Making Security Measurable › CybOX Discussion List Archive

[cti-users] Need Examples of stix components

Classic

List

Threaded

4 messages Options

sri devi

[cti-users] Need Examples of stix components

Hi,

Need examples with clarity to the below component attributes.

Indicator:
----------
Attributes:
----------
Composite_indicator_Expression
Kill_Chain_Phases
Handling
Related_Indicators
Related_compaigns
Related_pckages

Need clarity of above attributes of Indicator with Examples.

Incident
--------
Attributes
----------
Investigation
Exercise/Network Defence testing
ordinality
Structuring_format
Attributed_Thread_Actors
Intended_Effect
Related_incidents

Need clarity of above attributes of Incident with Examples.

Observable
-----------
Attributes
-----------
Keywords
Observable_Composition
Pattern_Fidelity

Need clarity of above attributes of Observable with Examples.

TTP
----
Attributes
-----------

Handling
Kill_Chains
Kill_Chain_Phases
Exploit_Targets

Need clarity of above attributes of TTP with Examples.

Exploit_Targets
----------------
Attributes
-----------
Handling
Related_exploit_target
Configuration
Potential_COAs

Need clarity of above attributes of Exploit_Targets with Examples.

Course_Of_Action
----------------
Attributes
----------
Related_COAs
Efficacy

Need clarity of above attributes of Course_Of_Action with Examples.

Campaign
---------
Attributes
-----------
Intended_Effect
Related_Indicators
Related_incidents
Attribution
Associated_Campaign
Handling

Need clarity of above attributes of Campaign with Examples.

Threat_Actor
-------------
attributes
----------
Identity
Motivation
Sophistication
Planning_And_Operational_support
Handling

Need clarity of above attributes of Threat_Actor with Examples.

--

thank you....

Mark Clancy

Re: [cti-users] Need Examples of stix components

So I don't have such an all in STIX document handy, but it seems like a really good idea to make one. This also goes to another need which is the 'usage' convention side of what does well crafted STIX actually look like for a sample. I would suggest this is a worthwhile effort for the group and we should include it with the documentation set.

I am hoping that the folks at MITRE already have such an all encompassing sample document.

-Mark

Mark Clancy

Chief Executive Officer

SOLTRA | An FS-ISAC and DTCC Company

+1.813.470.2400 office | +1.610.659.6671 US mobile | +44 7823 626 535 UK mobile

[hidden email] | soltra.com

One organization's incident becomes everyone's defense.

From: [hidden email] <[hidden email]> on behalf of sri devi <[hidden email]>
Sent: Wednesday, October 7, 2015 4:10 AM
To: [hidden email]
Subject: [cti-users] Need Examples of stix components

Hi,

Need examples with clarity to the below component attributes.

thank you....

Wunder, John A.

Re: [cti-users] Need Examples of stix components

In reply to this post by sri devi

I would take a look at the examples and concept documentation on the STIX website:

- http://stixproject.github.io/documentation/idioms/

- http://stixproject.github.io/documentation/concepts

We don’t yet have examples for everything, but when in doubt use the data model docs to at least get the documentation (search box in the top right, search for “Incident”).

John

On Oct 7, 2015, at 4:10 AM, sri devi <[hidden email]> wrote:

Hi,

Need examples with clarity to the below component attributes.

Indicator:
----------
Attributes:
----------
Composite_indicator_Expression
Kill_Chain_Phases
Handling
Related_Indicators
Related_compaigns
Related_pckages

Need clarity of above attributes of Indicator with Examples.

Incident
--------
Attributes
----------
Investigation
Exercise/Network Defence testing
ordinality
Structuring_format
Attributed_Thread_Actors
Intended_Effect
Related_incidents

Need clarity of above attributes of Incident with Examples.

Observable
-----------
Attributes
-----------
Keywords
Observable_Composition
Pattern_Fidelity

Need clarity of above attributes of Observable with Examples.

TTP
----
Attributes
-----------

Handling
Kill_Chains
Kill_Chain_Phases
Exploit_Targets

Need clarity of above attributes of TTP with Examples.

Exploit_Targets
----------------
Attributes
-----------
Handling
Related_exploit_target
Configuration
Potential_COAs

Need clarity of above attributes of Exploit_Targets with Examples.

Course_Of_Action
----------------
Attributes
----------
Related_COAs
Efficacy

Need clarity of above attributes of Course_Of_Action with Examples.

Campaign
---------
Attributes
-----------
Intended_Effect
Related_Indicators
Related_incidents
Attribution
Associated_Campaign
Handling

Need clarity of above attributes of Campaign with Examples.

Threat_Actor
-------------
attributes
----------
Identity
Motivation
Sophistication
Planning_And_Operational_support
Handling

Need clarity of above attributes of Threat_Actor with Examples.

--

thank you....

John Anderson

Re: [cti-users] Need Examples of stix components

+1 for expanding the Idioms document.

STIX/CybOX are extremely flexible. This means that sometimes the same high-level concept can be expressed in multiple ways. I'm looking for pragmatic "best practices" for expressing common high-level concepts (for which "idiom" is truly a perfect word).

This would be very valuable to newcomers to CTI (like myself).

Thanks,

JSA

From: [hidden email] <[hidden email]> on behalf of Wunder, John A. <[hidden email]>
Sent: Wednesday, October 7, 2015 9:53 AM
To: sri devi
Cc: [hidden email]
Subject: Re: [cti-users] Need Examples of stix components

I would take a look at the examples and concept documentation on the STIX website:

- http://stixproject.github.io/documentation/idioms/

- http://stixproject.github.io/documentation/concepts

We don’t yet have examples for everything, but when in doubt use the data model docs to at least get the documentation (search box in the top right, search for “Incident”).

John

On Oct 7, 2015, at 4:10 AM, sri devi <[hidden email]> wrote:

Hi,

Need examples with clarity to the below component attributes.

Indicator:
----------
Attributes:
----------
Composite_indicator_Expression
Kill_Chain_Phases
Handling
Related_Indicators
Related_compaigns
Related_pckages

Need clarity of above attributes of Indicator with Examples.

Incident
--------
Attributes
----------
Investigation
Exercise/Network Defence testing
ordinality
Structuring_format
Attributed_Thread_Actors
Intended_Effect
Related_incidents

Need clarity of above attributes of Incident with Examples.

Observable
-----------
Attributes
-----------
Keywords
Observable_Composition
Pattern_Fidelity

Need clarity of above attributes of Observable with Examples.

TTP
----
Attributes
-----------

Handling
Kill_Chains
Kill_Chain_Phases
Exploit_Targets

Need clarity of above attributes of TTP with Examples.

Exploit_Targets
----------------
Attributes
-----------
Handling
Related_exploit_target
Configuration
Potential_COAs

Need clarity of above attributes of Exploit_Targets with Examples.

Course_Of_Action
----------------
Attributes
----------
Related_COAs
Efficacy

Need clarity of above attributes of Course_Of_Action with Examples.

Campaign
---------
Attributes
-----------
Intended_Effect
Related_Indicators
Related_incidents
Attribution
Associated_Campaign
Handling

Need clarity of above attributes of Campaign with Examples.

Threat_Actor
-------------
attributes
----------
Identity
Motivation
Sophistication
Planning_And_Operational_support
Handling

Need clarity of above attributes of Threat_Actor with Examples.

--

thank you....