Please review and provide any corrections or feedback before we finalize the notes from the meeting below.
DRAFT NOTES June 9, 2023 – 9am Eastern
- Jeffrey Mates got all the hyperlinks working in the document. Incident core extension version.
- We pointed out there is more than one incident type that works (e.g., indicator & attack pattern). Consensus is to keep both and add some descriptions for the consumer.
- We went through the Wakand Int’l Expo breach hypothetical.
- Some expressed they are in favor of custom Attack patterns as a way to flag potential gaps. We will try to also add Kill chain as appropriate.
- Subevents are used to show component relations
- We looked at incident indicators
- Embedded vs External – we want to strive for consistency; we are not preventing external relationships, and it could be done differently with different results. We want to provide guidance on what to use and document use cases for external relationships.
- Jeff is putting the technical event flow into STIX for next week.
- Questions came up on how to convert from MISP to STIX and back. Is it possible to have a generic approach? Transforming events and incidents. We will look at specifics and then do more of a deep dive into usage and objects.
Jonathan Matkowsky
he/him
Principal Researcher
Microsoft Security