incident.cljc
(ns ctim.schemas.incident
(:require [ctim.schemas.common :as c]
[ctim.schemas.relationship :as rel]
[ctim.schemas.vocabularies :as v]
#?(:clj [flanders.core :as f :refer [def-entity-type def-map-type def-eq]]
:cljs [flanders.core :as f :refer-macros [def-entity-type def-map-type def-eq]])
#?(:clj [clojure.test.check.generators :as gen])))
;; Timestamps describing an Incident's lifecycle. Only :opened is required;
;; every other timestamp is optional. All values use the shared c/Time schema.
(def-map-type IncidentTime
  (concat
   (f/required-entries
    (f/entry :opened c/Time
             :description "Time the incident was first opened."))
   (f/optional-entries
    (f/entry :discovered c/Time
             :description "Time the incident was first discovered.")
    (f/entry :reported c/Time
             :description "Time the incident was first reported.")
    (f/entry :remediated c/Time
             :description "Time that the remediation of the damage from the incident was completed.")
    (f/entry :closed c/Time
             :description "Time that the incident was last closed.")
    (f/entry :rejected c/Time
             :description "Time that the incident was first rejected."))))
;; Value carried in the :type entry of Incident entities; also the argument
;; used to build IncidentRef at the bottom of this file.
(def type-identifier "incident")

;; Equality schema: accepts exactly the type-identifier string and nothing else.
(def-eq IncidentTypeIdentifier type-identifier)
;; Markdown description attached to the Incident entity type (see
;; {:description incident-desc} on def-entity-type Incident below).
;; The literal is kept as-is: its line breaks are part of the rendered text.
(def incident-desc
"Information about computer security incident response. A computer security
incident is a violation or imminent threat of violation of computer
security policies, acceptable use policies, or standard security practices.
Incidents pertain to one or more *adverse events*, each of which is modeled
as a [sighting](sighting.md).")
;; Markdown link to the reference document for this entity type. Built from
;; the link text and the URL separately; the resulting string is identical to
;; writing the whole link as one literal.
(def incident-desc-link
  (str "[NIST Computer Security Incident Handling Guide]"
       "(https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf)"))
;; The score kinds known to this schema. ScoreType below is declared over this
;; set with :open? true, so it is a seed list rather than an exhaustive one.
(def sample-score-types
  (hash-set :ttp :global :asset))
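(defn valid-score?
  "Predicate used as the :spec of `Score`: true when `score` is a number that
  is greater than or equal to zero.

  Returns false for negative numbers and for NaN (NaN fails the `<=`
  comparison). Non-numeric input (nil, strings, ...) now also yields false:
  the bare `(<= 0 score)` form threw on the JVM and, under ClojureScript's
  JS comparison semantics, could accept nil or a numeric-looking string, so
  the explicit `number?` guard makes the predicate total and consistent on
  both platforms. Positive infinity still satisfies the check."
  [score]
  (and (number? score)
       (<= 0 score)))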
;; Key schema for IncidentScores: an enum seeded with sample-score-types and
;; flagged :open? true.
(def ScoreType
  (-> sample-score-types
      (f/enum :open? true)))
;; A non-negative number. valid-score? rejects negatives and NaN (NaN fails
;; `<=`) but still admits +Infinity, which the generator below never produces
;; (:infinite? false) — so there is a value the spec accepts that generated
;; data cannot reach; confirm whether infinite scores are intended.
;; The generator is attached only on the JVM because test.check is required
;; under :clj alone in the ns form.
(def Score
  (f/num
   :description "a non-negative score number"
   :spec valid-score?
   #?@(:clj [:gen (gen/double* {:min 0 :NaN? false :infinite? false})])))
;; Map keyed by a score kind (ScoreType, open enum) with a non-negative Score
;; as value. The entry is optional, so no particular key is required.
(def-map-type IncidentScores
  (f/optional-entries
   (f/entry ScoreType Score
            :description "A map of scores.")))
;; The Incident entity. Its entries are the shared base/describable/sourcable
;; entry groups from ctim.schemas.common, plus the required and optional
;; entries listed here. :confidence, :status and :incident_time are mandatory;
;; everything under optional-entries may be omitted.
(def-entity-type Incident
  {:description incident-desc}
  c/base-entity-entries
  c/describable-entity-entries
  c/sourcable-object-entries
  (f/required-entries
   ;; :type is pinned to the literal "incident" via IncidentTypeIdentifier.
   (f/entry :type IncidentTypeIdentifier)
   (f/entry :confidence v/HighMedLow
            :description (str "level of confidence held in the characterization "
                              "of this Incident"))
   (f/entry :status v/Status
            :description "current status of the incident")
   (f/entry :incident_time IncidentTime
            :comment "Was 'time'; renamed for clarity"
            :description "relevant time values associated with this Incident"))
  (f/optional-entries
   (f/entry :scores IncidentScores
            :description "the scores associated to the incident")
   ;; :categories, :discovery_method, :intended_effect, :promotion_method and
   ;; :severity are constrained by vocabularies from ctim.schemas.vocabularies.
   (f/entry :categories [v/IncidentCategory]
            :description "a set of categories for this incident")
   (f/entry :discovery_method v/DiscoveryMethod
            :description "identifies how the incident was discovered")
   (f/entry :intended_effect v/IntendedEffect
            :description "specifies the suspected intended effect of this incident")
   (f/entry :assignees [c/ShortString]
            :description "a set of owners assigned to this incident")
   (f/entry :promotion_method v/PromotionMethod
            :description "identifies how the incident was promoted")
   (f/entry :severity v/Severity
            :description "specifies the severity level of an Incident")
   ;; :tactics and :techniques are lists of free-form c/ShortString ids, not
   ;; vocabulary values: nothing here checks that they are well-formed
   ;; MITRE ids, so consumers should treat them as untrusted text.
   (f/entry :tactics [c/ShortString]
            :description "specifies the list of tactic ids (ex: mitre tactic id) of an Incident")
   (f/entry :techniques [c/ShortString]
            :description "specifies the list of technique ids (ex: mitre technique id) of an Incident")))
;; Submission payload for creating an Incident. Reuses Incident's entries,
;; adds the shared new-entity entries, and re-declares :type as optional
;; (presumably overriding the required :type inherited from Incident — confirm
;; flanders' merge order for duplicate keys).
(def-entity-type NewIncident
  "For submitting a new Incident"
  (:entries Incident)
  c/base-new-entity-entries
  (f/optional-entries
   (f/entry :type IncidentTypeIdentifier)))
;; Reference schema for pointing at an Incident, derived from the same
;; type-identifier string used for the :type entry.
(def IncidentRef
  (-> type-identifier
      c/ref-for-type))