diff --git a/extension-definition-specifications/identity-contact-information/Identity Contact Information.docx b/extension-definition-specifications/identity-contact-information/Identity Contact Information.docx
index bc8e2c6c997..b9bb6dfbaa7 100644
Binary files a/extension-definition-specifications/identity-contact-information/Identity Contact Information.docx and b/extension-definition-specifications/identity-contact-information/Identity Contact Information.docx differ
diff --git a/extension-definition-specifications/identity-contact-information/examples/contact_details.json b/extension-definition-specifications/identity-contact-information/examples/contact_details.json
index eb40962b1f7..9aff4b94025 100644
--- a/extension-definition-specifications/identity-contact-information/examples/contact_details.json
+++ b/extension-definition-specifications/identity-contact-information/examples/contact_details.json
@@ -25,6 +25,7 @@
 {
 "contact_number": "123-456-7890",
 "contact_number_type": "work-phone"
+ "classified": true
 },
 {
 "contact_number": "123-456-7891",
@@ -71,4 +72,4 @@
 "account_type": "fake service"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/extension-definition-specifications/identity-contact-information/extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498.json b/extension-definition-specifications/identity-contact-information/extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498.json
index 6b4ff2c1e8f..d7333b79a7b 100644
--- a/extension-definition-specifications/identity-contact-information/extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498.json
+++ b/extension-definition-specifications/identity-contact-information/extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498.json
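Review bot: The added `"classified": true` follows the context line `"contact_number_type": "work-phone"` with no separating comma, so contact_details.json no longer parses as JSON and any validation run over the examples will fail at the parser before the schema is ever consulted. The fix lands on the context line, `"contact_number_type": "work-phone",`, which means this hunk has to be re-cut to modify it. Since the new flag presumably describes the channel's suitability for classified use rather than the sensitivity of the number itself, the example would be clearer with at least one entry that sets it explicitly to `false`.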
@@ -30,6 +30,11 @@
 "type": "string",
 "description": "The contact number. Typically a phone number."
 },
+ "classified": {
+ "type": "boolean",
+ "default": false
+ "description": "Can be used to reach the individual on a classified phone."
+ },
 "contact_number_type": {
 "type": "string",
 "description": "The type of number this is used for. This SHOULD be drawn from contact-number-ov."
@@ -56,6 +61,11 @@
 "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
 "pattern": "^email-addr--"
 },
+ "classified": {
+ "type": "boolean",
+ "default": false
+ "description": "Can be used to reach the individual on a classified network."
+ },
 "digital_contact_type": {
 "type": "string",
 "description": "The type of email that address is used for. This SHOULD be drawn from digital-contact-ov."
@@ -82,6 +92,11 @@
 "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
 "pattern": "^user-account--"
 },
+ "classified": {
+ "type": "boolean",
+ "default": false
+ "description": "Can be used to reach the individual on a classified network."
+ },
 "digital_contact_type": {
 "type": "string",
 "description": "The type of social media account that relates to. This SHOULD be drawn from digital-contact-ov."
@@ -113,5 +128,25 @@
 "type": "string",
 "description": "A suffix for the individual such as “PhD”"
 }
+ },
+ "definitions": {
+ "contact-number-ov": {
+ "type": "string",
+ "enum": [
+ "personal-landline-phone",
+ "personal-mobile-phone",
+ "personal-fax",
+ "work-phone",
+ "work-fax"
+ ]
+ },
+ "digital-number-ov": {
+ "type": "string",
+ "enum": [
+ "organizational",
+ "personal",
+ "work"
+ ]
+ }
 }
-}
\ No newline at end of file
+}
diff --git a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc
index 1d49efb82bb..2cbcaee6370 100644
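Review bot: In the new `classified` property block, `"default": false` is not followed by a comma before `"description"`, which makes the whole extension-definition schema unparseable; the same omission is repeated in the hunks at @@ -56 and @@ -82. Each of the three lines should read `"default": false,`. The descriptions (`Can be used to reach the individual on a classified phone.` / `... classified network.`) read as a statement about the channel, not about the sensitivity of the contact value itself; adding a sentence to each description saying that handling restrictions on the value are expressed through STIX data markings rather than this flag would stop producers from conflating the two.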
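Review bot: The new `definitions` block names its second vocabulary `digital-number-ov`, while the property descriptions in this same file (the hunks at @@ -56 and @@ -82) tell producers to draw values from `digital-contact-ov`, so a reader following the text will not find the definition; `"digital-contact-ov": {` would keep the two aligned. Neither new definition is referenced by a `$ref` from `contact_number_type` or `digital_contact_type` in the visible hunks, so as written they document the vocabularies without validating anything; if that is deliberate because these are open vocabularies, saying so in a `description` on each definition would make the intent explicit.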
--- a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc
+++ b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc
@@ -76,7 +76,7 @@ toc::[]
 The current STIX 2.1 Incident object exists as a stub in the hopes that future work would allow STIX Incidents to be more fully fleshed out using extensions, and that in time a set of core features could be defined to be migrated into a future version of the Incident object or the community could arrive at the consensus to continue to use these extensions. In the 1.0 version of the core incident extension information on impact, events, and tasks were embedded within the Incident itself, however this was found to have limitations.
-As such a 2.0 version of this extension has been created in order to separate these components into independent SDOs to more complex incidents to be accurately modeled.
+As such a 2.0 version of this extension has been created in order to separate these components into independent SDOs for more complex incidents to be accurately modeled.
 These extensions allow tracking incidents across their life cycle where Events are first flagged for investigation resulting in [stixtype]#{incident_url}[incidents]# with [stixtype]#<># being worked to resolve these. Incidents have [stixtype]#<># that change over time.
@@ -95,7 +95,7 @@ The Incident object should have sufficient properties to represent the current s
 === 2.1. Incident Core
-The properties and additional types within the Incident Core Extension are defined below. As this is not a top-level object, fields such as identifier are not present. This extension *MUST* use [stixliteral]#extension-definition--ef765651-680c-498d-9894-99799f2fa126# as its extension ID.
+The properties and additional types within the Incident Core Extension are defined below. As this is an extension of a top-level object, fields such as identifier are not present. This extension *MUST* use [stixliteral]#extension-definition--ef765651-680c-498d-9894-99799f2fa126# as its extension ID.
 <<<
@@ -108,7 +108,7 @@ The properties and additional types within the Incident Core Extension are defin
 |*determination* (required)
 |[stixtype]#<>#
 |A high level determination on the outcome of this incident.
-This *SHOULD* be [stixliteral]#suspected# until enough information is available to provide a well researched result.
+The value of this property *SHOULD* be [stixliteral]#suspected# until enough information is available to provide a well researched result.
 Some automated tools may flag results as blocked or low-value automatically depending on the tool type or activity. A tool that blocks a series of phishing emails may create an incident with a blocked determination automatically.
@@ -134,7 +134,7 @@ This value *MUST* be between 0 to 100. This can be translated into qualitative v
 |*detection_methods* (optional)
 |[stixtype]#{list_url}[list]# of type [stixtype]#{open_vocab_url}[open-vocab]#
 |A list of strings containing what was used to detect the activity, e.g., commercial tool names, techniques associated with proprietary solutions, human review, external sources, or other methods.
-This should draw from the [stixtype]#<>#.
+These values *SHOULD* be selected from the [stixtype]#<># open vocabulary.
 |*events* (optional)
 |[stixtype]#{list_url}[list]# of type [stixtype]#<>#
@@ -157,13 +157,13 @@ To affirmatively state no entities of a given class were impacted they should be
 |[stixtype]#{list_url}[list]# of type [stixtype]#{open_vocab_url}[open-vocab]#
 |This property uses an Open Vocabulary that specifies the type of incident that occurred, if applicable.
-This is an open vocabulary and values *SHOULD* come from the [stixtype]#<>#.
+The values of this property *SHOULD* come from the [stixtype]#<># open vocabulary.
 |*recoverability* (optional)
 |[stixtype]#<>#
 |The recoverability of this particular Incident with respect to feasibility and required time and resources.
-The values of this property *MUST* come from the [stixtype]#<>#
+The value of this property *MUST* come from the [stixtype]#<># enumeration.
 |*scores* (optional)
@@ -245,6 +245,7 @@ This can be used to supplement the created_by_ref in cases where external author
 [[event]]
 === 2.2. Event
+This new sdo extension *MUST* use [stixliteral]#extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e# as its extension ID.
 [width="100%",cols="100%",stripes=odd]
 |===
 ^|[stixtr]*Required Common Properties*
@@ -293,6 +294,9 @@ This can be used to supplement the created_by_ref in cases where external author
 |[stixtype]#<>#
 |The current status of the event.
+The values of this property *MUST* come from the [stixtype]#<>#
+enumeration.
+
 |*type* (required)
 |[stixtype]#{string_url}[string]#
 |The value of this property *MUST* be set to [stixliteral]#event#.
@@ -310,21 +314,23 @@ This is typically used to indicate how an event has affected impacts.
 |[stixtype]#{timestamp_url}[timestamp]#
 |The date and time the event was last recorded. If this is not present it is assumed to be unknown.
+If *start_time* and *end_time* properties are both defined, then end_time *MUST* be later than the start_time value.
+
 |*end_time_fidelity* (optional)
 |[stixtype]#<>#
 |The level of fidelity that the end_time is recorded in.
-This value *MUST* come from [stixtype]#<>#.
+This value *MUST* come from [stixtype]#<># enumeration.
 If no value is provided the timestamp should be considered to be
 accurate up to the number of decimals it includes.
 |*event_types* (optional)
 |[stixtype]#{list_url}[list]# of type [stixtype]#{open_vocab_url}[open-vocabulary]#
 |High level types for the event in order to enable aggregation and summaries.
-This should be drawn from [stixtype]#<>#.
+The value of this property *SHOULD* come from the [stixtype]#<># open vocabulary.
 |*goal* (optional)
 |[stixtype]#{string_url}[string]#
-|The assumed objective of this event.
+|The assumed goal, objective, desired outcome, or intended effect of this event.
 Not all events have goals.
 |*name* (optional)
@@ -349,7 +355,7 @@ This property *SHOULD* be populated.
 |*start_time_fidelity* (optional)
 |[stixtype]#<>#
 |The level of fidelity that the start_time is recorded in. This value
-*MUST* come from [stixtype]#<>#.
+*MUST* come from [stixtype]#<># enumeration.
 If no value is provided the timestamp should be considered to be
 accurate up to the number of decimals it includes.
@@ -425,6 +431,7 @@ For example, a dropper running allowed a ransomware tool to be downloaded and ru
 <<<
 [[impact]]
 === 2.3. Impact
+This new sdo extension *MUST* use [stixliteral]#extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9# as its extension ID.
 [width="100%",cols="100%",stripes=odd]
 |===
@@ -494,16 +501,18 @@ This property *SHOULD* be populated if the impact is resolved or mitigated.
 If the *superseded_by_ref* property is included this *MUST* be included.
+If *start_time* and *end_time* properties are both defined, then end_time *MUST* be later than the start_time value.
+
 |*end_time_fidelity* (optional)
 |[stixtype]#<>#
 |The level of fidelity that the end_time is recorded in.
-This value *MUST* come from [stixtype]#<>#.
+This value *MUST* come from [stixtype]#<># enumeration.
 |*impacted_entity_counts* (optional)
 |[stixtype]#<>#
 |An optional listing of the entity types that were impacted and how many of each were affected.
-If this field is not present it should be assumed that this information is not being shared, not that there were no impacted entities.
+If this property is not present it should be assumed that this information is not being shared, not that there were no impacted entities.
 |*impacted_refs* (optional)
 |[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]#
@@ -511,9 +520,9 @@ If this field is not present it should be assumed that this information is not b
 |*recoverability* (optional)
 |[stixtype]#<>#
-|The recoverability of this particular integrity impact with respect to feasibility and required time and resources.
+|The recoverability of this particular impact with respect to feasibility and required time and resources.
-The values of this property *MUST* come from the [stixtype]#<># enumeration
+The value of this property *MUST* come from the [stixtype]#<># enumeration.
 |*start_time* (optional)
 |[stixtype]#{timestamp_url}[timestamp]#
@@ -524,7 +533,7 @@ This property *SHOULD* be populated.
 |*start_time_fidelity* (optional)
 |[stixtype]#<>#
 |The level of fidelity that the start_time is recorded in.
-This value *MUST* come from [stixtype]#<>#.
+This value *MUST* come from [stixtype]#<># enumeration.
 If no value is provided the timestamp should be considered to be
 accurate up to the number of decimals it includes.
@@ -535,7 +544,7 @@ accurate up to the number of decimals it includes.
 This allows capturing how the severity of this impact changes over time. When populated the impact *MUST* have an *end_time*.
-It also *MUST* reference an [stixtype]#<># of the same as *impact_category*.
+It also *MUST* reference an [stixtype]#<># of the same as the *impact_category* property.
 |===
@@ -585,7 +594,7 @@ This value *MUST* be between 0 to 100. This can be translated into qualitative v
 |[stixtype]#{open_vocab_url}[open-vocab]#
 |The type of information that had its confidentiality compromised. This can include control systems and other processes that can result in virtual or physical impacts.
-This *SHOULD* be drawn from [stixtype]#<>#.
+The value of this property *SHOULD* come from the [stixtype]#<> open vocabulary#.
 This value *MUST* be included if the loss_type is not none. Including an entry with loss_type of none and no information_type indicates that no information had its confidentiality impacted by this incident.
@@ -593,6 +602,8 @@ This value *MUST* be included if the loss_type is not none. Including an entry w
 |[stixtype]#<>#
 |The type of loss that occurred to the relevant information
+The values of this property *MUST* come from the [stixtype]#<># enumeration.
+
 |*record_count* (optional)
 |[stixtype]#{int_url}[integer]#
 |The number of records of this type that were compromised. The value of this property *MUST NOT* be negative.
@@ -612,7 +623,9 @@ This value *MUST* be included if the loss_type is not none. Including an entry w
 |*impact_type* (required)
 |[stixtype]#{open_vocab_url}[open-vocab]#
-|The type of impact outside of the direct organization that should be drawn from [stixtype]#<>#.
+|The type of impact outside of the direct organization.
+
+The value of this property *SHOULD* come from the [stixtype]#<># open vocabulary.
 |===
 <<<
@@ -631,14 +644,14 @@ This value *MUST* be included if the loss_type is not none. Including an entry w
 |[stixtype]#<>#
 |The type of alteration performed against the information_type.
-The values of this property *MUST* come from the [stixtype]#<># enumeration.
+The value of this property *MUST* come from the [stixtype]#<># enumeration.
 |*information_type* (optional)
 |[stixtype]#{open_vocab_url}[open-vocab]#
 |The type of information that had its integrity compromised. This can include control systems and other processes that can result in virtual or physical impacts.
-This *SHOULD* be drawn from [stixtype]#<>#.
+The value of this property *SHOULD* come from the [stixtype]#<># open vocabulary.
 This value *MUST* be included if the alternation is not none.
 Including an entry that with an alteration of none and no information_type indicates that no information had its integrity impacted by this incident.
@@ -667,21 +680,21 @@ Including an entry that with an alteration of none and no information_type indic
 |[stixtype]#{open_vocab_url}[open-vocab]#
 |The variety of this monetary impact.
-The values of this property *SHOULD* come from the [stixtype]#<>#.
+The value of this property *SHOULD* come from the [stixtype]#<># open vocabulary.
 |*conversion_rate* (optional)
 |[stixtype]#{number_url}[number]#
-|The conversion rate between *currency* and *currency_actual*.
-This *MUST NOT* be included if currency_actual is not included.
-This *MUST* be included if currency_actual is included.
+|The conversion rate between the *currency* and *currency_actual* properties.
+This *MUST NOT* be included if the *currency_actual* property is not included.
+This *MUST* be included if the *currency_actual* property is included.
 This value *MUST* be greater than zero.
-This value *MUST* be included if the *min_amount* is included.
+This value *MUST* be included if the *min_amount* property is included.
 |*conversion_time* (optional)
 |[stixtype]#{timestamp_url}[timestamp]#
-|The timestamp when the *conversion_rate* was queried.
-This *MUST* be included if a *conversion_rate* is included.
+|The timestamp when the conversion rate was queried.
+This *MUST* be included if a *conversion_rate* property is included.
 |*currency* (optional)
 |[stixtype]#{string_url}[string]#|
@@ -689,15 +702,15 @@ The currency that the max_amount and min_amount fields use.
 This *SHOULD* be an ISO 4217 alpha currency code or the official currency code for the relevant cryptocurrency. This *SHOULD* match an organizations own primary currency, or for government reporting the currency requested by that government for these reports.
-This value *MUST* be included if the *min_amount* is included.
+This value *MUST* be included if the *min_amount* property is included.
 |*currency_actual* (optional)
 |[stixtype]#{string_url}[string]#|
 The currency that the impact actually used. For ransom demands this should be the currency of the demand.
-If this is not included it should be assumed to be the same value as *currency*.
+If this is not included it should be assumed to be the same value as the *currency* property.
-If this is included then *currency* *MUST* be included.
+If this is included then the *currency* property *MUST* be included.
 This *SHOULD* be an ISO 4217 alpha currency code or the official currency code for the relevant cryptocurrency.
 |*max_amount* (optional)
@@ -705,14 +718,14 @@ This *SHOULD* be an ISO 4217 alpha currency code or the official currency code f
 |The maximum damage estimate of this type in the provided currency.
 This value *MUST* be greater than zero.
-This value *MUST* be included if the *min_amount* is included.
+This value *MUST* be included if the *min_amount* property is included.
 |*min_amount* (optional)
 |[stixtype]#{number_url}[number]#
 |The minimum damage estimate of this type in the provided currency.
 This value *MUST* be greater than zero.
-This value *MUST* be included if the *max_amount* is included.
+This value *MUST* be included if the *max_amount* property is included.
 |===
@@ -730,14 +743,14 @@ This value *MUST* be included if the *max_amount* is included.
 |[stixtype]#<>#
 |The type of physical impact that has occurred.
-The values of this property *MUST* come from the [stixtype]#<>#
+The value of this property *MUST* come from the [stixtype]#<># enumeration.
 |*asset_type* (optional)
 |[stixtype]#{open_vocab_url}[open-vocab]#
 |The type or property or system that was affected by this impact.
-This *SHOULD* be drawn from [stixtype]#<>#.
+The value of this property *SHOULD* come from the [stixtype]#<># open vocabulary.
 This value *MUST* be included if the *impact_type* is not none.
 Including an entry with an *impact_type* of none and no asset_type indicates that no physical damage was caused by this incident.
@@ -756,7 +769,7 @@ Including an entry with an *impact_type* of none and no asset_type indicates tha
 |[stixtype]#<>#
 |The impact of this incident on a system or organization's ability to perform audits or provide non-repudiation.
-The values of this property *MUST* come from the [stixtype]#<># enumeration
+The value of this property *MUST* come from the [stixtype]#<># enumeration.
 |===
@@ -814,6 +827,8 @@ The values of this property *MUST* come from the [stixtype]#<>#
 |The outcome of the task.
+The value of this property *MUST* come from the [stixtype]#<># enumeration.
+
 |*type* (required)
 |[stixtype]#{string_url}[string]#
 |The value of this property *MUST* be set to [stixliteral]#task#.
@@ -826,7 +841,7 @@ This is typically used to indicate how an task has affected impacts.
 |*task_types* (optional)
 |[stixtype]#{list_url}[list]# of type [stixtype]#{open_vocab_url}[open-vocabulary]#
 |A list of high level types for the task in order to enable aggregation and summaries.
-This should be drawn from [stixtype]#<>#.
+The values of this property *SHOULD* come from the [stixtype]#<># open vocabulary.
 |*description* (optional)
 |[stixtype]#{string_url}[string]#
@@ -839,7 +854,7 @@ This should be drawn from [stixtype]#<>#.
 |*end_time_fidelity* (optional)
 |[stixtype]#<>#
 |The level of fidelity that the end_time is recorded in.
-This value *MUST* come from [stixtype]#<>#.
+This value *MUST* come from [stixtype]#<># enumeration.
 If no value is provided the timestamp should be considered to be
 accurate up to the number of decimals it includes.
@@ -873,7 +888,7 @@ This property *SHOULD* be populated.
 |*start_time_fidelity* (optional)
 |[stixtype]#<>#
 |The level of fidelity that the start_time is recorded in. This value
-*MUST* come from [stixtype]#<>#.
+*MUST* come from [stixtype]#<># enumeration.
 If no value is provided the timestamp should be considered to be
 accurate up to the number of decimals it includes.
@@ -991,7 +1006,7 @@ Using these embedded relationships ensure that an incomplete sequence cannot be
 The Entity Count type represents the count of one or more entity types. The name of each entity type *MUST* be specified as a key in the dictionary and *MUST* identify the count of the entity that corresponds to the value.
-Each key *SHOULD* come from [stixtype]#<>#.
+Each key *SHOULD* come from [stixtype]#<># open vocabulary.
 This value *MUST* be an [stixtype]#{int_url}[integer]# that is equal to or greater than zero.
 *Examples:*
@@ -1039,7 +1054,7 @@ _0 individuals_
 |*event_ref* (required)
 |[stixtype]#{identifier_url}[identifier]#
 |The event that is described by this entry.
-This *MUST* reference [stixtype]#<>#.
+This *MUST* reference an [stixtype]#<># object.
 |*next_steps* (optional)
 |[stixtype]#{list_url}[list]# of type [stixtype]#<>#
@@ -1081,11 +1096,15 @@ This reference *MUST* be included as an *event_ref* within the parent array of [
 |If the referenced step required the current one to be successful.
 If it is optional, or if it is unknown.
+The values of this property *MUST* come from the [stixtype]#<># enumeration.
+
 |*transition_type* (required)
 |[stixtype]#<>#
 |What state the referenced step depends on.
 If it is performed upon success, failure, simple completion, or if it is unknown.
+The values of this property *MUST* come from the [stixtype]#<># enumeration.
+
 |===
 <<<
@@ -1110,7 +1129,7 @@ If it is performed upon success, failure, simple completion, or if it is unknown
 |*description* (optional)
 |[stixtype]#{string_url}[string]#
-|An optional description about how this score was calculated at for systems that provide these.
+|An optional description about how this score was calculated for systems that provide this information.
 |===
 <<<
@@ -1132,7 +1151,7 @@ The *initial_ref* or *result_ref* *MUST* be populated.
 |[stixtype]#{open_vocab_url}[open-vocabulary]#
 |How this activity influenced the change in state between the *initial_ref* and *result_ref*.
-This *SHOULD* be drawn from [stixtype]#<>#.
+The value of this property *SHOULD* come from the [stixtype]#<># open vocabulary.
 |*initial_ref* (optional)
 |[stixtype]#{identifier_url}[identifier]#
@@ -1211,6 +1230,8 @@ As these are always stored in an array of steps within an array of task entries
 |If the referenced step required the current one to be successful.
 If it is optional, or if it is unknown.
+The values of this property *MUST* come from the [stixtype]#<># enumeration.
+
 |*task_ref* (required)
 |[stixtype]#{identifier_url}[identifier]#
 |The identity of the event that is described by this entry.
@@ -1222,6 +1243,8 @@ This reference *MUST* be included as an *task_ref* within the parent array of [s
 |What state the referenced step depends on.
 If it is performed upon success, failure, simple completion, or if it is unknown.
+The values of this property *MUST* come from the [stixtype]#<># enumeration.
+
 |===
 <<<
@@ -1893,7 +1916,7 @@ The destruction or encryption of this data can cause availability impacts.
 |[stixliteral]#input#
 |This task or event took in a group as an input for automated or playbook activities.
-If this is selected *initial_ref* MUST be populated.
+If this is selected the *initial_ref* property *MUST* be populated.
 |[stixliteral]#mitigated#
 |This task or event lessened the severity of the initial object.
@@ -1901,7 +1924,7 @@ If this is selected *initial_ref* MUST be populated.
 |[stixliteral]#output#
 |This task or event produced a group as an output as part of automated or playbook activities.
-If this is selected *result_ref* MUST be populated.
+If this is selected the *result_ref* property *MUST* be populated..
 |[stixliteral]#resolved#
 |This task or event resolved the initial object.
@@ -2662,4 +2685,4 @@ Added [stixliteral]#ransom-demand# and [stixliteral]#ransom-payment# to [stixtyp
 |Richard Piazza and Jeffrey Mates
 |Multiple editorial fixes, removing copy paste errors and obsolete relationships.
-|===
\ No newline at end of file
+|===