Subject: [OASIS Issue Tracker] (CTI-1) Incident/Event


Mark Davidson created CTI-1:
-------------------------------

             Summary: Incident/Event
                 Key: CTI-1
                 URL: https://issues.oasis-open.org/browse/CTI-1
             Project: OASIS Cyber Threat Intelligence (CTI) TC
          Issue Type: New Feature
            Reporter: Mark Davidson


The development of one or more SDOs to capture incident and event information.

Work area: Working Concepts (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q)

Scope

The capture of information related to internal security events, internal security incidents, and external security-relevant events.

Examples

A malware infection on an internal laptop
Tracking an incident response to an APT intrusion
A threat actor changes a C2 domain
Reporting an incident to a third-party, such as US-CERT or DC3
Public incident repositories, such as VERIS

Open Questions

Is there a single SDO to capture both incident and event information?
If so, how is the status "incident" captured?
Do you need to distinguish between internal, security-relevant events and external information?
How do you track workflow/timestamps?
How do you track POCs?
How is it related to observed data?



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)