Hi,

Below are the consolidated notes from the meeting today. Please chime in if I captured something incorrectly. Also, please let me know if I missed your attendance.

Participants

Jyoti Verma, Sam Zargar, Allan Thomson, Ben Sooter, Bret Jordan, Gary, John-Mark, John Wunder, Sourabh Satish, Henry, Jefferey Mates, Duncan Sparrel, Nicolas

Minutes:

* We went over the use case that Jeff shared and started building out the COA object using the example
* We should also have post conditions (on_success, on_failure) along with preconditions (requires_success, requires_failure) - Allan
* The action details could be captured in a property of its own, e.g. "openc2", and this could be a blob - Bret
* No need for a "type" attribute to capture the action type - John-Mark
* We could represent the action in cybox observable style - John-Mark
* The "start_index" field could capture which action to start with
* We went over different options for linking the different actions as called out below

Open Questions and Options to think about (thanks Bret):

* Should linkages between atomic COA elements be linked with an 'integer' or should they be linked via a text `string`?
* Should the atomic COA elements look like STIX elements or Cyber Observable elements? Namely, should the name/id be inside the object or should it be a map?

Option 1: using id to map the linkage - STIX style

{
  "type": "course-of-action",
  "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:03:48.000Z",
  "modified": "2016-04-06T20:03:48.000Z",
  "name": "Some top level name for the COA",
  "description": "Some top level description for the COA",
  "actions": [
    {
      "action_id": 1,
      "name": "name of COA action",
      "description": "some description or human course of action",
      "on_success": [2],
      "on_failure": [3],
      "requires_success": [],
      "requires_failure": [],
      "openc2": "some openc2 command"
    },
    {
      "action_id": 2,
      "name": "name of COA action",
      "description": "some description or human course of action",
      "on_success": [4],
      "on_failure": [3],
      "requires_success": [1],
      "requires_failure": [],
      "openc2": "some openc2 command"
    }
  ]
}

Option 2: using names to map the linkage - STIX style

{
  "type": "course-of-action",
  "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:03:48.000Z",
  "modified": "2016-04-06T20:03:48.000Z",
  "name": "Some top level name for the COA",
  "description": "Some top level description for the COA",
  "actions": [
    {
      "name": "some name 1",
      "description": "some description or human course of action",
      "on_success": ["some name 2"],
      "on_failure": ["some name 3"],
      "requires_success": [],
      "requires_failure": [],
      "openc2": "some openc2 command"
    },
    {
      "name": "some name 2",
      "description": "some description or human course of action",
      "on_success": ["some name 4"],
      "on_failure": ["some name 3"],
      "requires_success": ["some name 1"],
      "requires_failure": [],
      "openc2": "some openc2 command"
    }
  ]
}

Another thing we talked about was how to have the keys be determined. The two examples above are in STIX-like style. The next two are Cyber Observable style.

Option 3: using id to map the linkage - Cyber Observable style

{
  "type": "course-of-action",
  "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:03:48.000Z",
  "modified": "2016-04-06T20:03:48.000Z",
  "name": "Some top level name for the COA",
  "description": "Some top level description for the COA",
  "actions": {
    "1": {
      "name": "name of COA action",
      "description": "some description or human course of action",
      "on_success": [2],
      "on_failure": [3],
      "requires_success": [],
      "requires_failure": [],
      "openc2": "some openc2 command"
    },
    "2": {
      "name": "name of COA action",
      "description": "some description or human course of action",
      "on_success": [4],
      "on_failure": [3],
      "requires_success": [1],
      "requires_failure": [],
      "openc2": "some openc2 command"
    }
  }
}

Option 4: using names to map the linkage - Cyber Observable style

{
  "type": "course-of-action",
  "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:03:48.000Z",
  "modified": "2016-04-06T20:03:48.000Z",
  "name": "Some top level name for the COA",
  "description": "Some top level description for the COA",
  "actions": {
    "some name 1": {
      "description": "some description or human course of action",
      "on_success": ["some name 2"],
      "on_failure": ["some name 3"],
      "requires_success": [],
      "requires_failure": [],
      "openc2": "some openc2 command"
    },
    "some name 2": {
      "description": "some description or human course of action",
      "on_success": ["some name 4"],
      "on_failure": ["some name 3"],
      "requires_success": ["some name 1"],
      "requires_failure": [],
      "openc2": "some openc2 command"
    }
  }
}

Agenda for next meeting:

* Identify the option that will work for most use cases
* Go over Sarah's use cases
* Discuss topics that didn't get covered this time around
* Define relationship types for COAs
* Should the STIX COA support time based sequencing?
* Topics for F2F

Thanks,
Jyoti
Technical Leader
Office of the CTO, Security Business Group, Cisco Systems

From: <cti@lists.oasis-open.org> on behalf of OASIS Open <workgroup_mailer@lists.oasis-open.org>
Date: Friday, May 5, 2017 at 10:43 AM
To: <cti@lists.oasis-open.org>
Subject: [cti] STIX COA mini group call

Submitter's message
Follow on call for STIX COA
-- Ms. Jyoti Verma

Event Title: STIX COA mini group call
Date: Monday, 08 May 2017, 12:00pm to 01:00pm PDT
Location: Webex

Description
STIX COA working group follow on call

Join WebEx meeting
Meeting number: 208 034 411
Meeting password: tecePfxH (83237394 from phones)

Join from a video conferencing system or application
Dial 208034411@cisco.webex.com
From the Cisco internal network, dial *267* and the 9-digit meeting number.
If you are the host, enter your PIN when prompted.
If you are a host, go here to view host information.

Join by phone
+1-866-432-9903 Call-in toll-free number (US/Canada)
+1-408-525-6800 Call-in toll number (US/Canada)
Access code: 208 034 411
Global call-in numbers
Toll-free calling restrictions

Can't join the meeting? Contact support.

IMPORTANT NOTICE: Please note that this WebEx service allows audio and other information sent during the session to be recorded, which may be discoverable in a legal matter. By joining this session, you automatically consent to such recordings. If you do not consent to being recorded, discuss your concerns with the host or do not join the session.

Agenda

* Discuss use cases
* Define relationship types for COAs
* Should the STIX COA support time based sequencing?
* How should STIX COA work with and make use of automated actions like OpenC2?
* Topics for F2F

Owner: Ms. Jyoti Verma
Group: OASIS Cyber Threat Intelligence (CTI) TC
Sharing: This event is shared with the OASIS Open (General Membership), and General Public groups.

Public Event Link
Learn more about subscribing here.
View the OASIS Cyber Threat Intelligence (CTI) TC calendar here.
You may receive future notifications with updates to this event. Update the event on your calendar by accepting the changes.
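Added example, not part of the original minutes and not code from the CTI TC or any STIX/OpenC2 specification: a linkage check a consumer could run on a received COA before handing its actions to automation. It accepts both the list layout (Options 1/2) and the map layout (Options 3/4). The function names and sample data are hypothetical, and treating a loop through on_success/on_failure as an error is an assumption the minutes do not state.

```python
LINK_FIELDS = ("on_success", "on_failure", "requires_success", "requires_failure")

def index_actions(coa):
    """Return ({key: action}, duplicate_keys) for list style or map style."""
    actions = coa["actions"]
    if isinstance(actions, dict):            # Options 3/4: key is the map key
        return {str(k): a for k, a in actions.items()}, []
    index, dupes = {}, []
    for a in actions:                        # Options 1/2: key is inside the object
        key = str(a["action_id"] if "action_id" in a else a["name"])
        if key in index:
            dupes.append(key)                # a second action with this key is ambiguous
        index.setdefault(key, a)             # keep the first, report the rest
    return index, dupes

def validate_coa(coa):
    """List linkage problems; treating a cycle as an error is an assumption."""
    index, dupes = index_actions(coa)
    problems = [f"duplicate action key {k!r}" for k in dupes]
    for key, action in index.items():
        for field in LINK_FIELDS:
            for ref in action.get(field, []):
                if str(ref) not in index:    # [2] and "2" name the same action
                    problems.append(f"{key}.{field}: unknown action {ref!r}")
    state = {}
    def visit(key):                          # depth-first walk over outcome edges
        state[key] = "open"
        for ref in index[key].get("on_success", []) + index[key].get("on_failure", []):
            nxt = str(ref)
            if state.get(nxt) == "open":
                problems.append(f"cycle: {key} -> {nxt}")
            elif nxt in index and nxt not in state:
                visit(nxt)
        state[key] = "done"
    for key in index:
        if key not in state:
            visit(key)
    return problems

# Constructed sample: the two actions of Option 3, other properties omitted.
OPTION3 = {"actions": {
    "1": {"on_success": [2], "on_failure": [3], "requires_success": [], "requires_failure": []},
    "2": {"on_success": [4], "on_failure": [3], "requires_success": [1], "requires_failure": []}}}
# Constructed sample: list style with a duplicate name and a loop back to the start.
LOOPED = {"actions": [
    {"name": "block", "on_success": ["verify"]},
    {"name": "verify", "on_failure": ["block"]},
    {"name": "verify", "on_success": []}]}

if __name__ == "__main__":
    for label, coa in (("option 3", OPTION3), ("looped", LOOPED)):
        print(label, validate_coa(coa))
```

Run on the Option 3 fragment, it reports the references to actions 3 and 4, which the two-action example does not define. The duplicate check applies only to the list layout, where two actions can carry the same id or name.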