[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] (CTI-1) Incident/Event
[ https://issues.oasis-open.org/browse/CTI-1?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Davidson updated CTI-1:
----------------------------

    Component/s: STIX

> Incident/Event
> --------------
>
>                 Key: CTI-1
>                 URL: https://issues.oasis-open.org/browse/CTI-1
>             Project: OASIS Cyber Threat Intelligence (CTI) TC
>          Issue Type: New Feature
>          Components: STIX
>            Reporter: Mark Davidson
>             Fix For: STIX 2.1
>
>
> The development of one or more SDOs to capture incident and event information.
>
> Work area: Working Concepts (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q)
>
> Scope
>
> The capture of information related to internal security events, internal security incidents, and external security-relevant events.
>
> Examples
>
> - A malware infection on an internal laptop
> - Tracking an incident response to an APT intrusion
> - A threat actor changes a C2 domain
> - Reporting an incident to a third party, such as US-CERT or DC3
> - Public incident repositories, such as VERIS
>
> Open Questions
>
> - Is there a single SDO to capture both incident and event information?
> - If so, how is the status "incident" captured?
> - Do you need to distinguish between internal, security-relevant events and external information?
> - How do you track workflow/timestamps?
> - How do you track POCs?
> - How is it related to observed data?

--
This message was sent by Atlassian JIRA
(v6.2.2#6258)