZPX9QWMpByAtKN1160Dz8pzikmWvm0SFVLHVA309anASuRu6zZIWfoBIdLmRQw-WVQy010_LhdsXjYEM-UscjJdtGhpFaPSlyn8sajyVZvtRf2DKg9jyYepCu2Rt7DmyHYx5Z5jlm5eo60yXUU7QuYoszYy6gKXOlHo9JUCI9Euvaux0dldytYQNnqpjF1iIAR6BljwZgq0OTmjNjS72rdbMO-Ki2Sdu1EX1s_yvIWbUoNls35fV1yGdy7YLa8z1z7nM_1VZZ8C-43itV5JB6WqnJUQBohXsItCeM8aFDSIxBoJTjjTC8&u=https%3A%2F%2Fwww.oasis-open.org%2Fapps%2Forg%2Fworkgroup%2Fportal%2Fmy_workgroups.php > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]