Details

• Type: New Feature
• Status: New
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: None
• Fix Version/s: STIX 2.1
• Component/s: STIX
• Labels: None

Description

The development of one or more SDOs to capture incident and event information.

Work area: Working Concepts (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q)

1. Scope

The capture of information related to internal security events, internal security incidents, and external security-relevant events.

2. Examples

• A malware infection on an internal laptop
• Tracking an incident response to an APT intrusion
• A threat actor changes a C2 domain
• Reporting an incident to a third party, such as US-CERT or DC3
• Public incident repositories, such as VERIS

3. Open Questions

1. Is there a single SDO to capture both incident and event information?
2. If so, how is the status "incident" captured?
3. Do you need to distinguish between internal, security-relevant events and external information?
4. How do you track workflow/timestamps?
5. How do you track POCs?
6. How is it related to observed data?

People

• Assignee: Unassigned
• Reporter: Mark Davidson (mark.davidson)