[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: STIX Incident Extension Update
During the STIX working call on Tuesday the following changes were made to the STIX Incident extension. To ensure we continue to meet the needs of the wider community, please provide any feedback or concerns prior to these changes being pushed to GitHub with a new version of this extension.

The following have changed since the TC last reviewed it:

1. No merger between the attacker and defender activities. They will stay separate.

2. Defender Activity
   1. Added optional sequence information similar to attacker activities.
   2. Added outcome as a required property.
   3. Removed is_projection as having an outcome be "pending" or "ongoing" with normative text explaining that if they are the outcome is either of these sta
   4. timestamp and timestamp_fidelity removed (previously required).
   5. start_time, start_time_fidelity, end_time, and end_time_fidelity all added as optional, mirroring attacker activity.

3. External Impacts - Changed from a list of strings to a list of objects where each object has the following properties:
   1. impact_type (required) - String from an open vocab for the general type of impact, for example public-health or public-safety.
   2. criticality (optional) - Number between 0 and 100 using the same criticality scale as the incident extension in Appendix A.
   3. description (optional) - Additional details about the impact.
   4. impacted_refs (optional) - A list of impacted identities or infrastructure.

4. Activity Outcome enum (used by attacker and defender activity) is now:
   1. blocked - The activity was prevented because of some sort of affirmative action.
   2. ongoing (new) - The activity is still occurring.
   3. failed - The activity failed.
   4. occurred (new) - The activity took place but not due to any deliberate human action or activity. For example, there was a fire in a building because of an accident or lightning strike.
   5. pending (new) - The activity has not yet been started or observed, but it is projected or otherwise planned.
   6. successful - The activity was successful.
   7. unknown - The outcome of the activity is not yet known.

The full working document can be found here - https://docs.google.com/document/d/1Isxk2VVDmgMOi-1GjC4fsraKJMnwN9_ad8Z8UKsySQw

//SIGNED//
Jeffrey Mates, Civ DC3/TSD
Computer Scientist
Technical Solutions Development
jeffrey.mates@us.af.mil
410-694-4335
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
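The draft changes above (required outcome with the new enum, the removed is_projection and timestamp properties, the optional start/end time pair, and external impacts as objects with impact_type, criticality, description and impacted_refs) can be turned into a small conformance check, which is what the added example below does. This is illustration code written for this page, not code from the STIX TC, DC3 or the extension's published schema. It assumes activities and impacts arrive as plain JSON dictionaries, that sequence is an integer, that impacted_refs point at STIX identity or infrastructure objects, and it does not check fidelity values against any vocabulary, since the message does not list one; the sample objects are constructed for the example.

```python
"""Conformance checks for the draft STIX Incident extension changes described
in the message above. Added example; not the STIX TC's code or schema.
Assumptions (not stated in the message): activities and impacts are plain
dicts, sequence is an integer, fidelity vocab values are not validated,
impacted_refs are STIX identity or infrastructure ids. Sample data is constructed.
"""
from datetime import datetime

# Activity outcome enum as listed in the message (shared by attacker and defender activity)
ACTIVITY_OUTCOMES = {"blocked", "ongoing", "failed", "occurred", "pending", "successful", "unknown"}

# impact_type is an open vocab; these are only the two examples the message gives
KNOWN_IMPACT_TYPES = {"public-health", "public-safety"}

# Assumption: impacted_refs point at STIX identity or infrastructure objects
IMPACTED_REF_PREFIXES = ("identity--", "infrastructure--")


def _parse_timestamp(value):
    """Parse an ISO 8601 timestamp (trailing Z accepted); None if malformed."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def validate_defender_activity(activity):
    """Return the list of problems with one defender activity (empty = conformant)."""
    errors = []
    outcome = activity.get("outcome")
    if outcome is None:
        errors.append("outcome is required")
    elif outcome not in ACTIVITY_OUTCOMES:
        errors.append(f"outcome {outcome!r} is not in the activity outcome enum")

    # Removed properties: is_projection is now expressed as outcome pending/ongoing,
    # timestamp/timestamp_fidelity are replaced by the start/end pair.
    if "is_projection" in activity:
        errors.append("is_projection was removed; use outcome 'pending' or 'ongoing'")
    for removed in ("timestamp", "timestamp_fidelity"):
        if removed in activity:
            errors.append(f"{removed} was removed; use start_time/end_time")

    if "sequence" in activity and not isinstance(activity["sequence"], int):
        errors.append("sequence must be an integer")  # assumption: integer sequence numbers

    parsed = {}
    for key in ("start_time", "end_time"):
        if key in activity:
            parsed[key] = _parse_timestamp(activity[key])
            if parsed[key] is None:
                errors.append(f"{key} is not a valid timestamp")
        # Assumption: a fidelity value without its timestamp is meaningless
        if f"{key}_fidelity" in activity and key not in activity:
            errors.append(f"{key}_fidelity given without {key}")
    if parsed.get("start_time") and parsed.get("end_time") and parsed["start_time"] > parsed["end_time"]:
        errors.append("start_time is after end_time")
    return errors


def validate_external_impact(impact):
    """Return the list of problems with one external impact object (empty = conformant)."""
    errors = []
    impact_type = impact.get("impact_type")
    if not isinstance(impact_type, str) or not impact_type:
        errors.append("impact_type is required and must be a string")
    if "criticality" in impact:
        crit = impact["criticality"]
        # bool is an int subclass in Python, so exclude it explicitly
        if isinstance(crit, bool) or not isinstance(crit, (int, float)) or not 0 <= crit <= 100:
            errors.append("criticality must be a number between 0 and 100")
    if "description" in impact and not isinstance(impact["description"], str):
        errors.append("description must be a string")
    refs = impact.get("impacted_refs", [])
    if not isinstance(refs, list):
        errors.append("impacted_refs must be a list")
    else:
        for ref in refs:
            if not isinstance(ref, str) or not ref.startswith(IMPACTED_REF_PREFIXES):
                errors.append(f"impacted_refs entry {ref!r} is not an identity or infrastructure reference")
    return errors


def unknown_impact_types(impacts):
    """Open vocab: values outside the message's examples are allowed, but worth reviewing."""
    return {i.get("impact_type") for i in impacts if i.get("impact_type") not in KNOWN_IMPACT_TYPES}


# Constructed samples: one activity in the draft shape, one still in the old shape
GOOD_ACTIVITY = {"sequence": 1, "outcome": "ongoing",
                 "start_time": "2024-03-01T10:00:00Z", "start_time_fidelity": "hour"}
STALE_ACTIVITY = {"is_projection": True, "timestamp": "2024-03-01T10:00:00Z",
                  "timestamp_fidelity": "day", "outcome": "projected"}
GOOD_IMPACT = {"impact_type": "public-safety", "criticality": 75,
               "description": "Constructed sample impact",
               "impacted_refs": ["identity--00000000-0000-4000-8000-000000000001"]}

if __name__ == "__main__":
    for label, act in (("good", GOOD_ACTIVITY), ("stale", STALE_ACTIVITY)):
        print(label, validate_defender_activity(act))
    print("impact", validate_external_impact(GOOD_IMPACT))
```

Running the module prints an empty list for the draft-shaped activity and four findings for the stale one: the outcome value outside the enum plus each of the three removed properties.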