
Subject: [OASIS Issue Tracker] (CTI-1) Incident/Event


     [ https://issues.oasis-open.org/browse/CTI-1?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Davidson updated CTI-1:
----------------------------

    Component/s: STIX

> Incident/Event
> --------------
>
>                 Key: CTI-1
>                 URL: https://issues.oasis-open.org/browse/CTI-1
>             Project: OASIS Cyber Threat Intelligence (CTI) TC
>          Issue Type: New Feature
>          Components: STIX
>            Reporter: Mark Davidson
>             Fix For: STIX 2.1
>
>
> The development of one or more SDOs to capture incident and event information.
> Work area: Working Concepts (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q)
> Scope
> The capture of information related to internal security events, internal security incidents, and external security-relevant events.
> Examples
> - A malware infection on an internal laptop
> - Tracking an incident response to an APT intrusion
> - A threat actor changes a C2 domain
> - Reporting an incident to a third-party, such as US-CERT or DC3
> - Public incident repositories, such as VERIS
> Open Questions
> - Is there a single SDO to capture both incident and event information?
> - If so, how is the status "incident" captured?
> - Do you need to distinguish between internal, security-relevant events and external information?
> - How do you track workflow/timestamps?
> - How do you track POCs?
> - How is it related to observed data?



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)