OASIS Mailing List Archives: cti
Subject: STIX Incident Extension Update


During the STIX working call on Tuesday the following changes were made to the 
STIX Incident extension.  To ensure we continue to meet the needs of the wider 
community please provide any feedback or concerns prior to these changes being 
pushed to GitHub with a new version of this extension.  The following have 
changed since the TC last reviewed it:

1. No merger between the attacker and defender activities. They will stay 
separate.
2. Defender Activity
    1. Added optional sequence information similar to attacker activities
    2. Added as required property outcome
    3. Removed is_projection as having an outcome be "pending" or "ongoing" 
with normative text explaining that if they are the outcome is either of these 
sta
    4. timestamp and timestamp_fidelity removed (previously required)
    5. start_time, start_time_fidelity, end_time, and end_time_fidelity all 
added as optional, mirroring attacker activity
3. External Impacts - Changed from a list of strings to a list of objects 
where each object has the following properties
    1. impact_type (required) - String from an open vocab for the general type 
of impact, for example public-health or public-safety
    2. criticality (optional) - Number between 0 and 100 using the same 
criticality scale as the incident extension in Appendix A
    3. description (optional) - Additional details about the impact
    4. impacted_refs (optional) - A list of impacted identities or 
infrastructure
4. Activity Outcome enum (used by attacker and defender activity) is now:
    1. blocked - The activity was prevented because of some sort of 
affirmative action.
    2. ongoing (new) - The activity is still occurring.
    3. failed - The activity failed.
    4. occurred (new) - The activity took place but not due to any deliberate 
human action or activity. For example, there was a fire in a building because 
of an accident or lightning strike.
    5. pending (new) - The activity has not yet been started or observed, but 
it is projected or otherwise planned.
    6. successful - The activity was successful.
    7. unknown - The outcome of the activity is not yet known.

The full working document can be found here - 
https://docs.google.com/document/d/1Isxk2VVDmgMOi-1GjC4fsraKJMnwN9_ad8Z8UKsySQw

//SIGNED//

Jeffrey Mates, Civ DC3/TSD
Computer Scientist
Technical Solutions Development
jeffrey.mates@us.af.mil
410-694-4335
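The property shapes announced in the message above, as an added example validator. This is not code from the STIX TC, the working document, or the sender; it encodes only what the message states (the required defender `outcome`, the removal of `is_projection`, `timestamp` and `timestamp_fidelity` from defender activities, the optional `start_time`/`end_time` pairs with their `_fidelity` companions, the seven-value Activity Outcome enum, and `external_impacts` as objects with `impact_type`, `criticality` 0-100, `description` and `impacted_refs` pointing at identity or infrastructure objects). Everything else is an assumption of this example: the placeholder STIX identifiers and sample values, the RFC 3339 UTC timestamp format check, the rule that a `_fidelity` property may only appear with its time, and the `end_time >= start_time` check. The fidelity vocabulary itself is not validated because the message does not list it.

```python
"""Checks for the updated STIX Incident extension properties described above.

Added example, not the TC's or the working document's code. Object ids and
sample values are constructed placeholders (assumptions), not real identifiers.
"""
import re
from datetime import datetime
from typing import Any, Dict, List, Optional

# Activity Outcome enum exactly as listed in the message (attacker and defender).
ACTIVITY_OUTCOME = {"blocked", "ongoing", "failed", "occurred", "pending",
                    "successful", "unknown"}

# Defender-activity properties the message says were removed.
REMOVED_DEFENDER_PROPS = {"is_projection", "timestamp", "timestamp_fidelity"}

# STIX 2.1 identifier shape: <object-type>--<uuid>.
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def _parse_ts(value: Any, path: str, errors: List[str]) -> Optional[datetime]:
    # Assumption: STIX timestamps are RFC 3339 strings in UTC ending in "Z".
    if not isinstance(value, str) or not value.endswith("Z"):
        errors.append(f"{path}: must be an RFC 3339 UTC timestamp ending in Z")
        return None
    try:
        return datetime.fromisoformat(value[:-1] + "+00:00")
    except ValueError:
        errors.append(f"{path}: unparseable timestamp {value!r}")
        return None


def validate_activity(act: Dict[str, Any], path: str, defender: bool) -> List[str]:
    """Validate one attacker or defender activity object."""
    errors: List[str] = []
    if defender:
        for prop in sorted(REMOVED_DEFENDER_PROPS & act.keys()):
            errors.append(f"{path}.{prop}: removed; use 'outcome' and start/end times")
    outcome = act.get("outcome")
    if outcome is None:
        errors.append(f"{path}.outcome: required property missing")
    elif outcome not in ACTIVITY_OUTCOME:
        errors.append(f"{path}.outcome: {outcome!r} not in Activity Outcome enum")
    times: Dict[str, Optional[datetime]] = {}
    for name in ("start_time", "end_time"):
        if name in act:
            times[name] = _parse_ts(act[name], f"{path}.{name}", errors)
        fidelity = name + "_fidelity"
        # Assumption: a fidelity qualifier without its timestamp is meaningless.
        if fidelity in act and name not in act:
            errors.append(f"{path}.{fidelity}: present without {name}")
    start, end = times.get("start_time"), times.get("end_time")
    if start and end and end < start:  # assumption: an activity cannot end before it starts
        errors.append(f"{path}: end_time precedes start_time")
    return errors


def validate_external_impact(impact: Any, path: str) -> List[str]:
    """Validate one entry of the new object-valued external_impacts list."""
    if not isinstance(impact, dict):
        return [f"{path}: external_impacts entries are now objects, not strings"]
    errors: List[str] = []
    if not isinstance(impact.get("impact_type"), str) or not impact["impact_type"]:
        errors.append(f"{path}.impact_type: required non-empty string")
    if "criticality" in impact:
        crit = impact["criticality"]
        if isinstance(crit, bool) or not isinstance(crit, (int, float)) or not 0 <= crit <= 100:
            errors.append(f"{path}.criticality: must be a number between 0 and 100")
    if "description" in impact and not isinstance(impact["description"], str):
        errors.append(f"{path}.description: must be a string")
    for i, ref in enumerate(impact.get("impacted_refs", [])):
        if not isinstance(ref, str) or not STIX_ID_RE.match(ref):
            errors.append(f"{path}.impacted_refs[{i}]: not a STIX identifier")
        elif ref.split("--", 1)[0] not in ("identity", "infrastructure"):
            errors.append(f"{path}.impacted_refs[{i}]: must reference identity or infrastructure")
    return errors


def validate_incident_extension(ext: Dict[str, Any]) -> List[str]:
    """Return every problem found in the extension dict; empty list means clean."""
    errors: List[str] = []
    for i, act in enumerate(ext.get("attacker_activities", [])):
        errors += validate_activity(act, f"attacker_activities[{i}]", defender=False)
    for i, act in enumerate(ext.get("defender_activities", [])):
        errors += validate_activity(act, f"defender_activities[{i}]", defender=True)
    for i, imp in enumerate(ext.get("external_impacts", [])):
        errors += validate_external_impact(imp, f"external_impacts[{i}]")
    return errors


# Constructed sample following the new shape (ids and values are placeholders).
GOOD_EXTENSION = {
    "defender_activities": [{
        "outcome": "successful",
        "start_time": "2024-03-01T10:15:00Z", "start_time_fidelity": "minute",
        "end_time": "2024-03-01T11:00:00Z", "end_time_fidelity": "minute",
        "description": "Isolated the affected host from the network",
    }],
    "external_impacts": [{
        "impact_type": "public-safety", "criticality": 70,
        "description": "Emergency dispatch console unavailable",
        "impacted_refs": ["identity--6f1bd3e4-4a0c-4a2f-9b17-1f3d2c5e8a90"],
    }],
}

# Constructed sample still using the old shape, to show what now gets rejected.
OLD_SHAPE_EXTENSION = {
    "defender_activities": [{"outcome": "in-progress", "is_projection": True,
                             "timestamp": "2024-03-01T10:15:00Z"}],
    "external_impacts": ["public-health",
                         {"impact_type": "public-health", "criticality": 150}],
}

if __name__ == "__main__":
    for label, ext in (("good", GOOD_EXTENSION), ("old-shape", OLD_SHAPE_EXTENSION)):
        print(label, validate_incident_extension(ext) or "ok")
```

Running the block prints `ok` for the new-shape sample and five findings for the old-shape one: the non-enum outcome, the two removed properties, the string-valued impact, and the out-of-range criticality.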

Attachment: smime.p7s
Description: S/MIME cryptographic signature


