Incident Extension Rework #33
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 11 commits
April 10, 2023 19:34
…ng a 2.0 draft that includes all three in separate extensions. Began rework on JSON schema and examples, but most examples are not updated.
…lock. Moved references incidents, impacts and activities to the incident and made a new activity sequence type to track this.
…ent examples are still pending update
…emplate_refs from tasks. Added superseded and sequence options for impacts. Reworked incident_indicators example to use the new format and to add a wrapper report.
… into the new format with a sample of a playbook execution.
…he entire suite. Moved related extensions under the same folder. Added conversion time for monetary impact. Reworked how event / task sequences work and began updating examples.
…elated objects. Removed pattern_refs from event objects in favor of these being connected through sighting_refs. All type references are now links within the adoc file.
…ter the most recent update
…hains. Reworked all previous examples for the new schema. Updated the contributors list to reflect participation in the CTI-TC working group.
adulau
reviewed
Jun 19, 2023
| @@ -891,6 +896,10 @@ This list *MUST* not contain cycles. | |||
|
|
|||
| // tag::task-relationships[] | |||
|
|
|||
| When creating sequences of [stixtype]#<<task,tasks>># these *SHOULD NOT* be shared using relationship objects. | |||
There was a problem hiding this comment.
Just to be sure it was intended, it leaves the option open to use relationships type as a SHOULD specified.
There was a problem hiding this comment.
During the last call, we need to check if the extension best practices allow to enforce a direction concerning relationships.
|
Maybe an additional minor point, concerning Update: Following the latest call, the description for |
added 5 commits
June 22, 2023 17:18
…d per oasis-open#33 (comment). Added several detection methods to the open vocabulary.
…n favor of 'confirmed' due to changes in incident usage with the introduction of Events. Create a new ransomware example. Added new values within open vocabs and other editorial corrections.
…adding relationships between reports and incidents in some examples to make it clear this explicit linkage can help tools understanding the primary subject of an incident report.
|
Thank you for this incredible work, @dc3-tsd |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reworking the Core Incident Extension 1.0 into several separate extensions and documenting all of these using adoc. This branch is expected to undergo changes based on reviews and feedback by the TC as well as interested contributors and reviewers on GitHub. Many of the examples are currently incorrect and do not match the JSON schemas as these components continue to be reworked.