Open sparrell opened 7 years ago
Note this is a more specific issue than issue #5

PROBLEM
The CTI STIX group has suggested that openc2 stick to C2 and that alert is not C2. I.e. openc2 can tell an actuator the conditions under which to alert, but that the alert would come through a 'normal' alert channel. This is in keeping with the functional split we are trying to maintain.

POTENTIAL SOLUTION
Remove Alert from LDD

Agree that alert is out of scope for C2. Many mechanisms exist for carrying alerts, including event logging messages, push notification services, pub/sub channels, SNMP traps, etc.

I am not going to argue that ALERT fits within the sensing block of IACD, and I agree that we want to maintain the separation/decoupling of ACD blocks. From a pragmatic point of view, we are going to need a means to fire events that the orchestrator or whatever can respond to. I am NOT stating that the openC2 channel must receive every byte of data from a sensor or actuator. I am saying that I see value in receiving an alert from an actuator that could be used to trigger some course of action. My 'vote' is to keep ALERT in the LDD, and we will add text along the lines that the alert is not intended for 'routine' sensing, but is available to alert the orchestrator/mission manager should some threshold be breached.

I still think alert is just another type of response.

response = request | status | ack | alert

And from my viewpoint, this is the best of both worlds:

action = deny | stop | query | ...