Open rpiazza opened 9 months ago
Thank you for catching these. We believe most of these are errors, but a few of these were intended:
- incident_types does come from event-type-ov to allow for consistency with other systems and avoiding creating duplicate open vocabularies. If another term can be created for this which is neutral it can certainly be renamed.
- -ext within the impact extensions. These should be added and the documents should be revised as appropriate. Our only concern with implementing this now is it may break existing code as it is backwards breaking. That said since this is an extension proposal it would be better to fix this now, but we might need to officially flag a new version such as 2.0.1 or 2.1 for the incident extension.
- impact_category open in order to allow for the expansion of impact in the future. We also cannot forbid additional extensions within it since the STIX specification does not permit this in general. We may be able to state that it MUST only have one category style extension however while still allowing additional extensions in case implementers require additional internal data to be passed along with existing impacts.

> We also cannot forbid additional extensions within it since the STIX specification does not permit this in general.
Not sure what you are trying to say here. Multiple extensions are allowed by the spec (or should be). File is an example where you might want to use more than one extension (that comes directly from Ivan who worked on SCOs with Trey).
I think we want to restrict multiple Impact extensions - I don't see why that can't be normative language.
BTW - I defined the term "subtype extensions" in the extension policy document to describe the "predefined extensions" we have in the spec and that would be a good term to use for the Impact ones.
Some changes still pending
- [ ] Update Draft date from 10 October 2023
This reads fine for me.
We have to assume that anyone looking at extension specification has some familiarity with the STIX spec.
just the NEW objects, not the existing STIX objects (Event, Task, Impact). The third paragraph of the abstract is helpful, but I think three bullets in Section 1 would help make it clear how the three new SDOs relate to an incident and to each other.
I hope this will be re-worked when Jeff discusses the other Incident proposal - https://github.com/os-threat/cti-stix-common-objects
[ ] Properties are listed by required/optional and alphabetical within each section. They would be more easily digested if grouped more logically - for example, by type (e.g., references to other objects together) and/or role (e.g., start_time, start_time_fidelity, end_time, end_time_fidelity). In STIX, the tables are ordered logically, not by required/optional or alphabet. Another example - “determination” should come after “investigation_status.”
[X] “As this is an extension of a top-level object, fields such as identifier are not present.” Should this be “common properties such as identifier are not present.”
[X] “high level” —> “high-level”
[X] Definition for “determination” property is unclear. “Outcome” makes it seem like it relates to whether or not the adversary was successful. How about changing the property name to “declaration” with a definition something like, “A high-level declaration of the incident status.”
Changed "outcome" to "status"
I think this is ok
The "style" is to only include new suggested relationships.
Waiting on other Incident proposal - https://github.com/os-threat/cti-stix-common-objects
NEW COMMENTS BELOW 2/8/24
This has been changed to "An Event is an activity that has a harmful effect on the defender/victim."
Changed to "The category of impact this object applies to."
Changed to: Because these extensions are used to specify very different types of impacts, producers SHOULD use one and only one of these extensions. However, additional extensions might be proposed in the future and might be used in conjunction with one of these. Producers and consumers are terms from the spec's Conformance section
Changed to "decimal digits". I think fidelity is a slightly different concept than precision.
Changed to: A Task is an activity that is performed by or for the victim/defender to respond to the attack.
Comments 2/12/24
comments 2/13/24
comments 2/14/24
comments 2/15/24
Probably :-)
Not recommended