Subject: [OASIS Issue Tracker] (CTI-1) Incident/Event
[ https://issues.oasis-open.org/browse/CTI-1?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Davidson updated CTI-1:
----------------------------

Description:

The development of one or more SDOs to capture incident and event information.

Work area: Working Concepts (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q)

## Scope

The capture of information related to internal security events, internal security incidents, and external security-relevant events.

## Examples

* A malware infection on an internal laptop
* Tracking an incident response to an APT intrusion
* A threat actor changes a C2 domain
* Reporting an incident to a third party, such as US-CERT or DC3
* Public incident repositories, such as VERIS

## Open Questions

1. Is there a single SDO to capture both incident and event information?
2. If so, how is the status "incident" captured?
3. Do you need to distinguish between internal, security-relevant events and external information?
4. How do you track workflow/timestamps?
5. How do you track POCs?
6. How is it related to observed data?

was: (the same description text, previously without the Markdown headings and list markers)

> Incident/Event
> --------------
>
> Key: CTI-1
> URL: https://issues.oasis-open.org/browse/CTI-1
> Project: OASIS Cyber Threat Intelligence (CTI) TC
> Issue Type: New Feature
> Components: STIX
> Reporter: Mark Davidson
> Fix For: STIX 2.1
>
> (The issue description quoted here is identical to the updated description above.)

--
This message was sent by Atlassian JIRA (v6.2.2#6258)