The development of one or more SDOs to capture incident and event information.
Work area: Working Concepts (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q)
- Scope
The capture of information related to internal security events, internal security incidents, and external security-relevant events.
- Examples
- A malware infection on an internal laptop
- Tracking an incident response to an APT intrusion
- A threat actor changes a C2 domain
- Reporting an incident to a third party, such as US-CERT or DC3
- Public incident repositories, such as VERIS
- Open Questions
1. Is there a single SDO to capture both incident and event information?
2. If so, how is the status "incident" captured?
3. Do you need to distinguish between internal security-relevant events and external information?
4. How do you track workflow/timestamps?
5. How do you track points of contact (POCs)?
6. How does the SDO relate to observed data?