vz-risk / veris

Vocabulary for Event Recording and Incident Sharing (VERIS)
http://verisframework.org

Choosing 'Unknown' as a variety or vector implies that the parent was known. #269

Open gdbassett opened 5 years ago

gdbassett commented 5 years ago

When coding VERIS, only select 'Unknown' when it is known the parent existed, but nothing else is known. If it is not known the parent existed, select nothing under the parent.

For example, if you are aware a hacking action occurred, but nothing else, choose 'action.hacking.variety.Unknown'. If you are unaware whether a hacking action occurred, select nothing under action.hacking.

Another common example is in event_chain. Choosing "event_chain.money laundering.variety.Unknown" means Money Laundering occurred. Choosing no variety of money laundering means nothing is known about whether money laundering occurred or not.

gdbassett commented 2 years ago

Update "Unknown" definitions to reflect this:

"The parent is known to exist but this <variety/etc> is unknown. If it is unknown if the parent exists as well, don't select anything."
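
The convention from this issue, applied to the hacking example, as an added illustration that is not part of the thread or the VERIS project's code. The record fragments are constructed, the function names are hypothetical, and treating a parent with no selections (absent or empty) as "not asserted" is this example's reading of "select nothing under the parent".

```python
from collections import Counter

NOT_ASSERTED = "not asserted"                  # nothing selected under the parent
DETAILS_UNKNOWN = "asserted, details unknown"  # only 'Unknown' selected
DETAILS_KNOWN = "asserted, details known"      # at least one specific value


def parent_status(record, parent, section="action", fields=("variety", "vector")):
    """Classify what a record says about one parent, e.g. action.hacking."""
    node = record.get(section, {}).get(parent) or {}
    selected = [value for field in fields for value in node.get(field, [])]
    if not selected:
        # Per the issue: no selection means it is not known the parent existed.
        return NOT_ASSERTED
    if all(value == "Unknown" for value in selected):
        # Per the issue: 'Unknown' means the parent existed, nothing else known.
        return DETAILS_UNKNOWN
    return DETAILS_KNOWN


def tally(records, parent):
    """Count records by status so 'Unknown' is not mistaken for 'no data'."""
    return Counter(parent_status(r, parent) for r in records)


# Constructed sample fragments; only the action section is shown.
RECORDS = [
    # Hacking occurred, nothing else known.
    {"action": {"hacking": {"variety": ["Unknown"], "vector": ["Unknown"]}}},
    # Hacking occurred, details known.
    {"action": {"hacking": {"variety": ["SQLi"], "vector": ["Web application"]}}},
    # Malware recorded; nothing selected under hacking.
    {"action": {"malware": {"variety": ["Ransomware"], "vector": ["Unknown"]}}},
    # Empty hacking object: still nothing selected under the parent.
    {"action": {"hacking": {}}},
]

if __name__ == "__main__":
    for status, count in sorted(tally(RECORDS, "hacking").items()):
        print(f"hacking {status}: {count}")
```

Counting only the two "asserted" statuses gives the number of incidents where hacking is known to have occurred; the "not asserted" records say nothing either way.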