Subject: STIX Incident Extension Rework - Naming Fun
For anyone who hasn't been tracking the ongoing work on the 2.0 version of the Incident extension, we are now looking to break it into three separate extensions, one of which we are seeking broader input on before we decide what to name it.

These extensions are:

1. Incident Core - A property extension on the Incident SDO
2. Impact - An SDO extension
3. Unnamed - An SDO extension that has been created by moving the Attacker and Defender activities from the 1.0 Incident Core into its own SDO. Currently there are several proposed names for it as well as its current placeholder.

Names:

1. incident-activity: The current placeholder, but it's possible to have one of these SDOs without an incident so it seems too specific
2. activity: Does this risk overlap or confusion with other areas?
3. event: Concerns were raised that this language biases against recording defender actions.
4. action: Reasonably neutral, but we do have some deviations from the unified cyber ontology's actions. These are fairly minor however.

The current documentation for the as of yet not properly named SDO can be found on GitHub: https://github.com/dod-cyber-crime-center/cti-stix-common-objects/blob/incident_rework/extension-definition-specifications/incident-activity/Incident%20Activity%20Extension.adoc

Incidents can store an ordered list of these. This branch also has information about the Incident Core and Impact extensions if you want to go up a folder to see how they connect to each other.

//SIGNED//

Jeffrey Mates, Civ DC3/TSD
Computer Scientist
Technical Solutions Development
jeffrey.mates@us.af.mil
410-694-4335