

Subject: Re: [cti] RE: Adding an Incident SDO stub to 2.1


Yeah, reaching consensus on a fully fleshed out incident object will be challenging and will require a lot of work. However, a stub or minimal object may help a bit. My concern is that there are several groups working on their own incident object. This means we will have several top-level object collisions. It seems like it would be better to have some sort of stub or minimal offering that groups can then just extend.

Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


On Fri, Nov 13, 2020 at 1:45 PM Mates, Jeffrey CIV DC3/TSD <Jeffrey.Mates@dc3.mil> wrote:

While I'm very much in favor of creating an Incident object, I am concerned that generating a stub and having everyone put different things to do it may do us more harm than good as I imagine we are all looking at structuring it very differently.


I have attached a draft that I have been working on along with samples of it in use to illustrate just how divergent thoughts on this may be. I know that working through what I have now has certainly run into challenges as balancing current and future needs across multiple systems is extremely challenging which is why I have not put forward much so far on this.


While I am certainly happy to discuss the stub proposal and various potential incidents proposals on the working call I expect that reaching consensus is going to be a challenge.


//SIGNED//


Jeffrey Mates, Civ DC3/TSD

Computer Scientist

Technical Solutions Development

jeffrey.mates@dc3.mil

410-694-4335


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Rich Piazza
Sent: Friday, November 13, 2020 2:16 PM
To: cti@lists.oasis-open.org
Subject: [Non-DoD Source] [cti] Adding an Incident SDO stub to 2.1


The editors would like to propose an addition to the specification, suggested by Paul Patrick.


Many in the community have commented about the lack of an Incident SDO in STIX 2.1. This has caused them to define their own, as a custom object. With the inclusion of the STIX extension facility into the specification, it has been suggested that the 2.1 spec includes a "stub" for Incident. This "stub" would act as a placeholder, from which the members of the community could base the extensions for their Incident content. The text added to the specification to define the Incident SDO would be minimal – similar to the stub for the Course of Action.


Please respond if you feel this addition to the specification should not happen. If there are any objections, we can discuss them on the next week's call.


Rich P.


--

Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation

781-271-3760


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


