Incident Extension Rework #33
…ng a 2.0 draft that includes all three in separate extensions. Began rework on JSON schema and examples, but most examples are not updated.
…lock. Moved references incidents, impacts and activities to the incident and made a new activity sequence type to track this.
…ent examples are still pending update
…emplate_refs from tasks. Added superseded and sequence options for impacts. Reworked incident_indicators example to use the new format and to add a wrapper report.
… into the new format with a sample of a playbook execution.
…he entire suite. Moved related extensions under the same folder. Added conversion time for monetary impact. Reworked how event / task sequences work and began updating examples.
…elated objects. Removed pattern_refs from event objects in favor of these being connected through sighting_refs. All type references are now links within the adoc file.
…ter the most recent update
…hains. Reworked all previous examples for the new schema. Updated the contributors list to reflect participation in the CTI-TC working group.
@@ -891,6 +896,10 @@ This list *MUST* not contain cycles. | |||
|
|||
// tag::task-relationships[] | |||
|
|||
When creating sequences of [stixtype]#<<task,tasks>># these *SHOULD NOT* be shared using relationship objects. |
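Review bot: The added sentence under `tag::task-relationships` uses *SHOULD NOT*, which still permits task sequences expressed as relationship objects, so a consumer has to handle both forms. If the intent is a single representation, make it *MUST NOT*; otherwise state how a consumer treats a sequence that arrives as relationship objects. The sentence also reads more clearly with the subject first, e.g. "Sequences of tasks *SHOULD NOT* be shared using relationship objects." In the hunk header context, "*MUST* not contain cycles" splits the keyword; "*MUST NOT*" would match the styling of the added line.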
Just to be sure it was intended: it leaves the option open to use the relationships type, as a SHOULD is specified.
During the last call, we need to check if the extension best practices allow enforcing a direction concerning relationships.
Maybe an additional minor point, concerning Update: Following the latest call, the description for
…d per oasis-open#33 (comment). Added several detection methods to the open vocabulary.
…n favor of 'confirmed' due to changes in incident usage with the introduction of Events. Create a new ransomware example. Added new values within open vocabs and other editorial corrections.
…adding relationships between reports and incidents in some examples to make it clear this explicit linkage can help tools understand the primary subject of an incident report.
Thank you for this incredible work, @dc3-tsd
Reworking the Core Incident Extension 1.0 into several separate extensions and documenting all of these using adoc. This branch is expected to undergo changes based on reviews and feedback by the TC as well as interested contributors and reviewers on GitHub. Many of the examples are currently incorrect and do not match the JSON schemas as these components continue to be reworked.