cti message
Subject: Re: [cti] [OASIS Issue Tracker] (CTI-1) Incident/Event


My apologies – I did not realize this was spamming the CTI TC list.

My activity here is to get stuff from GitHub into Jira, with the intent of evaluating whether or not I want to propose that we use Jira. I will not make any more modifications until the auto-email is turned off.

Thank you.
-Mark

On 11/13/17, 10:13 AM, "cti@lists.oasis-open.org on behalf of OASIS Issues Tracker" <cti@lists.oasis-open.org on behalf of workgroup_mailer@lists.oasis-open.org> wrote:


         [ https://issues.oasis-open.org/browse/CTI-1?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

    Mark Davidson updated CTI-1:
    ----------------------------

        Description:
    The development of one or more SDOs to capture incident and event information.

    Work area: Working Concepts (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q)

    ## Scope

    The capture of information related to internal security events, internal security incidents, and external security-relevant events.

    ## Examples

    * A malware infection on an internal laptop
    * Tracking an incident response to an APT intrusion
    * A threat actor changes a C2 domain
    * Reporting an incident to a third party, such as US-CERT or DC3
    * Public incident repositories, such as VERIS

    ## Open Questions

     1. Is there a single SDO to capture both incident and event information?
     2. If so, how is the status "incident" captured?
     3. Do you need to distinguish between internal, security-relevant events and external information?
     4. How do you track workflow/timestamps?
     5. How do you track POCs?
     6. How is it related to observed data?

      was:
    The development of one or more SDOs to capture incident and event information.

    Work area: Working Concepts (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q)

    ## Scope

    The capture of information related to internal security events, internal security incidents, and external security-relevant events.

    Examples

    A malware infection on an internal laptop
    Tracking an incident response to an APT intrusion
    A threat actor changes a C2 domain
    Reporting an incident to a third party, such as US-CERT or DC3
    Public incident repositories, such as VERIS
    Open Questions

     Is there a single SDO to capture both incident and event information?
     If so, how is the status "incident" captured?
     Do you need to distinguish between internal, security-relevant events and external information?
     How do you track workflow/timestamps?
     How do you track POCs?
     How is it related to observed data?


    > Incident/Event
    > --------------
    >
    >                 Key: CTI-1
    >                 URL: https://issues.oasis-open.org/browse/CTI-1
    >             Project: OASIS Cyber Threat Intelligence (CTI) TC
    >          Issue Type: New Feature
    >          Components: STIX
    >            Reporter: Mark Davidson
    >             Fix For: STIX 2.1
    >
    >
    > The development of one or more SDOs to capture incident and event information.
    > Work area: Working Concepts (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q)
    > ## Scope
    > The capture of information related to internal security events, internal security incidents, and external security-relevant events.
    > ## Examples
    > * A malware infection on an internal laptop
    > * Tracking an incident response to an APT intrusion
    > * A threat actor changes a C2 domain
    > * Reporting an incident to a third party, such as US-CERT or DC3
    > * Public incident repositories, such as VERIS
    > ## Open Questions
    >  1. Is there a single SDO to capture both incident and event information?
    >  2. If so, how is the status "incident" captured?
    >  3. Do you need to distinguish between internal, security-relevant events and external information?
    >  4. How do you track workflow/timestamps?
    >  5. How do you track POCs?
    >  6. How is it related to observed data?



    --
    This message was sent by Atlassian JIRA
    (v6.2.2#6258)
