From 71b3171d93bf6889e6b60d8a29c9b174fdf1d693 Mon Sep 17 00:00:00 2001
From: Rich Piazza
Date: Fri, 21 Jun 2024 13:47:45 -0400
Subject: [PATCH 01/23] added Sequence section
---
 .../Incident Extension Suite.adoc | 99 +++++++++++++++++++
 1 file changed, 99 insertions(+)
diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
index 5cea1478faf..09686fb6bdf 100644
--- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
+++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
@@ -1171,7 +1171,106 @@ include::examples/example_2.4.json[] ---- <<< +<<< +[[sequence]] +=== 2.5. Sequence +The Python class name is [stixliteral]#Sequence#. + +[width="100%",cols="100%",stripes=odd] +|=== +^|[stixtr]*Required Common Properties* +|*created*, +*id*, +*modified*, +*spec_version*, +*type* + +^|[stixtr]*Optional Common Properties* + +|*created_by_ref*, +*revoked*, +*labels*, +*confidence*, +*lang*, +*external_references*, +*object_marking_refs*, +*granular_markings*, +*extensions* + +^|[stixtr]*Not Applicable Common Properties* + +|*defanged* + +^|[stixtr]*Sequence Object Specific Properties* + +|*sequenced_object*, +*sequence_type*, +*step_type*, +*on_completion*, +*on_success*, +*on_failure*, +*next_steps* +|=== + +|=== +^|[stixtr]*Property Name* ^|[stixtr]*Type* ^|[stixtr]*Description* + +|*type* (required) +|[stixtype]#{string_url}[string]# +|The value of this property *MUST* be set to [stixliteral]#sequence#. +|*step_type* (required) +|[stixtype]#<># +|The type of step, *MUST* be one of [stixliteral]#(start_step, end_step, single_step, parallel_step)# + +|*sequence_type* (required) +|[stixtype]#{string_url}[string]# +|The type of sequence, *MUST* be [stixliteral]#(event or task)# + +|*sequenced_object* (optional) +|[stixtype]#{identifier_url}[identifier]# +|The SDO that is part of the sequence, *MUST* be of type [stixtype]#event# or [stixtype]#task#. 
+ +|*on_completion* (optional) +|[stixtype]#{identifier_url}[identifier]# +|The [stixtype]#sequence# object to follow, *MUST* be of type [stixtype]#sequence# + + +|*on_success* (optional) +|[stixtype]#{identifier_url}[identifier]# +|The [stixtype]#sequence# object to follow, *MUST* be of type [stixtype]#sequence# + + +|*on_failure* (optional) +|[stixtype]#{identifier_url}[identifier]# +|The [stixtype]#sequence# object to follow, *MUST* be of type [stixtype]#sequence# + + +|*next_steps* (optional) +|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# +|The [stixtype]#sequence# objects to follow, *MUST* be of type [stixtype]#sequence# + + +|=== + + + +==== 2.5.1 Sequence Extension Definition +The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c79-1961-43db-afde-637066a87a64# as its extension ID. The Python class name is [stixliteral]#SequenceExt#. + +[width="100%",cols="37%,23%,40%",options="header",] +|=== +^|[stixtr]*Property Name* +^|[stixtr]*Type* +^|[stixtr]*Description* + +|*extension_type* (required) +|[stixtype]#{string_url}[string]# +|The value of this property *MUST* be [stixliteral]#new-sdo# + +|=== + +<<< == 3. Additional Sub-Objects Types <<< From 9b98a16f046c5e592ebcd7914b60eead70fcf158 Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Fri, 21 Jun 2024 14:42:55 -0400 Subject: [PATCH 02/23] remove event_entry, task_entry, etc --- .../Incident Extension Suite.adoc | 196 ++---------------- 1 file changed, 19 insertions(+), 177 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index 09686fb6bdf..24d4d9ebb23 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc 
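Review bot: The four follow-on properties `on_completion`, `on_success`, `on_failure` and `next_steps` in the new Sequence property table carry the same description, so the table never states which reference is followed on success versus failure, nor how `next_steps` relates to the three singular `on_*` properties; each row should name its trigger, e.g. `|The [stixtype]#sequence# object to follow when the sequenced object completes successfully. It *MUST* reference a [stixtype]#sequence# object.`. `sequence_type` is typed as a plain string with its permitted values given only parenthetically as `(event or task)`; writing them as `*MUST* be one of [stixliteral]#event# or [stixliteral]#task#` (or defining an enumeration) gives a validator something to check. Unlike section 2.4, which ends with `include::examples/example_2.4.json[]`, the new section 2.5 has no Example subsection.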
@@ -138,9 +138,10 @@ If present, this value *MUST* be an integer between 0 and 100. This can be trans These values *SHOULD* be selected from the [stixtype]#<># open vocabulary. -|*events* (optional) -|[stixtype]#{list_url}[list]# of type [stixtype]#<># -|A list of events (as a list of [stixtype]#<>#) tied to this incident. +|*event_refs* (optional) +|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# +|A list of events tied to this incident. +It *MUST* contain references to one or more Event objects. |*impact_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# @@ -173,9 +174,21 @@ enumeration. |[stixtype]#{list_url}[list]# of type [stixtype]#<># |A list of scores from various automated or manual mechanisms along with optional descriptions. -|*tasks* (optional) -|[stixtype]#{list_url}[list]# of type [stixtype]#<># -|A list of tasks (as a list of [stixtype]#<>#) tied to this incident. +|*sequence_refs* (optional) +|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# +|A list of Sequence Start objects tied to this incident. +It *MUST* contain references only to Sequence objects. + +|*sequence_start_refs* (optional) +|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# +|A list of ence objects tied to this incident. +It *MUST* contain references only to Sequence objects, where the step_type property is set to [stixliteral]#start_step#. + +|*task_refs* (optional) +|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# +|A list of tasks tied to this incident. +It *MUST* contain references to one or more Task objects. + |=== 
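Review bot: The relationship between `sequence_refs` and `sequence_start_refs` on Incident is left unspecified in the @@ -173 hunk: nothing says whether every identifier in `sequence_start_refs` must also appear in `sequence_refs`, or whether every Sequence reachable from a start must be listed, so a validator cannot check that an embedded sequence is complete. A sentence such as `Every identifier in *sequence_start_refs* *MUST* also be present in *sequence_refs*.` on the `sequence_start_refs` row would close that gap. The deletion hunks later in this patch remove the `include::examples/example_3.2.json[]`, `example_3.3.json`, `example_3.6.json` and `example_3.7.json` includes while the diffstat lists only the .adoc file, so those example files, if they exist in the repository, are left orphaned.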
@@ -1316,91 +1329,6 @@ _0 individuals_ <<< -[[event-sequence-entry]] -=== 3.2. Event Sequence Object Type - -Event sequence entries store references to subsequent steps for an event entry. -As these are always stored in an list of steps within an array of list entries, validation rules for *event_ref* *MUST* be performed against the entire array of event entries. - - -*Type Name:* [stixtype]#event-sequence-entry# - -[width="100%",cols="37%,23%,40%",options="header",] -|=== -^|[stixtr]*Property Name* -^|[stixtr]*Type* -^|[stixtr]*Description* - -|*event_ref* (required) -|[stixtype]#{identifier_url}[identifier]# -|The identifier of the event that is described by this entry. - -This reference *MUST* be included as an *event_ref* within the parent array of [stixtype]#<># objects. - -|*condition_type* (required) -|[stixtype]#<># -|If the referenced step required the current one to be successful. -If it is optional, or if it is unknown. - -The values of this property *MUST* come from the [stixtype]#<># enumeration. - -|*transition_type* (required) -|[stixtype]#<># -|What state the referenced step depends on. -If it is performed upon success, failure, simple completion, or if it is unknown. - -The values of this property *MUST* come from the [stixtype]#<># enumeration. - -|=== - -==== 3.2.1. Example - -[source,json] ----- -include::examples/example_3.3.json[] ----- - -<<< - -[[event-entry]] -=== 3.3. Event Entry Object Type - -*Type Name:* [stixtype]#event-entry# - -[width="100%",cols="37%,23%,40%",options="header",] -|=== -^|[stixtr]*Property Name* -^|[stixtr]*Type* -^|[stixtr]*Description* - -|*event_ref* (required) -|[stixtype]#{identifier_url}[identifier]# -|The event that is described by this entry. -This *MUST* reference an [stixtype]#<># object. - -|*next_steps* (optional) -|[stixtype]#{list_url}[list]# of type [stixtype]#<># -|A list of event sequences that describes the current event flows into the next one. 
- -|*sequence_start* (optional) -|[stixtype]#{boolean_url}[boolean]# -|If this is a start of a sequence chain. - -All sequences of events *MUST* begin with at least one entry where *sequence_start* is set to [stixliteral]#true#. -If a cycle exists with multiple entries with *sequence_start* set to [stixliteral]#true# then all of these are equally valid start points. - -Default value is [stixliteral]#true#. - -|=== - -==== 3.3.1. Example - -[source,json] ----- -include::examples/example_3.2.json[] ----- - - [[incident-score]] === 3.4. Incident Score Object Type 
@@ -1486,92 +1414,6 @@ If the *initial_ref* property is populated this *MUST* reference the same type o include::examples/example_3.5.json[] ---- -<<< - -[[task-sequence-entry]] -=== 3.6. Task Sequence Object Type - -Task sequence entries store references to subsequent steps for a task entry. -As these are always stored in an list of steps within an list of task entries, validation rules for *task_ref* *MUST* be performed against the entire list of task entries. - -*Type Name:* [stixtype]#task-sequence-entry# - -[width="100%",cols="37%,23%,40%",options="header",] -|=== -^|[stixtr]*Property Name* -^|[stixtr]*Type* -^|[stixtr]*Description* - -|*condition_type* (required) -|[stixtype]#<># -|If the referenced step required the current one to be successful. -If it is optional, or if it is unknown. - -The values of this property *MUST* come from the [stixtype]#<># enumeration. - -|*task_ref* (required) -|[stixtype]#{identifier_url}[identifier]# -|The identity of the event that is described by this entry. - -This reference *MUST* be included as an *task_ref* within the parent array of [stixtype]#<># objects. - -|*transition_type* (required) -|[stixtype]#<># -|What state the referenced step depends on. -If it is performed upon success, failure, simple completion, or if it is unknown. - -The values of this property *MUST* come from the [stixtype]#<># enumeration. - -|=== - -==== 3.6.1. Example - -[source,json] ----- -include::examples/example_3.7.json[] ----- -<<< - - -[[task-entry]] -=== 3.7. Task Entry Object Type - -*Type Name:* [stixtype]#task-entry# - -[width="100%",cols="37%,23%,40%",options="header",] -|=== -^|[stixtr]*Property Name* -^|[stixtr]*Type* -^|[stixtr]*Description* - -|*task_ref* (required) -|[stixtype]#{identifier_url}[identifier]# -|The identifier of the task that is described by this entry. -This *MUST* reference a [stixtype]#<>#. 
- -|*next_steps* (optional) -|[stixtype]#{list_url}[list]# of type [stixtype]#<># -|A list of task sequences that describes the current task flows into the next one. - -|*sequence_start* (optional) -|[stixtype]#{boolean_url}[boolean]# -|If this is a start of a sequence chain. - -All sequences of tasks *MUST* begin with at least one entry where *sequence_start* is set to [stixliteral]#true#. -If a cycle exists with multiple entries with *sequence_start* set to [stixliteral]#true# then all of these are equally valid start points. - -Default value is [stixliteral]#true#. - -|=== - -==== 3.7.1. Example - -[source,json] ----- -include::examples/example_3.6.json[] ----- - - == 4. Vocabularies [[asset-type-ov]] From 52f3307f71671d0436a7426f9a65415379de03f6 Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Fri, 21 Jun 2024 14:53:55 -0400 Subject: [PATCH 03/23] fixed sequence properties in Incident --- .../incident-ef7/Incident Extension Suite.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index 24d4d9ebb23..93386731e7a 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc 
@@ -176,13 +176,13 @@ enumeration. |*sequence_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|A list of Sequence Start objects tied to this incident. +|A list of sequence objects tied to this Incident. It *MUST* contain references only to Sequence objects. |*sequence_start_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|A list of ence objects tied to this incident. -It *MUST* contain references only to Sequence objects, where the step_type property is set to [stixliteral]#start_step#. +|A list of sequence start objects tied to this incident. +It *MUST* contain references only to Sequence objects where the *step_type* property is [stixliteral]#start_step#. |*task_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# From da8e9d69276ecf5985f6df309a587bb537f686cd Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Mon, 24 Jun 2024 09:54:13 -0400 Subject: [PATCH 04/23] fixed fonts --- .../incident-ef7/Incident Extension Suite.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index 93386731e7a..d118dc6cb9d 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc @@ -141,7 +141,7 @@ These values *SHOULD* be selected from the [stixtype]#<># objects. |*impact_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# 
@@ -177,17 +177,17 @@ enumeration. |*sequence_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# |A list of sequence objects tied to this Incident. -It *MUST* contain references only to Sequence objects. +It *MUST* contain references only to [stixtype]#<># objects. |*sequence_start_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# |A list of sequence start objects tied to this incident. -It *MUST* contain references only to Sequence objects where the *step_type* property is [stixliteral]#start_step#. +It *MUST* contain references only to [stixtype]#<># objects where the *step_type* property is [stixliteral]#start_step#. |*task_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# |A list of tasks tied to this incident. -It *MUST* contain references to one or more Task objects. +It *MUST* contain references to one or more [stixtype]#<># objects. |=== From fddf37d3d056d7b5a419867450e61c22cfd34294 Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Mon, 24 Jun 2024 10:32:39 -0400 Subject: [PATCH 05/23] replace sequence with step --- .../Incident Extension Suite.adoc | 108 +++++++++--------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index d118dc6cb9d..fbed66507ce 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc 
@@ -174,15 +174,15 @@ enumeration. |[stixtype]#{list_url}[list]# of type [stixtype]#<># |A list of scores from various automated or manual mechanisms along with optional descriptions. -|*sequence_refs* (optional) +|*step_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|A list of sequence objects tied to this Incident. -It *MUST* contain references only to [stixtype]#<># objects. +|A list of step objects tied to this Incident. +It *MUST* contain references only to [stixtype]#<># objects. -|*sequence_start_refs* (optional) +|*step_start_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|A list of sequence start objects tied to this incident. -It *MUST* contain references only to [stixtype]#<># objects where the *step_type* property is [stixliteral]#start_step#. +|A list of step start objects tied to this incident. +It *MUST* contain references only to [stixtype]#<># objects where the *step_type* property is [stixliteral]#start-step#. |*task_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# @@ -1185,9 +1185,23 @@ include::examples/example_2.4.json[] <<< <<< -[[sequence]] -=== 2.5. Sequence -The Python class name is [stixliteral]#Sequence#. +[[step]] +=== 2.5. Step +The Python class name is [stixliteral]#Step#. + +The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c79-1961-43db-afde-637066a87a64# as its extension ID. + +[width="100%",cols="37%,23%,40%",options="header",] +|=== +^|[stixtr]*Property Name* +^|[stixtr]*Type* +^|[stixtr]*Description* + +|*extension_type* (required) +|[stixtype]#{string_url}[string]# +|The value of this property *MUST* be [stixliteral]#new-sdo# + +|=== [width="100%",cols="100%",stripes=odd] |=== 
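Review bot: The `step_start_refs` description in the @@ -174 hunk changes the literal to `start-step` (hyphen), but the step-type-enum added by this same patch in the @@ -2485 hunk defines the values as `start_step`, `end_step`, `single_step` and `parallel_step` (underscore), so a validator comparing the literal string would never match a conforming object. Pick one spelling and use it in both places; if the enumeration is the normative definition, this row should read `[stixliteral]#start_step#`. The enum descriptions in the @@ -2485 hunk define each value only as "Equivalent to CACAO …", which is not self-contained for readers without the CACAO specification; a one-line functional description per value (what the step does and whether it carries a sequenced object) would stand on its own.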
@@ -1214,15 +1228,11 @@ The Python class name is [stixliteral]#Sequence#. |*defanged* -^|[stixtr]*Sequence Object Specific Properties* +^|[stixtr]*Step Object Specific Properties* -|*sequenced_object*, -*sequence_type*, +|*step_object_ref*, *step_type*, -*on_completion*, -*on_success*, -*on_failure*, -*next_steps* +*next_step_refs* |=== |=== 
@@ -1230,58 +1240,26 @@ The Python class name is [stixliteral]#Sequence#. |*type* (required) |[stixtype]#{string_url}[string]# -|The value of this property *MUST* be set to [stixliteral]#sequence#. +|The value of this property *MUST* be set to [stixliteral]#step#. |*step_type* (required) |[stixtype]#<># -|The type of step, *MUST* be one of [stixliteral]#(start_step, end_step, single_step, parallel_step)# - -|*sequence_type* (required) -|[stixtype]#{string_url}[string]# -|The type of sequence, *MUST* be [stixliteral]#(event or task)# - -|*sequenced_object* (optional) -|[stixtype]#{identifier_url}[identifier]# -|The SDO that is part of the sequence, *MUST* be of type [stixtype]#event# or [stixtype]#task#. - -|*on_completion* (optional) -|[stixtype]#{identifier_url}[identifier]# -|The [stixtype]#sequence# object to follow, *MUST* be of type [stixtype]#sequence# - - -|*on_success* (optional) -|[stixtype]#{identifier_url}[identifier]# -|The [stixtype]#sequence# object to follow, *MUST* be of type [stixtype]#sequence# - +|The type of step. -|*on_failure* (optional) +|*step_object_ref* (optional) |[stixtype]#{identifier_url}[identifier]# -|The [stixtype]#sequence# object to follow, *MUST* be of type [stixtype]#sequence# +|The SDO that this step is a part. It *MUST* be of type [stixtype]#event# or [stixtype]#task#. - -|*next_steps* (optional) +|*next_step_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|The [stixtype]#sequence# objects to follow, *MUST* be of type [stixtype]#sequence# +|The [stixtype]#step# objects to follow, *MUST* be of type [stixtype]#step# |=== -==== 2.5.1 Sequence Extension Definition -The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c79-1961-43db-afde-637066a87a64# as its extension ID. The Python class name is [stixliteral]#SequenceExt#. 
- -[width="100%",cols="37%,23%,40%",options="header",] -|=== -^|[stixtr]*Property Name* -^|[stixtr]*Type* -^|[stixtr]*Description* - -|*extension_type* (required) -|[stixtype]#{string_url}[string]# -|The value of this property *MUST* be [stixliteral]#new-sdo# -|=== <<< == 3. Additional Sub-Objects Types @@ -2485,6 +2463,28 @@ Hours and minutes should be understood to establish the timezone for the activit |Accountability can be ensured from the traces that are present. |=== +[[step-type-enum]] +=== 5.12. Step Type Enumeration +*Type Name:* [stixtype]#step-type-enum# + +[width="100%",cols="31%,69%",options="header",] +|=== +^|[stixtr]*Vocabulary Value* +^|[stixtr]*Description* +|[stixliteral]#start_step# +|Equivalent to CACAO start_step. It has no sequenced object connected to it + +|[stixliteral]#end_step# +|Equivalent to CACAO end_step. It has no sequenced object connected to it + +|[stixliteral]#single_step# +|Equivalent to CACAO single_step. It has a sequenced object connected to it + +|[stixliteral]#parallel_step# +|Equivalent to CACAO parallel_step. It has no sequenced object connected to it +|=== + + <<< == 6. Relationship Summary Table From 8ebbf1d817b32111a29cb36ba7e625c7bcdec73c Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Mon, 24 Jun 2024 10:45:22 -0400 Subject: [PATCH 06/23] fixed syntax errors --- .../Incident Extension Suite.adoc | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index fbed66507ce..f143dc3e94f 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc 
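Review bot: The rewritten `step_type` row in the @@ -1230 hunk now reads only `|The type of step.`; it drops the list of permitted values that the removed line carried and does not add the constraint this document uses for other enumerated properties, so it should say `|The type of step. The values of this property *MUST* come from the step-type-enum enumeration.` with the document's cross-reference markup. The `step_object_ref` description `|The SDO that this step is a part.` is missing its preposition and should read `|The SDO that this step is a part of.`. The new `next_step_refs` row replaces the removed `on_success`/`on_failure`/`on_completion` properties with a single unconditional list, so the earlier design's ability to express a success- or failure-dependent transition is gone; if that is intentional, a sentence in the section intro saying that transitions are unconditional would save readers from looking for it.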
@@ -404,9 +404,6 @@ This property *SHOULD* be populated. If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes. -|*subevents* (optional) -|[stixtype]#{list_url}[list]# of type [stixtype]#<># -|A list of sub-events (as a list of [stixtype]#<>#) related to this event. |=== <<< @@ -1065,10 +1062,6 @@ This property *SHOULD* be populated. This value *MUST* come from [stixtype]#<># enumeration. If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes. - -|*subtasks* (optional) -|[stixtype]#{list_url}[list]# of type [stixtype]#<># -|A list of subtasks related to this task. |=== <<< @@ -1248,11 +1241,11 @@ The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c7 |*step_object_ref* (optional) |[stixtype]#{identifier_url}[identifier]# -|The SDO that this step is a part. It *MUST* be of type [stixtype]#event# or [stixtype]#task#. +|The SDO that this step is a part. It *MUST* be of type [stixtype]#<># or [stixtype]#<>#. |*next_step_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|The [stixtype]#step# objects to follow, *MUST* be of type [stixtype]#step# +|The [stixtype]#step# objects to follow, *MUST* be of type [stixtype]#<># |=== @@ -1308,7 +1301,7 @@ _0 individuals_ <<< [[incident-score]] -=== 3.4. Incident Score Object Type +=== 3.2. Incident Score Object Type *Type Name:* [stixtype]#incident-score# [width="100%",cols="37%,23%,40%",options="header",] @@ -1333,7 +1326,7 @@ This is normally a system or process name or some combination of these such as " |=== <<< -==== 3.4.1. Example +==== 3.2.1. Example [source,json] ---- @@ -1341,7 +1334,7 @@ include::examples/example_3.4.json[] ---- [[state-change]] -=== 3.5. State Change Object Type +=== 3.3. State Change Object Type *Type Name:* [stixtype]#state-change# 
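Review bot: The @@ -404 and @@ -1065 hunks remove the `subevents` and `subtasks` rows from the Event and Task property tables, but the summary lists of optional properties for those objects are not touched in this commit; the `-*subevents*` and `-*subtasks*,` lines removed later in PATCH 09/23 show those names remained in the lists after this change, leaving summary and table disagreeing. Renumbering `3.4`/`3.5` to `3.2`/`3.3` in the later hunks leaves `include::examples/example_3.4.json[]` and `example_3.5.json` under sections now numbered 3.2 and 3.3; that renders fine but the file names no longer track section numbers. The @@ -1248 hunk fixes the type markup on `step_object_ref` yet keeps `The SDO that this step is a part.` without its closing preposition.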
@@ -1385,7 +1378,7 @@ For example, an event causing a network outage. If the *initial_ref* property is populated this *MUST* reference the same type of SDO. |=== -==== 3.5.1. Example +==== 3.3.1. Example [source,json] ---- From 769f50e7755f12d56f37ecda65334ac58b90114b Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Mon, 24 Jun 2024 10:57:35 -0400 Subject: [PATCH 07/23] additional typos --- .../incident-ef7/Incident Extension Suite.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index f143dc3e94f..c0bcb51331a 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc @@ -1180,7 +1180,7 @@ include::examples/example_2.4.json[] <<< [[step]] === 2.5. Step -The Python class name is [stixliteral]#Step#. +The Python class name is [stixliteral]#step#. The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c79-1961-43db-afde-637066a87a64# as its extension ID. @@ -1245,7 +1245,7 @@ The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c7 |*next_step_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|The [stixtype]#step# objects to follow, *MUST* be of type [stixtype]#<># +|The [stixtype]#step# objects to follow. They *MUST* be of type [stixtype]#<># |=== From 7a840681c5b78bfbd618bbd48902d23911f5d44e Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Tue, 25 Jun 2024 14:22:12 -0400 Subject: [PATCH 08/23] some fixes --- .../incident-ef7/Incident Extension Suite.adoc | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
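Review bot: The @@ -1180 hunk of PATCH 07/23 changes the Python class name from `Step` to `step`, which reads as a confusion with the STIX `type` value (`step`, set in the property table) rather than an intended class name; the Sequence section added in PATCH 01/23 used PascalCase `Sequence` and `SequenceExt`, so `The Python class name is [stixliteral]#Step#.` was consistent with that convention. If the lowercase identifier is intentional, the sentence should say what it names.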
diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index c0bcb51331a..ebd43e8f538 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc @@ -422,8 +422,8 @@ targeting this object type from another object type. Relationships are not restricted to those listed below. Relationships can be created between any objects using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names. -Sequences of [stixtype]#<># *SHOULD NOT* be shared using relationship objects. -Sequences *SHOULD* be shared within an [stixtype]#{incident_url}[incident]# or [stixtype]#<># using the *events* or *subevents* properties, respectively. +Steps of [stixtype]#<># *SHOULD NOT* be shared using relationship objects. +Steps *SHOULD* be shared within an [stixtype]#{incident_url}[incident]# or [stixtype]#<># using the *events* properties, respectively. Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally (avoiding potential confusion or misunderstandings when processing STIX data.) @@ -1180,7 +1180,7 @@ include::examples/example_2.4.json[] <<< [[step]] === 2.5. Step -The Python class name is [stixliteral]#step#. +Describe...is [stixliteral]#step#. The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c79-1961-43db-afde-637066a87a64# as its extension ID. 
@@ -1239,13 +1239,18 @@ The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c7 |[stixtype]#<># |The type of step. -|*step_object_ref* (optional) +|*step_object_ref* (required) |[stixtype]#{identifier_url}[identifier]# |The SDO that this step is a part. It *MUST* be of type [stixtype]#<># or [stixtype]#<>#. +|*description* (optional) +|[stixtype]#{string_url}[string]# +|A description of the step. + |*next_step_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# |The [stixtype]#step# objects to follow. They *MUST* be of type [stixtype]#<># +This property *MUST* be populated, unless the *step_type* is [stixliteral]#end-step#. |=== From 6b83c5b1a0c0aa50921a8febe03bcb1098f72f0c Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Tue, 25 Jun 2024 15:09:21 -0400 Subject: [PATCH 09/23] fix steps --- .../Incident Extension Suite.adoc | 84 ++++++++++++++----- 1 file changed, 61 insertions(+), 23 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index ebd43e8f538..cae0d7cf16c 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc 
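Review bot: Making `step_object_ref` required in this hunk contradicts the step-type-enum descriptions added in PATCH 05/23, which state that `start_step`, `end_step` and `parallel_step` have no sequenced object connected to them, so a start or end step cannot satisfy `(required)` with a reference of type event or task. Either keep the property optional and add `This property *MUST* be populated when *step_type* is [stixliteral]#single_step#.`, or revise the enumeration text. The new sentence on `next_step_refs` writes the literal as `end-step` while the enumeration defines `end_step`. The text also says nothing about cycles: with `next_step_refs` mandatory for every non-end step, a consumer walking the chain has no termination guarantee unless the document states that the step graph MUST be acyclic or that consumers must bound traversal; the Event Entry and Task Entry text removed in PATCH 02/23 did address cycles explicitly.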
@@ -174,16 +174,6 @@ enumeration. |[stixtype]#{list_url}[list]# of type [stixtype]#<># |A list of scores from various automated or manual mechanisms along with optional descriptions. -|*step_refs* (optional) -|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|A list of step objects tied to this Incident. -It *MUST* contain references only to [stixtype]#<># objects. - -|*step_start_refs* (optional) -|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|A list of step start objects tied to this incident. -It *MUST* contain references only to [stixtype]#<># objects where the *step_type* property is [stixliteral]#start-step#. - |*task_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# |A list of tasks tied to this incident. @@ -326,8 +316,9 @@ As a new SDO extension it must follow the requirements as described in section 7 *status*, *sighting_refs*, *start_time*, -*start_time_fidelity*, -*subevents* +*start_time_fidelity* +*step_refs*, +*step_start_refs* |=== |=== @@ -404,6 +395,16 @@ This property *SHOULD* be populated. If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes. +|*step_refs* (optional) +|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# +|A list of step objects tied to this event. +It *MUST* contain references only to [stixtype]#<># objects. + +|*step_start_refs* (optional) +|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# +|A list of step start objects tied to this event. +It *MUST* contain references only to [stixtype]#<># objects where the *step_type* property is [stixliteral]#start-step#. + |=== <<< @@ -983,7 +984,8 @@ As a new SDO extension it must follow the requirements as described in section 7 *priority*, *start_time*, *start_time_fidelity*, -*subtasks*, +*step_refs*, +*step_start_refs* *template_refs* |=== 
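Review bot: The @@ -326 hunk drops the trailing comma from the Event optional-property list (`-*start_time_fidelity*,` becomes `+*start_time_fidelity*`) while adding two entries after it, so the rendered list runs `start_time_fidelity step_refs, step_start_refs`; the line should stay `*start_time_fidelity*,`. The @@ -983 hunk has the same slip in the Task list, where `+*step_start_refs*` is followed by `*template_refs*` with no comma. The new `step_refs`/`step_start_refs` rows on Event in the @@ -404 hunk again leave the relationship between the two lists unstated; `Every identifier in *step_start_refs* *MUST* also be present in *step_refs*.` (if that is the intent) would let a validator check it.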
@@ -1062,6 +1064,16 @@ This property *SHOULD* be populated. This value *MUST* come from [stixtype]#<># enumeration. If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes. + +|*step_refs* (optional) +|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# +|A list of step objects tied to this task. +It *MUST* contain references only to [stixtype]#<># objects. + +|*step_start_refs* (optional) +|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# +|A list of step start objects tied to this tasks. +It *MUST* contain references only to [stixtype]#<># objects where the *step_type* property is [stixliteral]#start-step#. |=== <<< @@ -1180,7 +1192,9 @@ include::examples/example_2.4.json[] <<< [[step]] === 2.5. Step -Describe...is [stixliteral]#step#. + [stixliteral]#step#. + +A Step is an activity that is performed as part of an event or task. The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c79-1961-43db-afde-637066a87a64# as its extension ID. @@ -1223,9 +1237,14 @@ The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c7 ^|[stixtr]*Step Object Specific Properties* -|*step_object_ref*, -*step_type*, -*next_step_refs* +|*changed_objects*, +*description*, +*end_time*, +*end_time_fidelity*, +*next_step_refs*, +*start_time*, +*start_time_fidelity*, +*step_type* |=== |=== 
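Review bot: The @@ -1180 hunk replaces the placeholder `Describe...is [stixliteral]#step#.` with ` [stixliteral]#step#.`, leaving a sentence fragment with no subject at the top of section 2.5; it should be restored to a full sentence such as `The Python class name is [stixliteral]#Step#.`, followed by the new "A Step is an activity…" sentence. The @@ -1062 hunk's `step_start_refs` row for Task says `tied to this tasks`; PATCH 10/23 corrects it, but the matching Event row in the @@ -404 hunk should be checked for the same copy-paste. With `step_object_ref` removed from the Step-specific property list in the @@ -1223 hunk, a step no longer names the event or task it belongs to; a sentence in the section intro stating that a step belongs to the event or task whose `step_refs` lists it would make that design explicit.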
@@ -1239,25 +1258,44 @@ The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c7 |[stixtype]#<># |The type of step. -|*step_object_ref* (required) -|[stixtype]#{identifier_url}[identifier]# -|The SDO that this step is a part. It *MUST* be of type [stixtype]#<># or [stixtype]#<>#. +|*changed_objects* (optional) +|[stixtype]#{list_url}[list]# of type [stixtype]#<># +|A list of changes that this step has caused. +This is typically used to indicate how an step has affected impacts. |*description* (optional) |[stixtype]#{string_url}[string]# |A description of the step. +|*end_time* (optional) +|[stixtype]#{timestamp_url}[timestamp]# +|The date and time the task was last recorded. If this is not present it is assumed to be unknown. + +If *start_time* and *end_time* properties are both defined, then *end_time* value *MUST* be the same or later than the *start_time* value. + +|*end_time_fidelity* (optional) +|[stixtype]#<># +|The level of fidelity that the *end_time* fidelity is recorded in. + +This value *MUST* come from [stixtype]#<># enumeration. + |*next_step_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# |The [stixtype]#step# objects to follow. They *MUST* be of type [stixtype]#<># This property *MUST* be populated, unless the *step_type* is [stixliteral]#end-step#. +|*start_time* (optional) +|[stixtype]#{timestamp_url}[timestamp]# +|The date and time the task was first recorded. If this is not +present it is assumed to be unknown. -|=== - - +This property *SHOULD* be populated. +|*start_time_fidelity* (optional) +|[stixtype]#<># +|The level of fidelity that the *start_time* property is recorded in. +|=== <<< == 3. Additional Sub-Objects Types From cf4f3dd0d8e51fe3fc53f2a3784d41d5bfda077c Mon Sep 17 00:00:00 2001 
From: Rich Piazza
Date: Tue, 25 Jun 2024 15:16:51 -0400
Subject: [PATCH 10/23] cleaned up step changes
---
 .../incident-ef7/Incident Extension Suite.adoc | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
index cae0d7cf16c..1e8ddf2b66f 100644
--- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
+++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
@@ -424,7 +424,7 @@ Relationships are not restricted to those listed below. Relationships can be cre
 using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names.
 Steps of [stixtype]#<># *SHOULD NOT* be shared using relationship objects.
-Steps *SHOULD* be shared within an [stixtype]#{incident_url}[incident]# or [stixtype]#<># using the *events* properties, respectively.
+Steps *SHOULD* be shared within an [stixtype]#<># using the *events* property.
 Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally (avoiding potential confusion or misunderstandings when processing STIX data.)
@@ -986,7 +986,6 @@ As a new SDO extension it must follow the requirements as described in section 7
 *start_time_fidelity*,
 *step_refs*,
 *step_start_refs*
-*template_refs*
 |===
 |===
@@ -1072,7 +1071,7 @@ It *MUST* contain references only to [stixtype]#<># objects.
 |*step_start_refs* (optional)
 |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]#
-|A list of step start objects tied to this tasks.
+|A list of step start objects tied to this task.
 It *MUST* contain references only to [stixtype]#<># objects where the *step_type* property is [stixliteral]#start-step#.
 |===
@@ -1092,8 +1091,8 @@ targeting this object type from another object type.
 Relationships are not restricted to those listed below. Relationships can be created between any objects
 using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names.
-Sequences of [stixtype]#<># *SHOULD NOT* be shared using relationship objects.
-Sequences *SHOULD* be shared within an [stixtype]#{incident_url}[incident]# or [stixtype]#<># using the *tasks* or *subtasks* properties, respectively.
+Steps of [stixtype]#<># *SHOULD NOT* be shared using relationship objects.
+Steps *SHOULD* be shared within a [stixtype]#<># using the *tasks* property.
 Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally (avoiding potential confusion or misunderstandings when processing STIX data.)
 [width="100%",cols="27%,16%,24%,33%",options="header",]
From 3a541df7d9f62f811157e0f951a74fb0640153d2 Mon Sep 17 00:00:00 2001
From: Rich Piazza
Date: Tue, 25 Jun 2024 15:23:31 -0400
Subject: [PATCH 11/23] added step relationship section
---
 .../incident-ef7/Incident Extension Suite.adoc | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
index 1e8ddf2b66f..9862d7238ee 100644
--- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
+++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
@@ -424,7 +424,7 @@ Relationships are not restricted to those listed below. Relationships can be cre
 using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names.
 Steps of [stixtype]#<># *SHOULD NOT* be shared using relationship objects.
-Steps *SHOULD* be shared within an [stixtype]#<># using the *events* property.
+Steps *SHOULD* be shared within an [stixtype]#<># using the *step_refs* property.
 Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally (avoiding potential confusion or misunderstandings when processing STIX data.)
@@ -1092,7 +1092,7 @@ Relationships are not restricted to those listed below. Relationships can be cre
 using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names.
 Steps of [stixtype]#<># *SHOULD NOT* be shared using relationship objects.
-Steps *SHOULD* be shared within a [stixtype]#<># using the *tasks* property.
+Steps *SHOULD* be shared within a [stixtype]#<># using the *step_refs* property.
 Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally (avoiding potential confusion or misunderstandings when processing STIX data.)
 [width="100%",cols="27%,16%,24%,33%",options="header",]
@@ -1294,6 +1294,17 @@ This property *SHOULD* be populated.
 |[stixtype]#<>#
 |The level of fidelity that the *start_time* property is recorded in.
+==== 2.5.1. Relationships
+
+// tag::step-relationships[]
+
+These are no relationships explicitly defined between the Step object and other STIX Objects.
+
+Most relationships associated with steps are embedded
+
+However, relationships can be created between any objects
+using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names.
+
 |===
 <<<
From 762e34e833bf20b417b8a53cfe4b7b41880300ee Mon Sep 17 00:00:00 2001
From: Rich Piazza
Date: Tue, 25 Jun 2024 15:58:13 -0400
Subject: [PATCH 12/23] add explicit relationships for step
---
 .../Incident Extension Suite.adoc | 99 ++++++++++++++++---
 1 file changed, 86 insertions(+), 13 deletions(-)
diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
index 9862d7238ee..3f9829c64fb 100644
--- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
+++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
@@ -316,7 +316,7 @@ As a new SDO extension it must follow the requirements as described in section 7
 *status*,
 *sighting_refs*,
 *start_time*,
-*start_time_fidelity*
+*start_time_fidelity*,
 *step_refs*,
 *step_start_refs*
 |===
@@ -339,6 +339,7 @@ enumeration.
 |[stixtype]#{list_url}[list]# of type [stixtype]#<>#
 |A list of changes that this event has caused.
 This is typically used to indicate how an event has affected impacts.
+This property *MAY* not be present when changed objects are recorded at the [stixtype]#<># level.
 |*description* (optional)
 |[stixtype]#{string_url}[string]#
@@ -1005,6 +1006,7 @@ The value of this property *MUST* come from the [stixtype]#<>#
 |A list of changes that this task has caused.
 This is typically used to indicate how a task has affected impacts.
+This property *MAY* not be present when changed objects are recorded at the [stixtype]#<># level.
 |*task_types* (optional)
 |[stixtype]#{list_url}[list]# of type [stixtype]#{open_vocab_url}[open-vocabulary]#
@@ -1191,7 +1193,6 @@ include::examples/example_2.4.json[]
 <<<
 [[step]]
 === 2.5. Step
- [stixliteral]#step#.
 A Step is an activity that is performed as part of an event or task.
@@ -1280,8 +1281,8 @@ This value *MUST* come from [stixtype]#<># -This property *MUST* be populated, unless the *step_type* is [stixliteral]#end-step#. +|The [stixtype]#step# objects to follow. They *MUST* be of type [stixtype]#<>#. +This property *MUST NOT* be populated, if the *step_type* is [stixliteral]#end-step#. |*start_time* (optional) |[stixtype]#{timestamp_url}[timestamp]# 
@@ -1294,18 +1295,86 @@ This property *SHOULD* be populated. |[stixtype]#<># |The level of fidelity that the *start_time* property is recorded in. +|=== + +<<< + ==== 2.5.1. Relationships // tag::step-relationships[] -These are no relationships explicitly defined between the Step object and other STIX Objects. +These are the relationships explicitly defined between the Sept object and other STIX Objects. +The table identifies the relationships that can be made from this object type to another object +type by way of the Relationship object. -Most relationships associated with steps are embedded +Most relationships associated with steps are embedded. -However, relationships can be created between any objects -using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names. +The reverse relationships section illustrates the relationships +targeting this object type from another object type. + +Relationships are not restricted to those listed below. Relationships can be created between any objects +using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names. + +[width="100%",cols="23%,20%,24%,33%",options="header",] +|=== +4+^|[stixtr]*Common Relationships* +4+|[stixrelationship]#derived-from#, +[stixrelationship]#duplicate-of#, +[stixrelationship]#related-to# + +|*Source* |*Type* |*Target* |*Description* +// relationships:start + +|[stixtype]#<># +|[stixrelationship]#impacts# +|[stixtype]#{infrastructure_url}[infrastructure]#, + +[stixtype]#{sco_url}[]# +|An event has an impact on specific infrastructure. While not all SCO types will make sense in this relationship, allowing any type of SCO prevents artificially restricting what could be used. + +|[stixtype]#<># +|[stixrelationship]#located-at# +|[stixtype]#{location_url}[location]# +|The event occurred at a specific location. 
+ +// relationships:end +|=== + +<<< +[width="100%",cols="27%,16%,24%,33%",options="header",] |=== +4+^|[stixtr]*Reverse Relationships* + +|*Source* |*Type* |*Target* |*Description* +// relationships:start +|[stixtype]#{identity_url}[identity]# +|[stixrelationship]#assigned# +|[stixtype]#<># +|An identity has been assigned the task + +|[stixtype]#{identity_url}[identity]# +|[stixrelationship]#contact-for# +|[stixtype]#<># +|An identity is a point of contact for this task. + +|[stixtype]#{identity_url}[identity]# +|[stixrelationship]#participated-in# +|[stixtype]#<># +|An identity participated in a specific task, but as not the primary performer + +|[stixtype]#{identity_url}[identity]# +|[stixrelationship]#performed# +|[stixtype]#<># +|An identity performed a specific task. + +|[stixtype]#{tool_url}[tool]# +|[stixrelationship]#performed# +|[stixtype]#<># +|A tool performed a specific task. +// relationships:end +|=== + +// end::step-relationships[] <<< == 3. Additional Sub-Objects Types @@ -2518,16 +2587,14 @@ Hours and minutes should be understood to establish the timezone for the activit ^|[stixtr]*Vocabulary Value* ^|[stixtr]*Description* |[stixliteral]#start_step# -|Equivalent to CACAO start_step. It has no sequenced object connected to it +|Similar to a CACAO start_step. |[stixliteral]#end_step# -|Equivalent to CACAO end_step. It has no sequenced object connected to it +|Similar to a CACAO end_step. |[stixliteral]#single_step# -|Equivalent to CACAO single_step. It has a sequenced object connected to it +|Similar to CACAO single_step. -|[stixliteral]#parallel_step# -|Equivalent to CACAO parallel_step. It has no sequenced object connected to it |=== 
@@ -2902,3 +2969,9 @@ Added [stixliteral]#ransom-demand# and [stixliteral]#ransom-payment# to [stixtyp
 |Richard Piazza, Jeffrey Mates and Dez Beck
 |Additional editorial fixes, a minor changes to normative statements
 |===
+
+|07
+|2024-07-15
+|Richard Piazza, Jeffrey Mates and Dez Beck
+|Introduced steps, removed event_sequence, event_entry, task_sequence, task_entry
+|===
From fa95e1c3a84ec45b65fc014f501eb82fad769fc4 Mon Sep 17 00:00:00 2001
From: Rich Piazza
Date: Sat, 29 Jun 2024 14:59:09 -0400
Subject: [PATCH 13/23] removed steps, added next_steps to Events and Tasks
---
 .../Incident Extension Suite.adoc | 219 ++----------------
 1 file changed, 21 insertions(+), 198 deletions(-)
diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
index 3f9829c64fb..60091ee84ca 100644
--- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
+++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
@@ -313,12 +313,11 @@ As a new SDO extension it must follow the requirements as described in section 7
 *event_types*,
 *goal*,
 *name*,
+*next_events_refs*,
 *status*,
 *sighting_refs*,
 *start_time*,
-*start_time_fidelity*,
-*step_refs*,
-*step_start_refs*
+*start_time_fidelity*
 |===
 |===
@@ -374,6 +373,10 @@ Not all events have goals.
 |[stixtype]#{string_url}[string]#
 |A name for the event.
+|*next_events_refs* (optional)
+|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]#
+|The [stixtype]#event# objects to follow. They *MUST* be of type [stixtype]#<>#.
+
 |*sighting_refs* (optional)
 |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]#
 |A list of [stixtype]#{sighting_url}[sighting]# objects that were related to this event.
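Review bot: The new *next_events_refs* description only constrains the referenced object type, so nothing forbids an event from listing itself or two events from referencing each other, and a consumer that follows the chain to build a timeline can loop forever unless it keeps a visited set. Unless a graph-level rule already exists elsewhere in the document (outside this hunk), I would add after the type sentence: `An event *MUST NOT* reference itself in *next_events_refs*, and producers *SHOULD NOT* create cycles; consumers traversing *next_events_refs* *SHOULD* track visited identifiers.` The property name also departs from the `<singular>_refs` pattern the suite uses elsewhere (*sighting_refs*, *task_refs*, *impact_refs*); `next_event_refs` would be consistent. The Event property table that this hunk edits opens and closes outside the hunk.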
@@ -396,15 +399,6 @@ This property *SHOULD* be populated.
 If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes.
-|*step_refs* (optional)
-|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]#
-|A list of step objects tied to this event.
-It *MUST* contain references only to [stixtype]#<># objects.
-
-|*step_start_refs* (optional)
-|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]#
-|A list of step start objects tied to this event.
-It *MUST* contain references only to [stixtype]#<># objects where the *step_type* property is [stixliteral]#start-step#.
 |===
@@ -981,12 +975,11 @@ As a new SDO extension it must follow the requirements as described in section 7
 *error*,
 *impact_entity_counts*,
 *name*,
+*next_tasks_refs*
 *outcome*,
 *priority*,
 *start_time*,
-*start_time_fidelity*,
-*step_refs*,
-*step_start_refs*
+*start_time_fidelity*
 |===
 |===
@@ -1046,6 +1039,10 @@ This is primarily used when recording victim notifications.
 |[stixtype]#{string_url}[string]#
 |A name used to identify the task.
+|*next_tasks_refs* (optional)
+|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]#
+|The [stixtype]#task# objects to follow. They *MUST* be of type [stixtype]#<>#.
+
 |*priority* (optional)
 |[stixtype]#{int_url}[integer]#
 |The priority or importance of the task.
@@ -1066,15 +1063,7 @@ This value *MUST* come from [stixtype]#<># objects.
-|*step_start_refs* (optional)
-|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]#
-|A list of step start objects tied to this task.
-It *MUST* contain references only to [stixtype]#<># objects where the *step_type* property is [stixliteral]#start-step#.
 |===
 <<<
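Review bot: The added `+*next_tasks_refs*` entry in the Task property list is missing the trailing comma that every other entry carries, so the rendered list runs "next_tasks_refs outcome," together; it should be `*next_tasks_refs*,`. The name also diverges from the `<singular>_refs` convention used by *task_refs* and *impact_refs* in this document, and whatever form is chosen should match the event-side property added in the same commit; `next_task_refs` would be consistent. The property list and the table it sits in start and end outside this hunk.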
@@ -1190,112 +1179,6 @@ include::examples/example_2.4.json[] ---- <<< -<<< -[[step]] -=== 2.5. Step - -A Step is an activity that is performed as part of an event or task. - -The definition extension *MUST* use [stixliteral]#extension-definition--be0c7c79-1961-43db-afde-637066a87a64# as its extension ID. - -[width="100%",cols="37%,23%,40%",options="header",] -|=== -^|[stixtr]*Property Name* -^|[stixtr]*Type* -^|[stixtr]*Description* - -|*extension_type* (required) -|[stixtype]#{string_url}[string]# -|The value of this property *MUST* be [stixliteral]#new-sdo# - -|=== - -[width="100%",cols="100%",stripes=odd] -|=== -^|[stixtr]*Required Common Properties* -|*created*, -*id*, -*modified*, -*spec_version*, -*type* - -^|[stixtr]*Optional Common Properties* - -|*created_by_ref*, -*revoked*, -*labels*, -*confidence*, -*lang*, -*external_references*, -*object_marking_refs*, -*granular_markings*, -*extensions* - -^|[stixtr]*Not Applicable Common Properties* - -|*defanged* - -^|[stixtr]*Step Object Specific Properties* - -|*changed_objects*, -*description*, -*end_time*, -*end_time_fidelity*, -*next_step_refs*, -*start_time*, -*start_time_fidelity*, -*step_type* -|=== - -|=== -^|[stixtr]*Property Name* ^|[stixtr]*Type* ^|[stixtr]*Description* - -|*type* (required) -|[stixtype]#{string_url}[string]# -|The value of this property *MUST* be set to [stixliteral]#step#. - -|*step_type* (required) -|[stixtype]#<># -|The type of step. - -|*changed_objects* (optional) -|[stixtype]#{list_url}[list]# of type [stixtype]#<># -|A list of changes that this step has caused. -This is typically used to indicate how an step has affected impacts. - -|*description* (optional) -|[stixtype]#{string_url}[string]# -|A description of the step. - -|*end_time* (optional) -|[stixtype]#{timestamp_url}[timestamp]# -|The date and time the task was last recorded. If this is not present it is assumed to be unknown. 
- -If *start_time* and *end_time* properties are both defined, then *end_time* value *MUST* be the same or later than the *start_time* value. - -|*end_time_fidelity* (optional) -|[stixtype]#<># -|The level of fidelity that the *end_time* fidelity is recorded in. - -This value *MUST* come from [stixtype]#<># enumeration. - -|*next_step_refs* (optional) -|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|The [stixtype]#step# objects to follow. They *MUST* be of type [stixtype]#<>#. -This property *MUST NOT* be populated, if the *step_type* is [stixliteral]#end-step#. - -|*start_time* (optional) -|[stixtype]#{timestamp_url}[timestamp]# -|The date and time the task was first recorded. If this is not -present it is assumed to be unknown. - -This property *SHOULD* be populated. - -|*start_time_fidelity* (optional) -|[stixtype]#<># -|The level of fidelity that the *start_time* property is recorded in. - -|=== <<< @@ -1476,7 +1359,7 @@ The value of this property *SHOULD* come from the [stixtype]#< Date: Tue, 2 Jul 2024 14:04:41 -0400 Subject: [PATCH 14/23] removed step remnants, and general review --- .../Incident Extension Suite.adoc | 133 ++++-------------- 1 file changed, 27 insertions(+), 106 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index 60091ee84ca..71f1a361a4d 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc @@ -45,7 +45,7 @@ [.stix-doc-information-heading]#Draft# -[.stix-doc-information-heading]#20 February 2024# +[.stix-doc-information-heading]#8 July 2024# [.stix-doc-information-heading] Editors: 
@@ -96,7 +96,7 @@ The Incident object should have sufficient properties to represent the current s === 2.1. Incident Core -The properties and additional types within the Incident Core Extension are defined below. As this is an extension of a top-level object, common properties such as *id* are not present. This extension *MUST* use [stixliteral]#extension-definition--ef765651-680c-498d-9894-99799f2fa126# as its extension ID. +The properties and additional types within the Incident Core Extension are defined below. As this is an extension of a top-level object, common properties such as *id* are not present, but are present in the [stixtype]#{incident_url}[incident]# object stub . This extension *MUST* use [stixliteral]#extension-definition--ef765651-680c-498d-9894-99799f2fa126# as its extension ID. <<< @@ -145,7 +145,7 @@ It *MUST* contain references to one or more [stixtype]#<># objects |*impact_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|A list of impacts of this incident. +|A list of the impacts of this incident. All objects referenced in this list *MUST* be an [stixtype]#<># object. |*impacted_entity_counts* (optional) @@ -177,7 +177,7 @@ enumeration. |*task_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# |A list of tasks tied to this incident. -It *MUST* contain references to one or more [stixtype]#<># objects. +It *MUST* contain references to one or more [stixtype]#<># objects. |=== @@ -338,7 +338,6 @@ enumeration. |[stixtype]#{list_url}[list]# of type [stixtype]#<># |A list of changes that this event has caused. This is typically used to indicate how an event has affected impacts. -This property *MAY* not be present when changed objects are recorded at the [stixtype]#<># level. |*description* (optional) |[stixtype]#{string_url}[string]# 
@@ -375,7 +374,7 @@ Not all events have goals. |*next_events_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|The [stixtype]#event# objects to follow. They *MUST* be of type [stixtype]#<>#. +|The [stixtype]#event# objects to follow. They *MUST* be of type [stixtype]#<>#. |*sighting_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# @@ -392,6 +391,8 @@ present it is assumed to be unknown. This property *SHOULD* be populated. +If *start_time* and *end_time* properties are both defined, then *end_time* value *MUST* be the same or later than the *start_time* value. + |*start_time_fidelity* (optional) |[stixtype]#<># |The level of fidelity that the *start_time* property is recorded in. This value @@ -418,12 +419,11 @@ targeting this object type from another object type. Relationships are not restricted to those listed below. Relationships can be created between any objects using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names. -Steps of [stixtype]#<># *SHOULD NOT* be shared using relationship objects. -Steps *SHOULD* be shared within an [stixtype]#<># using the *step_refs* property. +[stixtype]#<># *SHOULD NOT* be shared using relationship objects. +Events *SHOULD* be shared within an [stixtype]#<># using the *event_refs* property. Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally (avoiding potential confusion or misunderstandings when processing STIX data.) - [width="100%",cols="23%,20%,24%,33%",options="header",] |=== 4+^|[stixtr]*Common Relationships* 
@@ -592,7 +592,7 @@ To affirmatively state no entities of a given class were impacted they should be |*impacted_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|A list of all impacted entities or infrastructure. The values of this property MUST be the identifier for a SDO or SCO. +|A list of all impacted entities or infrastructure. The values of this property MUST be the identifier for an SDO or SCO. |*recoverability* (optional) |[stixtype]#<># @@ -606,6 +606,8 @@ The value of this property *MUST* come from the [stixtype]#<># |The level of fidelity that the *start_time* property is recorded in. @@ -641,8 +643,7 @@ There are many types of impacts, each with its own unique properties, therefore As such, every Impact *MUST* have the one extension which matches the value of the *impact_category* property (see this property description above). This allows consumers to quickly validate their ability to process this category of impact and then load all of its specific details. - -Because these extensions are used to specify very different types of impacts, producers *SHOULD* use one and only one of these extensions. However, additional extensions might be proposed in the future and might be used in conjunction with one of these. +Because these extensions are used to specify very different types of impacts, producers *SHOULD* use one and only one of these extensions per Impact object. However, additional extensions might be proposed in the future and might be used in conjunction with one of these. ===== 2.3.2.1. Availability Impact Extension 
@@ -694,7 +695,7 @@ The values of this property *MUST* come from the [stixtype]#<> open vocabulary#. -This value *MUST* be included if the loss_type is not [stixliteral]#none#. Including an entry with loss_type of none and no information_type indicates that no information had its confidentiality impacted by the related incident. +This value *MUST* be included if the loss_type is not [stixliteral]#none#. Otherwise, including an entry with loss_type of none and no information_type indicates that no information had its confidentiality impacted by the related incident. |*record_count* (optional) |[stixtype]#{int_url}[integer]# @@ -766,7 +767,7 @@ This can include information about control systems and other processes that can The value of this property *SHOULD* come from the [stixtype]#<># open vocabulary. This value *MUST* be included if the alternation is not none. -Including an entry that with an alteration of [stixliteral]#none# and no information_type provided indicates that no information had its integrity impacted by the related incident. +Otherwise, including an entry that with an alteration of [stixliteral]#none# and no information_type provided indicates that no information had its integrity impacted by the related incident. |*record_count* (optional) |[stixtype]#{int_url}[integer]# @@ -825,7 +826,7 @@ This *MUST* be included if a *conversion_rate* property is included. |*currency* (optional) |[stixtype]#{string_url}[string]#| -The currency used for reporting which the *max_amount* and *min_amount* properties use. +The currency used for reporting the *max_amount* and *min_amount* properties values. This *SHOULD* be an ISO 4217 alpha currency code or the official currency code for the relevant cryptocurrency. This *SHOULD* match the currency of the organization or the government producing the report. 
@@ -894,7 +895,7 @@ enumeration. The value of this property *SHOULD* come from the [stixtype]#<># open vocabulary. This value *MUST* be included if the *impact_type* is not [stixliteral]#none# . -Including an entry with an *impact_type* of none and no asset_type indicates that no physical damage was caused by the related incident. +Otherwise, including an entry with an *impact_type* of none and no asset_type indicates that no physical damage was caused by the related incident. |=== @@ -999,7 +1000,6 @@ The value of this property *MUST* come from the [stixtype]#<># |A list of changes that this task has caused. This is typically used to indicate how a task has affected impacts. -This property *MAY* not be present when changed objects are recorded at the [stixtype]#<># level. |*task_types* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{open_vocab_url}[open-vocabulary]# @@ -1041,7 +1041,7 @@ This is primarily used when recording victim notifications. |*next_tasks_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|The [stixtype]#task# objects to follow. They *MUST* be of type [stixtype]#<>#. +|The [stixtype]#task# objects to follow. They *MUST* be of type [stixtype]#<>#. |*priority* (optional) |[stixtype]#{int_url}[integer]# @@ -1055,6 +1055,8 @@ present it is assumed to be unknown. This property *SHOULD* be populated. +If *start_time* and *end_time* properties are both defined, then *end_time* value *MUST* be the same or later than the *start_time* value. + |*start_time_fidelity* (optional) |[stixtype]#<># |The level of fidelity that the *start_time* property is recorded in. 
@@ -1082,8 +1084,7 @@ targeting this object type from another object type. Relationships are not restricted to those listed below. Relationships can be created between any objects using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names. -Steps of [stixtype]#<># *SHOULD NOT* be shared using relationship objects. -Steps *SHOULD* be shared within a [stixtype]#<># using the *step_refs* property. +Tasks *SHOULD* be shared within a [stixtype]#<># using the *task_refs* property. Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally (avoiding potential confusion or misunderstandings when processing STIX data.) [width="100%",cols="27%,16%,24%,33%",options="header",] 
@@ -1180,86 +1181,6 @@ include::examples/example_2.4.json[] <<< -<<< - -==== 2.5.1. Relationships - -// tag::step-relationships[] - -These are the relationships explicitly defined between the Sept object and other STIX Objects. -The table identifies the relationships that can be made from this object type to another object -type by way of the Relationship object. - -Most relationships associated with steps are embedded. - -The reverse relationships section illustrates the relationships -targeting this object type from another object type. - -Relationships are not restricted to those listed below. Relationships can be created between any objects -using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names. - -[width="100%",cols="23%,20%,24%,33%",options="header",] -|=== -4+^|[stixtr]*Common Relationships* -4+|[stixrelationship]#derived-from#, -[stixrelationship]#duplicate-of#, -[stixrelationship]#related-to# - -|*Source* |*Type* |*Target* |*Description* -// relationships:start - -|[stixtype]#<># -|[stixrelationship]#impacts# -|[stixtype]#{infrastructure_url}[infrastructure]#, + -[stixtype]#{sco_url}[]# -|An event has an impact on specific infrastructure. While not all SCO types will make sense in this relationship, allowing any type of SCO prevents artificially restricting what could be used. - -|[stixtype]#<># -|[stixrelationship]#located-at# -|[stixtype]#{location_url}[location]# -|The event occurred at a specific location. - -// relationships:end -|=== - -<<< - -[width="100%",cols="27%,16%,24%,33%",options="header",] -|=== -4+^|[stixtr]*Reverse Relationships* - -|*Source* |*Type* |*Target* |*Description* -// relationships:start -|[stixtype]#{identity_url}[identity]# -|[stixrelationship]#assigned# -|[stixtype]#<># -|An identity has been assigned the task - -|[stixtype]#{identity_url}[identity]# -|[stixrelationship]#contact-for# -|[stixtype]#<># -|An identity is a point of contact for this task. 
- -|[stixtype]#{identity_url}[identity]# -|[stixrelationship]#participated-in# -|[stixtype]#<># -|An identity participated in a specific task, but as not the primary performer - -|[stixtype]#{identity_url}[identity]# -|[stixrelationship]#performed# -|[stixtype]#<># -|An identity performed a specific task. - -|[stixtype]#{tool_url}[tool]# -|[stixrelationship]#performed# -|[stixtype]#<># -|A tool performed a specific task. -// relationships:end -|=== - -// end::step-relationships[] - -<<< == 3. Additional Sub-Objects Types <<< @@ -1363,8 +1284,8 @@ The value of this property *SHOULD* come from the [stixtype]#< Date: Fri, 5 Jul 2024 13:19:16 -0400 Subject: [PATCH 15/23] Dez's comments from 7/5 --- .../Incident Extension Suite.adoc | 35 +++++++++++++++---- 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index 71f1a361a4d..9cb804d6148 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc @@ -419,8 +419,8 @@ targeting this object type from another object type. Relationships are not restricted to those listed below. Relationships can be created between any objects using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names. -[stixtype]#<># *SHOULD NOT* be shared using relationship objects. -Events *SHOULD* be shared within an [stixtype]#<># using the *event_refs* property. +To relate [stixtype]#<># to an [stixtype]#<># the *event_refs* property +*SHOULD* be used. Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally (avoiding potential confusion or misunderstandings when processing STIX data.) 
@@ -434,12 +434,17 @@ Using these embedded relationships ensures that an incomplete sequence cannot be |*Source* |*Type* |*Target* |*Description* // relationships:start |[stixtype]#<># -|[stixrelationship]#led-to# +|[stixrelationship]#causes# |[stixtype]#<># -|One event led to another. +|One event caused another to take place. For example, a dropper running led to a ransomware tool to be downloaded and run. +|[stixtype]#<># +|[stixrelationship]#causes# +|[stixtype]#># +|The event caused the impact. + |[stixtype]#<># |[stixrelationship]#impacts# |[stixtype]#{infrastructure_url}[infrastructure]#, + @@ -481,6 +486,22 @@ For example, a dropper running led to a ransomware tool to be downloaded and run |[stixrelationship]#performed# |[stixtype]#<># |A tool performed a specific event. + +|[stixtype]#<># +|[stixrelationship]#uses# +|[stixtype]#{course_of_action_url}[course-of-action]# +|An task uses a particular course of action. + +|[stixtype]#<># +|[stixrelationship]#blocks# +|[stixtype]#<># +|A task was performed to block a potential event. + +|[stixtype]#<># +|[stixrelationship]#causes# +|[stixtype]#<># +|A task was performed that caused an event, usually due to an error. + // relationships:end |=== @@ -633,6 +654,8 @@ When this property is populated this impact *MUST* have an *end_time* and and th There are no relationships explicitly defined between the Impact object and other STIX Objects, other than those defined as common relationships ([stixrelationship]#duplicate-of#, [stixrelationship]#derived-from#, [stixrelationship]#related-to#, and the embedded relationships defined by the common SDO properties.) +*Reverse relationships??* + Relationships can be created between any objects using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names. // end::impact-relationships[] 
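Review bot: The description of the new `task uses course-of-action` row has a grammar slip, `|An task uses a particular course of action.`, which should read `|A task uses a particular course of action.`; neither later patch visible in this series touches it. The `blocks` row says `A task was performed to block a potential event.`, which implies the target event object records something that did not happen; if that is the intent it would help to say so explicitly here, since elsewhere in this document an event is described as something that occurred (this reading is inferred from the row text, not stated by the hunk).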
@@ -1084,7 +1107,8 @@ targeting this object type from another object type. Relationships are not restricted to those listed below. Relationships can be created between any objects using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names. -Tasks *SHOULD* be shared within a [stixtype]#<># using the *task_refs* property. +To relate [stixtype]#<># to an [stixtype]#<># the *task_refs* property +*SHOULD* be used. Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally (avoiding potential confusion or misunderstandings when processing STIX data.) [width="100%",cols="27%,16%,24%,33%",options="header",] @@ -2712,7 +2736,6 @@ Added [stixliteral]#ransom-demand# and [stixliteral]#ransom-payment# to [stixtyp |2024-02-15 |Richard Piazza, Jeffrey Mates and Dez Beck |Additional editorial fixes, a minor changes to normative statements -|=== |07 |2024-07-02 From bcad806c1b4c1495f1642c78a7db5d1bba3a8ada Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Mon, 8 Jul 2024 14:58:17 -0400 Subject: [PATCH 16/23] added reverse relationships for Impact --- .../Incident Extension Suite.adoc | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index 9cb804d6148..08d066b09f6 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc 
@@ -654,12 +654,34 @@ When this property is populated this impact *MUST* have an *end_time* and and th There are no relationships explicitly defined between the Impact object and other STIX Objects, other than those defined as common relationships ([stixrelationship]#duplicate-of#, [stixrelationship]#derived-from#, [stixrelationship]#related-to#, and the embedded relationships defined by the common SDO properties.) -*Reverse relationships??* +The reverse relationships section illustrates the relationships +targeting this object type from another object type. -Relationships can be created between any objects +Relationships are not restricted to those listed below. Relationships can be created between any objects using the [stixrelationship]#related-to# relationship type or, as with open vocabularies, user-defined names. + +[width="100%",cols="23%,20%,24%,33%",options="header",] +|=== +4+^|[stixtr]*Reverse Relationships* + +|*Source* |*Type* |*Target* |*Description* +// relationships:start +|[stixtype]#<># +|[stixrelationship]#causes# +|[stixtype]#<># +|An event causes an impact. + +|[stixtype]#<># +|[stixrelationship]#causes# +|[stixtype]#<># +|A task causes an impact. +// relationships:end + // end::impact-relationships[] +|=== + +<<< ==== 2.3.2. Extensions There are many types of impacts, each with its own unique properties, therefore the Impact SDO emulates the File SCO through the use of STIX (sub-type) Extensions to provide the granular details of specific categories of impacts. Seven extensions to [stixtype]#<>#, which further define the impact on a related Incident, are given below. From 26f46e08543a6438d3ece779e392305fec4bec54 Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Mon, 8 Jul 2024 16:26:33 -0400 Subject: [PATCH 17/23] fixed adoc bugs --- .../incident-ef7/Incident Extension Suite.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
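Review bot: The new reverse-relationships table is terminated outside its tagged region: the hunk adds `+|===` and `+<<<` after the existing `// end::impact-relationships[]` context line, so the `|===` that closes the table opened by the added `+|===` above `4+^|[stixtr]*Reverse Relationships*` is not inside the `impact-relationships` tag. Any `include::[tag=impact-relationships]` of this section would pull in an unterminated table, and the page-break `<<<` would be attached to the tag as well. Move the terminator up so the order is `// relationships:end`, `|===`, blank line, `// end::impact-relationships[]`, then `<<<`. The "fixed adoc bugs" patch that follows does not touch this region.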
diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index 08d066b09f6..75b415ba6ae 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc @@ -84,7 +84,7 @@ Incidents have [stixtype]#<># that change over time. [stixtype]#<># can cause or influence these [stixtype]#<># which are in turn mitigated and potentially resolved by [stixtype]#<># performed as part of the incident response process. Both [stixtype]#<># and [stixtype]#<># can exist independently of [stixtype]#{incident_url}[incidents]# and in most workflows will occur prior to an incident being declared. - +[[incident]] == 1. Incidents in STIX Incident objects represent cases composed of [stixtype]#<># and [stixtype]#<># as well as actual or potential [stixtype]#<>#. @@ -374,7 +374,7 @@ Not all events have goals. |*next_events_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|The [stixtype]#event# objects to follow. They *MUST* be of type [stixtype]#<>#. +|The [stixtype]#<># objects to follow. They *MUST* be of type [stixtype]#<>#. |*sighting_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# @@ -1086,7 +1086,7 @@ This is primarily used when recording victim notifications. |*next_tasks_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# -|The [stixtype]#task# objects to follow. They *MUST* be of type [stixtype]#<>#. +|The [stixtype]#<># objects to follow. They *MUST* be of type [stixtype]#<>#. |*priority* (optional) |[stixtype]#{int_url}[integer]# From 8489d545d5d34080cae50dfad37f7f135c55efd0 Mon Sep 17 00:00:00 2001 
From: Rich Piazza Date: Wed, 10 Jul 2024 15:54:37 -0400 Subject: [PATCH 18/23] added event uses attack-pattern --- .../incident-ef7/Incident Extension Suite.adoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index 75b415ba6ae..3653128b8a8 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc @@ -442,7 +442,7 @@ For example, a dropper running led to a ransomware tool to be downloaded and run |[stixtype]#<># |[stixrelationship]#causes# -|[stixtype]#># +|[stixtype]#<># |The event caused the impact. |[stixtype]#<># @@ -451,6 +451,11 @@ For example, a dropper running led to a ransomware tool to be downloaded and run [stixtype]#{sco_url}[]# |An event has an impact on specific infrastructure. While not all SCO types will make sense in this relationship, allowing any type of SCO prevents artificially restricting what could be used. +|[stixtype]#<># +|[stixrelationship]#uses# +|[stixtype]#{attack_pattern_url}[attack_pattern]# +|An event uses an attack pattern. + |[stixtype]#<># |[stixrelationship]#located-at# |[stixtype]#{location_url}[location]# From 893c982144031498e0144a470cecaf43beaa07d6 Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Tue, 16 Jul 2024 14:16:11 -0400 Subject: [PATCH 19/23] removed 2 event SROs --- .../incident-ef7/Incident Extension Suite.adoc | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index 3653128b8a8..b41b7806dcf 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc 
+++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc @@ -381,6 +381,8 @@ Not all events have goals. |A list of [stixtype]#{sighting_url}[sighting]# objects that were related to this event. Sightings referenced in this *SHOULD* be based on [stixtype]#{attack_pattern_url}[attack-pattern]#, [stixtype]#{indicator_url}[indicator]#, or [stixtype]#{malware_url}[malware]# SDOs. +Using the *sighting_refs* property to relate an [stixtype]#<># to an SDO is preferred over using an SRO. + In some cases observed data may be present, but no [stixtype]#{indicator_url}[indicator]# can be created. In these cases it is recommended to use an [stixtype]#{attack_pattern_url}[attack-pattern]# using the name or description of the behavior or rule that triggered the sighting. @@ -433,12 +435,7 @@ Using these embedded relationships ensures that an incomplete sequence cannot be |*Source* |*Type* |*Target* |*Description* // relationships:start -|[stixtype]#<># -|[stixrelationship]#causes# -|[stixtype]#<># -|One event caused another to take place. -For example, a dropper running led to a ransomware tool to be downloaded and run. |[stixtype]#<># |[stixrelationship]#causes# @@ -451,11 +448,6 @@ For example, a dropper running led to a ransomware tool to be downloaded and run [stixtype]#{sco_url}[]# |An event has an impact on specific infrastructure. While not all SCO types will make sense in this relationship, allowing any type of SCO prevents artificially restricting what could be used. -|[stixtype]#<># -|[stixrelationship]#uses# -|[stixtype]#{attack_pattern_url}[attack_pattern]# -|An event uses an attack pattern. - |[stixtype]#<># |[stixrelationship]#located-at# |[stixtype]#{location_url}[location]# From 8616de3de1053034be3f44288273c90a2b9352a0 Mon Sep 17 00:00:00 2001 
From: Rich Piazza Date: Tue, 16 Jul 2024 14:37:24 -0400 Subject: [PATCH 20/23] changed examples for new proerties --- .../incident-ef7/examples/example_2.1.json | 13 +++++-------- .../incident-ef7/examples/example_2.2.json | 4 ++++ .../incident-ef7/examples/example_2.4.json | 3 +++ 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/examples/example_2.1.json b/extension-definition-specifications/incident-ef7/examples/example_2.1.json index 23cccfac5c8..04754c00ac0 100644 --- a/extension-definition-specifications/incident-ef7/examples/example_2.1.json +++ b/extension-definition-specifications/incident-ef7/examples/example_2.1.json @@ -15,10 +15,9 @@ "automated-tool", "human-review" ], - "events": [ - { - "event_ref": "event--9ca38544-c247-45d9-9e33-957ba7c9e119" - } + "event_refs": [ + "event--9ca38544-c247-45d9-9e33-957ba7c9e119" + ], "impact_refs": [ "impact--7a5806e4-0f37-4c48-9a50-7301bff4b195" @@ -39,10 +38,8 @@ "description": "The score is calculated based on the severity of the incident and the potential impact on the organization." } ], - "tasks": [ - { - "task_ref": "task--a45aaed9-6504-4f95-982e-78508726eb5a" - } + "task_refs": [ + "task--a45aaed9-6504-4f95-982e-78508726eb5a" ] } } diff --git a/extension-definition-specifications/incident-ef7/examples/example_2.2.json b/extension-definition-specifications/incident-ef7/examples/example_2.2.json index 96c2268ade9..e1e18654402 100644 --- a/extension-definition-specifications/incident-ef7/examples/example_2.2.json +++ b/extension-definition-specifications/incident-ef7/examples/example_2.2.json @@ -20,6 +20,10 @@ ], "goal": "Gain unauthorized access to sensitive information.", "name": "Phishing Attack", + "next_event_refs": [ + "event--193a3ea2-32ae-4bfd-b353-16836ab70788", + "event--d263f0f6-4c6c-4f77-a7fd-10368f0cb50a" + ], "start_time": "2023-11-22T14:30:00Z", "start_time_fidelity": "minute", "extensions": { 
diff --git a/extension-definition-specifications/incident-ef7/examples/example_2.4.json b/extension-definition-specifications/incident-ef7/examples/example_2.4.json index 3704a8415a6..0ab0914cbee 100644 --- a/extension-definition-specifications/incident-ef7/examples/example_2.4.json +++ b/extension-definition-specifications/incident-ef7/examples/example_2.4.json @@ -19,6 +19,9 @@ "blocked" ], "name": "Mitigation Task", + "next_task_refs": [ + "task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7" + ], "priority": 80, "start_time": "2023-11-22T15:30:00Z", "start_time_fidelity": "minute", From 1bc09d14d3c5846fdbb150131d4126439796017a Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Tue, 16 Jul 2024 16:17:32 -0400 Subject: [PATCH 21/23] added info about the start events/tasks --- .../incident-ef7/Incident Extension Suite.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index b41b7806dcf..16c3ea8589c 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc @@ -143,6 +143,8 @@ These values *SHOULD* be selected from the [stixtype]#<># objects. +Events can be grouped into sequences based on the *next_event_refs* property of the relevant [stixtype]#<># Event objects. Events that are the first in a sequence are not referenced by any *next_event_refs* property. + |*impact_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# |A list of the impacts of this incident. 
@@ -179,6 +181,7 @@ enumeration. |A list of tasks tied to this incident. It *MUST* contain references to one or more [stixtype]#<># objects. +Tasks can be grouped into sequences based on the *next_task_refs* property of the relevant [stixtype]#<># Event objects. Tasks that are the first in a sequence are not referenced by any *next_task_refs* property. |=== @@ -381,7 +384,7 @@ Not all events have goals. |A list of [stixtype]#{sighting_url}[sighting]# objects that were related to this event. Sightings referenced in this *SHOULD* be based on [stixtype]#{attack_pattern_url}[attack-pattern]#, [stixtype]#{indicator_url}[indicator]#, or [stixtype]#{malware_url}[malware]# SDOs. -Using the *sighting_refs* property to relate an [stixtype]#<># to an SDO is preferred over using an SRO. +The *sighting_refs* property *SHOULD* be used to relate an [stixtype]#<># to an SDO, instead of using right an SRO. In some cases observed data may be present, but no [stixtype]#{indicator_url}[indicator]# can be created. In these cases it is recommended to use an [stixtype]#{attack_pattern_url}[attack-pattern]# using the name or description of the behavior or rule that triggered the sighting. From dda950984b41031d539b99a5f906e13acc4f4bd0 Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Tue, 16 Jul 2024 16:42:19 -0400 Subject: [PATCH 22/23] improved start text for event/task --- .../incident-ef7/Incident Extension Suite.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc index 16c3ea8589c..757f94ac537 100644 --- a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc 
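Review bot: The rewritten conformance sentence in the `@@ -381,7 +384,7 @@` hunk carries a stray word: `The *sighting_refs* property *SHOULD* be used to relate an [stixtype]#<># to an SDO, instead of using right an SRO.` should end `..., instead of using an SRO.` This matters more than a typo elsewhere because the patch upgrades the previous non-normative "is preferred" wording to a SHOULD, so the sentence is now part of the conformance text and is not corrected by the two later patches visible here. The `@@ -179,6 +181,7 @@` hunk's `[stixtype]#<># Event objects` for tasks is already fixed by the following patch, so no change is needed there.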
@@ -143,7 +143,7 @@ These values *SHOULD* be selected from the [stixtype]#<># objects. -Events can be grouped into sequences based on the *next_event_refs* property of the relevant [stixtype]#<># Event objects. Events that are the first in a sequence are not referenced by any *next_event_refs* property. +Events can be grouped into sequences based on the *next_event_refs* property of the relevant [stixtype]#<># objects. Events that are the first in a sequence are not referenced by the *next_event_refs* property of any other [stixtype]#<># object. |*impact_refs* (optional) |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]# @@ -181,7 +181,7 @@ enumeration. |A list of tasks tied to this incident. It *MUST* contain references to one or more [stixtype]#<># objects. -Tasks can be grouped into sequences based on the *next_task_refs* property of the relevant [stixtype]#<># Event objects. Tasks that are the first in a sequence are not referenced by any *next_task_refs* property. +Tasks can be grouped into sequences based on the *next_task_refs* property of the relevant [stixtype]#<># objects. Tasks that are the first in a sequence are not referenced by the *next_task_refs* property of any other [stixtype]#<># object. |=== From 90e794dada3262be576c6390057d27932c6f8ce4 Mon Sep 17 00:00:00 2001 From: Rich Piazza Date: Tue, 16 Jul 2024 16:33:50 -0400 Subject: [PATCH 23/23] more example changes --- .../incident-ef7/examples/example_2.1.json | 6 +++++- .../incident-ef7/examples/example_2.2.json | 4 ++-- .../incident-ef7/examples/example_2.4.json | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/extension-definition-specifications/incident-ef7/examples/example_2.1.json b/extension-definition-specifications/incident-ef7/examples/example_2.1.json index 04754c00ac0..cb5ee8a0674 100644 --- a/extension-definition-specifications/incident-ef7/examples/example_2.1.json 
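Review bot: The start of a sequence is defined only negatively (`Events that are the first in a sequence are not referenced by the *next_event_refs* property of any other [stixtype]#<># object`), so a consumer must scan every event of the incident to find the roots, and a set of events whose *next_event_refs* form a cycle, or an event that references itself, has no start at all; nothing visible in this series forbids either. Consider adding a constraint next to this sentence, e.g. `The graph formed by *next_event_refs* *MUST NOT* contain cycles, and an [stixtype]#<># *MUST NOT* reference itself.`, with the mirror statement for *next_task_refs* in the second hunk. Processors that walk these references should bound the traversal regardless, since the data comes from other producers.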
+++ b/extension-definition-specifications/incident-ef7/examples/example_2.1.json @@ -16,6 +16,9 @@ "human-review" ], "event_refs": [ + "event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6", + "event--193a3ea2-32ae-4bfd-b353-16836ab70788", + "event--d263f0f6-4c6c-4f77-a7fd-10368f0cb50a", "event--9ca38544-c247-45d9-9e33-957ba7c9e119" ], @@ -39,7 +42,8 @@ } ], "task_refs": [ - "task--a45aaed9-6504-4f95-982e-78508726eb5a" + "task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c", + "task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7" ] } } diff --git a/extension-definition-specifications/incident-ef7/examples/example_2.2.json b/extension-definition-specifications/incident-ef7/examples/example_2.2.json index e1e18654402..05706f807de 100644 --- a/extension-definition-specifications/incident-ef7/examples/example_2.2.json +++ b/extension-definition-specifications/incident-ef7/examples/example_2.2.json @@ -21,8 +21,8 @@ "goal": "Gain unauthorized access to sensitive information.", "name": "Phishing Attack", "next_event_refs": [ - "event--193a3ea2-32ae-4bfd-b353-16836ab70788", - "event--d263f0f6-4c6c-4f77-a7fd-10368f0cb50a" + "event--193a3ea2-32ae-4bfd-b353-16836ab70788", + "event--d263f0f6-4c6c-4f77-a7fd-10368f0cb50a" ], "start_time": "2023-11-22T14:30:00Z", "start_time_fidelity": "minute", diff --git a/extension-definition-specifications/incident-ef7/examples/example_2.4.json b/extension-definition-specifications/incident-ef7/examples/example_2.4.json index 0ab0914cbee..04b71dc72ca 100644 --- a/extension-definition-specifications/incident-ef7/examples/example_2.4.json +++ b/extension-definition-specifications/incident-ef7/examples/example_2.4.json @@ -20,7 +20,7 @@ ], "name": "Mitigation Task", "next_task_refs": [ - "task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7" + "task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7" ], "priority": 80, "start_time": "2023-11-22T15:30:00Z",
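Review bot: The incident example's `task_refs` no longer contains `task--a45aaed9-6504-4f95-982e-78508726eb5a`, the id it has referenced since the original example, and instead lists `task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c` and `task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7`. If the task object in example_2.4.json still carries the a45aaed9 id (its `next_task_refs` points at task--1cb3fbba per the hunk in this same patch, so it is the predecessor of a task that is now listed), the task shown in 2.4 is orphaned from the incident in 2.1 while its successor is included; the id of that object is not visible in this diff, so please confirm. Either keep `"task--a45aaed9-6504-4f95-982e-78508726eb5a",` as the first entry of `task_refs` or change the id in example_2.4.json so the examples cross-reference consistently. The `event_refs` hunk does the right thing by keeping the original `event--9ca38544-...` alongside the new ids.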