Merge branch 'fix-incident-schema'
rpiazza committed Oct 7, 2024
2 parents 2d9e0b3 + 483a460 commit 16d5bd9
Showing 5 changed files with 42 additions and 272 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,10 @@
"title": "Event",
"description": "An extension for recording events in STIX.",
"type": "object",
"unevaluatedProperties": false,
"required": [
"extensions"
, "status"
, "type"
"extensions",
"status",
"type"
],
"allOf": [
{
Expand All @@ -33,17 +32,12 @@
}
}
},
"created": {},
"modified": {},
"spec_version": {},
"labels": {},
"external_references": {},
"type": {
"type": "string",
"const": "event"
},
"id": {
"type": "string",
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
"pattern": "^event--"
},
"event_types": {
Expand Down Expand Up @@ -131,72 +125,15 @@
"pattern": "^sighting--"
}
},
"subevents": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/Event_Sequence"
}
}
}
}
],
"definitions": {
"Event_Sequence": {
"type": "object",
"additionalProperties": false,
"required": ["event_ref"],
"properties": {
"event_ref": {
"type": "string",
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
"pattern": "^event--",
"description": "The event"
},
"sequence_start": {
"type": "boolean",
"description": "If this event is the start of a sequence.",
"default": true
},
"next_steps": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"required": [
"condition_type",
"event_ref",
"transition_type"
],
"properties": {
"condition_type": {
"type": "string",
"enum": [
"optional",
"required",
"unknown"
]
},
"event_ref": {
"type": "string",
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
"pattern": "^event--"
},
"transition_type": {
"type": "string",
"description": "What end-state causes the target to begin",
"enum": [
"completion",
"failure",
"success",
"unknown"
]
}
}
"next_event_refs": {
"type": "array",
"items": {
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
"pattern": "^event--"
}
}
},
"unevaluatedProperties": false
}
}
}
}
]
}
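Review bot: The new `next_event_refs` array in the third hunk (`@@ -131,72 +125,15 @@`) declares its `items` with only the identifier `$ref` and `"pattern": "^event--"`, whereas every other identifier array in this commit (`event_refs`/`task_refs` in the incident schema) also carries `"type": "string"` and `"minItems": 1`; whether the remote `$ref` target pins the type cannot be confirmed from this page, so the explicit type keeps the constraint self-contained, e.g. `"items": { "type": "string", "$ref": "<identifier.json URL as on the other refs>", "pattern": "^event--" }`. Because an event may now point at further events, a chain of `next_event_refs` can form a cycle that the schema cannot forbid; a one-line `description` on `next_event_refs` telling consumers that traversal must be bounded against cycles would be worth adding. The enclosing `allOf` entry and its `properties` object start outside this hunk, so the placement of the closing `"unevaluatedProperties": false` relative to them cannot be verified here.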
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
"investigation_status": "open",
"criticality": 70,
"detection_methods": [
"automated-tool",
"automated-tools",
"human-review"
],
"event_refs": [
Original file line number Diff line number Diff line change
Expand Up @@ -51,18 +51,22 @@
}
}
},
"events": {
"event_refs": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/Event_Sequence"
"type": "string",
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
"pattern": "^event--"
}
},
"tasks": {
"task_refs": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/Task_Sequence"
"type": "string",
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
"pattern": "^task--"
}
},
"determination": {
Expand Down Expand Up @@ -134,118 +138,6 @@
}
],
"definitions": {
"Event_Sequence": {
"type": "object",
"additionalProperties": false,
"required": ["event_ref"],
"properties": {
"event_ref": {
"type": "string",
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
"pattern": "^event--",
"description": "The event"
},
"sequence_start": {
"type": "boolean",
"description": "If this event is the start of a sequence.",
"default": true
},
"next_steps": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"required": [
"condition_type",
"event_ref",
"transition_type"
],
"properties": {
"condition_type": {
"type": "string",
"enum": [
"optional",
"required",
"unknown"
]
},
"event_ref": {
"type": "string",
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
"pattern": "^event--"
},
"transition_type": {
"type": "string",
"description": "What end-state causes the target to begin",
"enum": [
"completion",
"failure",
"success",
"unknown"
]
}
}
}
}
}
},
"Task_Sequence": {
"type": "object",
"additionalProperties": false,
"required": ["task_ref"],
"properties": {
"task_ref": {
"type": "string",
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
"pattern": "^task--",
"description": "The event or task"
},
"sequence_start": {
"type": "boolean",
"description": "If this task is the start of a sequence.",
"default": true
},
"next_steps": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"required": [
"condition_type",
"task_ref",
"transition_type"
],
"properties": {
"condition_type": {
"type": "string",
"enum": [
"optional",
"required",
"unknown"
]
},
"task_ref": {
"type": "string",
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
"pattern": "^task--"
},
"transition_type": {
"type": "string",
"description": "What end-state causes the target to begin",
"enum": [
"completion",
"failure",
"success",
"unknown"
]
}
}
}
}
}
},
"Recoverability": {
"type": "string",
"description": "The scope of impact required to recover from an incident",
Expand All @@ -256,7 +148,7 @@
"extended",
"not-recoverable"
],
"$comment": "This is a closed vocabulary: non-applicable is an addition to what is found on https://us-cert.cisa.gov/incident-notification-guidelines for Incident reports that do not have associated recover costs. For example a phishing email that was detected successfully."
"$comment": "This is a closed vocabulary (enumeration): non-applicable is an addition to what is found on https://us-cert.cisa.gov/incident-notification-guidelines for Incident reports that do not have associated recover costs. For example a phishing email that was detected successfully."
}
}
}
}
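Review bot: `event_refs` and `task_refs` in the first hunk (`@@ -51,18 +51,22 @@`) accept duplicate identifiers and carry no `description`, while the `Event_Sequence`/`Task_Sequence` definitions they replace (deleted in the second hunk) expressed ordering explicitly through `sequence_start` and `next_steps`, so a reader can no longer tell whether array order is meaningful. Suggest adding `"uniqueItems": true` to both arrays and a one-line `"description"` on each stating whether the order of the references is significant. The enclosing `properties` object starts outside the first hunk, so I could not check whether any remaining sibling still references the removed `#/definitions/Event_Sequence` or `#/definitions/Task_Sequence`.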
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,17 @@
^|*Type*
^|*Target*

|[stixtype]#<<event,event>>#
|[stixrelationship]#causes#
|[stixtype]#<<impact,impact>>#

|[stixtype]#<<event,event>>#
|[stixrelationship]#impacts#
|[stixtype]#{infrastructure_url}[infrastructure]#

|[stixtype]#<<event,event>>#
|[stixrelationship]#led-to#
|[stixtype]#<<event,event>>#
|[stixtype]#<<task,task>>#

|[stixtype]#<<event,event>>#
|[stixrelationship]#located-at#
Expand Down Expand Up @@ -62,7 +66,7 @@

|[stixtype]#{identity_url}[identity]#
|[stixrelationship]#performed#
|[stixtype]#<<task,task>>#
|[stixtype]#<<task,task>>#, #<<event,event>>#,

|[stixtype]#{incident_url}[incident]#
|[stixrelationship]#attributed-to#
