Hi,

Indicator
----------
Attributes:
----------
Composite_Indicator_Expression
Kill_Chain_Phases
Handling
Related_Indicators
Related_Campaigns
Related_Packages
Need clarity of above attributes of Indicator with Examples.

Incident
--------
Attributes
----------
Investigation
Exercise/Network Defence testing
ordinality
Structuring_format
Attributed_Threat_Actors
Intended_Effect
Related_Incidents
Need clarity of above attributes of Incident with Examples.

Observable
-----------
Attributes
-----------
Keywords
Observable_Composition
Pattern_Fidelity
Need clarity of above attributes of Observable with Examples.

TTP
----
Attributes
-----------
Handling
Kill_Chains
Kill_Chain_Phases
Exploit_Targets
Need clarity of above attributes of TTP with Examples.

Exploit_Targets
----------------
Attributes
-----------
Handling
Related_Exploit_Target
Configuration
Potential_COAs
Need clarity of above attributes of Exploit_Targets with Examples.

Course_Of_Action
----------------
Attributes
----------
Related_COAs
Efficacy
Need clarity of above attributes of Course_Of_Action with Examples.

Campaign
---------
Attributes
-----------
Intended_Effect
Related_Indicators
Related_Incidents
Attribution
Associated_Campaign
Handling
Need clarity of above attributes of Campaign with Examples.

Threat_Actor
-------------
Attributes
----------
Identity
Motivation
Sophistication
Planning_And_Operational_Support
Handling
Need clarity of above attributes of Threat_Actor with Examples.

--
thank you....
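A constructed STIX 1.2 Indicator that populates the six Indicator attributes asked about above, added here as an illustration (it is not from the original thread or from the STIX documentation); every id, the kill-chain and phase ids, and the example namespace are placeholders, and the composite expression, related indicator, campaign and package are assumed to be defined elsewhere.

```xml
<stix:STIX_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:marking="http://data-marking.mitre.org/Marking-1"
    xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1"
    xmlns:example="http://example.com/"
    id="example:package-0001" version="1.2">
  <stix:Indicators>
    <!-- Composite_Indicator_Expression: this indicator matches only when BOTH referenced indicators match -->
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-0001"
        timestamp="2015-10-07T00:00:00Z">
      <indicator:Title>C2 beacon: watchlisted IP AND known URI path (constructed example)</indicator:Title>
      <indicator:Composite_Indicator_Expression operator="AND">
        <indicator:Indicator idref="example:indicator-0002"/> <!-- placeholder: IP watchlist indicator -->
        <indicator:Indicator idref="example:indicator-0003"/> <!-- placeholder: URL pattern indicator -->
      </indicator:Composite_Indicator_Expression>
      <!-- Kill_Chain_Phases: reference to a phase of a kill chain defined elsewhere (ids are placeholders) -->
      <indicator:Kill_Chain_Phases>
        <stixCommon:Kill_Chain_Phase phase_id="example:killchainphase-c2" name="Command and Control"
            ordinality="6" kill_chain_id="example:killchain-lm" kill_chain_name="LM Cyber Kill Chain"/>
      </indicator:Kill_Chain_Phases>
      <!-- Handling: a TLP marking whose XPath covers this Indicator, its descendants and their attributes -->
      <indicator:Handling>
        <marking:Marking>
          <marking:Controlled_Structure>../../../descendant-or-self::node() | ../../../descendant-or-self::node()/@*</marking:Controlled_Structure>
          <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="AMBER"/>
        </marking:Marking>
      </indicator:Handling>
      <!-- Related_Indicators: a typed relationship to another indicator -->
      <indicator:Related_Indicators>
        <indicator:Related_Indicator>
          <stixCommon:Relationship>Equivalent</stixCommon:Relationship>
          <stixCommon:Indicator idref="example:indicator-0004"/>
        </indicator:Related_Indicator>
      </indicator:Related_Indicators>
      <!-- Related_Campaigns: the campaign this indicator is associated with -->
      <indicator:Related_Campaigns>
        <indicator:Related_Campaign>
          <stixCommon:Campaign idref="example:campaign-0001"/>
        </indicator:Related_Campaign>
      </indicator:Related_Campaigns>
      <!-- Related_Packages: another STIX_Package that carries related content -->
      <indicator:Related_Packages>
        <stixCommon:Package_Reference idref="example:package-0002"/>
      </indicator:Related_Packages>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
```

Because the consuming tool must resolve every idref, the referenced indicators, campaign and package need to be present in this package or one already held by the recipient.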
So I don't have such an all in STIX document handy, but it seems like a really good idea to make one. This also goes to another need which is the 'usage' convention side of what does well crafted STIX actually look like for a sample. I would suggest this is a worthwhile effort for the group and we should include it with the documentation set.
I am hoping that the folks at MITRE already have such an all encompassing sample document.
-Mark
Mark Clancy
Chief Executive Officer
SOLTRA | An FS-ISAC and DTCC Company
+1.813.470.2400 office | +1.610.659.6671 US mobile | +44 7823 626 535 UK mobile
[hidden email] | soltra.com
One organization's incident becomes everyone's defense.
From: [hidden email] <[hidden email]> on behalf of sri devi <[hidden email]>
Sent: Wednesday, October 7, 2015 4:10 AM
To: [hidden email]
Subject: [cti-users] Need Examples of stix components
In reply to this post by sri devi
I would take a look at the examples and concept documentation on the STIX website:
We don’t yet have examples for everything, but when in doubt use the data model docs to at least get the documentation (search box in the top right, search for “Incident”).
John
+1 for expanding the Idioms document.
STIX/CybOX are extremely flexible. This means that sometimes the same high-level concept can be expressed in multiple ways. I'm looking for pragmatic "best practices" for expressing common high-level concepts (for which "idiom" is truly a perfect word).
This would be very valuable to newcomers to CTI (like myself).
Thanks,
JSA

From: [hidden email] <[hidden email]> on behalf of Wunder, John A. <[hidden email]>
Sent: Wednesday, October 7, 2015 9:53 AM
To: sri devi
Cc: [hidden email]
Subject: Re: [cti-users] Need Examples of stix components