From 24c8dd7e35be0fbf9bf3e764ecf25f27b85f1faa Mon Sep 17 00:00:00 2001 From: Ali Zaini Date: Tue, 28 Nov 2023 14:24:39 -0500 Subject: [PATCH 01/10] initial commit of section examples --- .../incident-core/examples/example_2.1.json | 41 +++++++++++++++++++ .../incident-core/examples/example_2.2.json | 24 +++++++++++ .../incident-core/examples/example_2.3.json | 17 ++++++++ .../incident-core/examples/example_2.4.json | 24 +++++++++++ .../incident-core/examples/example_3.2.json | 11 +++++ .../incident-core/examples/example_3.3.json | 5 +++ .../incident-core/examples/example_3.4.json | 7 ++++ .../incident-core/examples/example_3.5.json | 7 ++++ .../incident-core/examples/example_3.6.json | 11 +++++ .../incident-core/examples/example_3.7.json | 5 +++ 10 files changed, 152 insertions(+) create mode 100644 extension-definition-specifications/incident-core/examples/example_2.1.json create mode 100644 extension-definition-specifications/incident-core/examples/example_2.2.json create mode 100644 extension-definition-specifications/incident-core/examples/example_2.3.json create mode 100644 extension-definition-specifications/incident-core/examples/example_2.4.json create mode 100644 extension-definition-specifications/incident-core/examples/example_3.2.json create mode 100644 extension-definition-specifications/incident-core/examples/example_3.3.json create mode 100644 extension-definition-specifications/incident-core/examples/example_3.4.json create mode 100644 extension-definition-specifications/incident-core/examples/example_3.5.json create mode 100644 extension-definition-specifications/incident-core/examples/example_3.6.json create mode 100644 extension-definition-specifications/incident-core/examples/example_3.7.json diff --git a/extension-definition-specifications/incident-core/examples/example_2.1.json b/extension-definition-specifications/incident-core/examples/example_2.1.json new file mode 100644 index 00000000000..30872612eca --- /dev/null 
+++ b/extension-definition-specifications/incident-core/examples/example_2.1.json
@@ -0,0 +1,41 @@
+{
+ "determination": "confirmed",
+ "extension_type": "property-extension",
+ "investigation_status": "open",
+ "criticality": 70,
+ "detection_methods": [
+ "automated-tool",
+ "human-review"
+ ],
+ "events": [
+ {
+ "event_ref": "event--9ca38544-c247-45d9-9e33-957ba7c9e119"
+ }
+ ],
+ "impact_refs": [
+ "impact--7a5806e4-0f37-4c48-9a50-7301bff4b195"
+ ],
+ "impacted_entity_counts": {
+ "individual": 100,
+ "employee": 70,
+ "customer-individual": 30
+ },
+ "incident_types": [
+ "hosting-phishing-sites"
+ ],
+ "recoverability": "regular",
+ "scores": [
+ {
+ "incident-score": {
+ "name": "ExampleSystem Automated Exposure Score",
+ "value": 75.5,
+ "description": "The score is calculated based on the severity of the incident and the potential impact on the organization."
+ }
+ }
+ ],
+ "tasks": [
+ {
+ "task_ref": "task--a45aaed9-6504-4f95-982e-78508726eb5a"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/extension-definition-specifications/incident-core/examples/example_2.2.json b/extension-definition-specifications/incident-core/examples/example_2.2.json
new file mode 100644
index 00000000000..7b62353dee6
--- /dev/null
+++ b/extension-definition-specifications/incident-core/examples/example_2.2.json
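Review bot: The `scores` entries wrap each score in an extra object keyed `"incident-score"`, which does not match example_3.4.json in this same commit, where an incident-score is a bare object with `name`, `value` and `description`; if `scores` is a list of incident-score type, each element should be `{ "name": "...", "value": 75.5, "description": "..." }` directly. The `event_ref`, `impact_refs` and `task_ref` values here also do not resolve to the ids used by the sibling examples (`event--68e1e976-…`, `impact--f3e1a6f3-…`, `task--4e1e2a5a-…`), so the examples cannot be loaded together as one consistent bundle. An `incident_types` value of `hosting-phishing-sites` also reads oddly next to the sibling Event, which describes the organisation's own email accounts being phished.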
@@ -0,0 +1,24 @@
+{
+ "type": "event",
+ "id": "event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6",
+ "status": "ongoing",
+ "changed_objects": [
+ {
+ "state_change": {
+ "state_change_type": "escalation",
+ "initial_ref": "impact--d1e4f6c7-3b1a-4b5c-8a5a-9e7b8a9a5b6c",
+ "result_ref": "impact--c1f2d3e4-5b6c-7a8d-9e0a-1b2c3d4e5f6g"
+ }
+ }
+ ],
+ "description": "Phishing attack on company email accounts.",
+ "end_time": "2023-11-22T15:30:00Z",
+ "end_time_fidelity": "minute",
+ "event_types": [
+ "phishing"
+ ],
+ "goal": "Gain unauthorized access to sensitive information.",
+ "name": "Phishing Attack",
+ "start_time": "2023-11-22T14:30:00Z",
+ "start_time_fidelity": "minute"
+}
\ No newline at end of file
diff --git a/extension-definition-specifications/incident-core/examples/example_2.3.json b/extension-definition-specifications/incident-core/examples/example_2.3.json
new file mode 100644
index 00000000000..8d0b18dc378
--- /dev/null
+++ b/extension-definition-specifications/incident-core/examples/example_2.3.json
@@ -0,0 +1,17 @@
+{
+ "type": "impact",
+ "id": "impact--f3e1a6f3-1a95-457a-84a7-887c2d9e5e7c",
+ "impact_category": "availability",
+ "criticality": 70,
+ "description": "Loss of availability for a critical service.",
+ "end_time": "2023-11-22T16:00:00Z",
+ "end_time_fidelity": "minute",
+ "impacted_entity_counts": {
+ "system": 1
+ },
+ "impacted_refs": [
+ "infrastructure--a1b2c3d4-5e6f-7a8d-9e0a-1b2c3d4e5f6g"
+ ],
+ "start_time": "2023-11-22T15:30:00Z",
+ "start_time_fidelity": "minute"
+}
\ No newline at end of file
diff --git a/extension-definition-specifications/incident-core/examples/example_2.4.json b/extension-definition-specifications/incident-core/examples/example_2.4.json
new file mode 100644
index 00000000000..16174b18378
--- /dev/null
+++ b/extension-definition-specifications/incident-core/examples/example_2.4.json
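Review bot: `result_ref` is `impact--c1f2d3e4-5b6c-7a8d-9e0a-1b2c3d4e5f6g`, which is not a valid STIX identifier: `g` is outside the hex alphabet, so the value fails the `type--UUID` pattern that any schema-based validator checks. Replace the UUID part with a generated one, e.g. `"result_ref": "impact--c1f2d3e4-5b6c-4a8d-9e0a-1b2c3d4e5f60"`, and ideally point it at the id of a real Impact example so the escalation can be followed across files. A `status` of `ongoing` next to a populated `end_time` of 15:30 also looks contradictory; one of the two should probably be changed.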
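Review bot: The `impacted_refs` entry `infrastructure--a1b2c3d4-5e6f-7a8d-9e0a-1b2c3d4e5f6g` is not a valid identifier because `g` is not a hex digit, so a reader who pastes this Impact example into a validator gets an error on the reference rather than on the properties the example is meant to illustrate. Substitute a generated UUID, e.g. `"infrastructure--a1b2c3d4-5e6f-4a8d-9e0a-1b2c3d4e5f60"`. The object's own `id` is well-formed and is what example_2.4.json's `initial_ref` points at, so keep it unchanged.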
@@ -0,0 +1,24 @@
+{
+ "type": "task",
+ "id": "task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c",
+ "outcome": "successful",
+ "changed_objects": [
+ {
+ "state_change": {
+ "state_change_type": "mitigated",
+ "initial_ref": "impact--f3e1a6f3-1a95-457a-84a7-887c2d9e5e7c",
+ "result_ref": "impact--c1f2d3e4-5b6c-7a8d-9e0a-1b2c3d4e5f6g"
+ }
+ }
+ ],
+ "description": "Mitigated the impact of the phishing attack.",
+ "end_time": "2023-11-22T16:30:00Z",
+ "end_time_fidelity": "minute",
+ "task_types": [
+ "blocked"
+ ],
+ "name": "Mitigation Task",
+ "priority": 80,
+ "start_time": "2023-11-22T15:30:00Z",
+ "start_time_fidelity": "minute"
+}
\ No newline at end of file
diff --git a/extension-definition-specifications/incident-core/examples/example_3.2.json b/extension-definition-specifications/incident-core/examples/example_3.2.json
new file mode 100644
index 00000000000..492471c3607
--- /dev/null
+++ b/extension-definition-specifications/incident-core/examples/example_3.2.json
@@ -0,0 +1,11 @@
+{
+ "event_ref": "event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6",
+ "next_steps": [
+ {
+ "event_ref": "event--f3e1a6f3-1a95-457a-84a7-887c2d9e5e7c",
+ "condition_type": "required",
+ "transition_type": "success"
+ }
+ ],
+ "sequence_start": true
+}
\ No newline at end of file
diff --git a/extension-definition-specifications/incident-core/examples/example_3.3.json b/extension-definition-specifications/incident-core/examples/example_3.3.json
new file mode 100644
index 00000000000..bbfd5439ced
--- /dev/null
+++ b/extension-definition-specifications/incident-core/examples/example_3.3.json
@@ -0,0 +1,5 @@
+{
+ "event_ref": "event--f3e1a6f3-1a95-457a-84a7-887c2d9e5e7c",
+ "condition_type": "required",
+ "transition_type": "success"
+}
\ No newline at end of file
diff --git a/extension-definition-specifications/incident-core/examples/example_3.4.json b/extension-definition-specifications/incident-core/examples/example_3.4.json
new file mode 100644
index 00000000000..ac18775b665
--- /dev/null
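Review bot: `result_ref` reuses the malformed id `impact--c1f2d3e4-5b6c-7a8d-9e0a-1b2c3d4e5f6g` (`g` is not hex), so this Task example fails identifier validation just as example_2.2.json does. `initial_ref` correctly matches the Impact id from example_2.3.json, and the result side should follow the same pattern: a generated UUID, preferably the id of a real post-mitigation Impact example, e.g. `"result_ref": "impact--c1f2d3e4-5b6c-4a8d-9e0a-1b2c3d4e5f60"`. The timeline is also worth a glance: the task starts at 15:30, the same minute the Impact it mitigates begins.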
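Review bot: The `next_steps[0].event_ref` value `event--f3e1a6f3-1a95-457a-84a7-887c2d9e5e7c` reuses the UUID of the Impact in example_2.3.json under a different type prefix; STIX identifiers are expected to be unique per object, so this reads as a collision rather than as a second Event. The adoc text in this series says `event_ref` values in sequence entries must validate against the whole array of event entries, so the target should be an Event id that is itself listed as an entry, i.e. a fresh `event--…` UUID that also appears in the incident's `events` list. The same reference is repeated in example_3.3.json and should be changed together.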
+++ b/extension-definition-specifications/incident-core/examples/example_3.4.json
@@ -0,0 +1,7 @@
+{
+ "type": "incident-score",
+ "id": "incident-score--b0e7e6a5-6e2c-4a0b-8d5a-8a5e92a5a5bc",
+ "name": "ExampleSystem Automated Exposure Score",
+ "value": 75.5,
+ "description": "The score is calculated based on the severity of the incident and the potential impact on the organization."
+}
\ No newline at end of file
diff --git a/extension-definition-specifications/incident-core/examples/example_3.5.json b/extension-definition-specifications/incident-core/examples/example_3.5.json
new file mode 100644
index 00000000000..d44405a40e5
--- /dev/null
+++ b/extension-definition-specifications/incident-core/examples/example_3.5.json
@@ -0,0 +1,7 @@
+{
+ "type": "state-change",
+ "id": "state-change--5e51b49b-6c9b-4e5a-8bc4-82e0a5b5c5c2",
+ "state_change_type": "escalation",
+ "initial_ref": "incident--d1e4f6c7-3b1a-4b5c-8a5a-9e7b8a9a5b6c",
+ "result_ref": "incident--c1f2d3e4-5b6c-7a8d-9e0a-1b2c3d4e5f6g"
+}
\ No newline at end of file
diff --git a/extension-definition-specifications/incident-core/examples/example_3.6.json b/extension-definition-specifications/incident-core/examples/example_3.6.json
new file mode 100644
index 00000000000..49cea5494b7
--- /dev/null
+++ b/extension-definition-specifications/incident-core/examples/example_3.6.json
@@ -0,0 +1,11 @@
+{
+ "task_ref": "task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c",
+ "next_steps": [
+ {
+ "task_ref": "task--3e2a1f4b-5c6d-7e8f-9a0b-1c2d3e4f5g6h",
+ "condition_type": "required",
+ "transition_type": "success"
+ }
+ ],
+ "sequence_start": true
+}
\ No newline at end of file
diff --git a/extension-definition-specifications/incident-core/examples/example_3.7.json b/extension-definition-specifications/incident-core/examples/example_3.7.json
new file mode 100644
index 00000000000..deee4d9d515
--- /dev/null
+++ b/extension-definition-specifications/incident-core/examples/example_3.7.json
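Review bot: The `next_steps[0].task_ref` value `task--3e2a1f4b-5c6d-7e8f-9a0b-1c2d3e4f5g6h` contains `g` and `h`, which are not hex digits, so it is not a valid STIX identifier and will be rejected by any schema-based validator. Replace it with a generated UUID, e.g. `"task_ref": "task--3e2a1f4b-5c6d-4e8f-9a0b-1c2d3e4f5a6b"`, and preferably make it the id of a real Task example so the sequence resolves. The identical string is used in example_3.7.json and should be corrected consistently.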
@@ -0,0 +1,5 @@ +{ + "condition_type": "required", + "task_ref": "task--3e2a1f4b-5c6d-7e8f-9a0b-1c2d3e4f5g6h", + "transition_type": "success" +} \ No newline at end of file From eacd6df478e477ddd5754efde50ee4f2590eec66 Mon Sep 17 00:00:00 2001 From: Ali Zaini Date: Tue, 28 Nov 2023 14:36:39 -0500 Subject: [PATCH 02/10] add examples to adoc --- .../Incident Extension Suite.adoc | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc index 2cbcaee6370..4be6903f460 100644 --- a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc @@ -97,6 +97,13 @@ The Incident object should have sufficient properties to represent the current s The properties and additional types within the Incident Core Extension are defined below. As this is an extension of a top-level object, fields such as identifier are not present. This extension *MUST* use [stixliteral]#extension-definition--ef765651-680c-498d-9894-99799f2fa126# as its extension ID. +*2.1 Example* + +[source,json] +---- +include::examples/example_2.1.json[] +---- + <<< [width="100%",cols="37%,23%,40%",options="header"] @@ -246,6 +253,14 @@ This can be used to supplement the created_by_ref in cases where external author === 2.2. Event This new sdo extension *MUST* use [stixliteral]#extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e# as its extension ID. + +*2.2 Example* + +[source,json] +---- +include::examples/example_2.2.json[] +---- + [width="100%",cols="100%",stripes=odd] |=== ^|[stixtr]*Required Common Properties* 
@@ -433,6 +448,13 @@ For example, a dropper running allowed a ransomware tool to be downloaded and ru === 2.3. Impact This new sdo extension *MUST* use [stixliteral]#extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9# as its extension ID. +*2.3 Example* + +[source,json] +---- +include::examples/example_2.3.json[] +---- + [width="100%",cols="100%",stripes=odd] |=== ^|[stixtr]*Required Common Properties* @@ -777,6 +799,13 @@ The value of this property *MUST* come from the [stixtype]#< Date: Wed, 29 Nov 2023 10:54:40 -0500 Subject: [PATCH 03/10] add section extensions --- .../Incident Extension Suite.adoc | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc index 4be6903f460..1fc50ec45fb 100644 --- a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc @@ -97,7 +97,7 @@ The Incident object should have sufficient properties to represent the current s The properties and additional types within the Incident Core Extension are defined below. As this is an extension of a top-level object, fields such as identifier are not present. This extension *MUST* use [stixliteral]#extension-definition--ef765651-680c-498d-9894-99799f2fa126# as its extension ID. -*2.1 Example* +*2.1.1 Example* [source,json] ---- @@ -254,7 +254,7 @@ This can be used to supplement the created_by_ref in cases where external author This new sdo extension *MUST* use [stixliteral]#extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e# as its extension ID. -*2.2 Example* +*2.2.1 Example* [source,json] ---- 
@@ -448,7 +448,7 @@ For example, a dropper running allowed a ransomware tool to be downloaded and ru === 2.3. Impact This new sdo extension *MUST* use [stixliteral]#extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9# as its extension ID. -*2.3 Example* +*2.3.1 Example* [source,json] ---- @@ -799,7 +799,7 @@ The value of this property *MUST* come from the [stixtype]#< Date: Wed, 29 Nov 2023 15:25:44 -0500 Subject: [PATCH 04/10] created 3.2.x examples and corrected doc numbering --- .../Incident Extension Suite.adoc | 80 +++++++++++++++---- ...xample_2.3.json => example_2.3.2.1.1.json} | 11 ++- .../examples/example_2.3.2.2.1.json | 16 ++++ .../examples/example_2.3.2.3.1.json | 14 ++++ .../examples/example_2.3.2.4.1.json | 16 ++++ .../examples/example_2.3.2.5.1.json | 17 ++++ .../examples/example_2.3.2.6.1.json | 15 ++++ .../examples/example_2.3.2.7.1.json | 14 ++++ 8 files changed, 163 insertions(+), 20 deletions(-) rename extension-definition-specifications/incident-core/examples/{example_2.3.json => example_2.3.2.1.1.json} (57%) create mode 100644 extension-definition-specifications/incident-core/examples/example_2.3.2.2.1.json create mode 100644 extension-definition-specifications/incident-core/examples/example_2.3.2.3.1.json create mode 100644 extension-definition-specifications/incident-core/examples/example_2.3.2.4.1.json create mode 100644 extension-definition-specifications/incident-core/examples/example_2.3.2.5.1.json create mode 100644 extension-definition-specifications/incident-core/examples/example_2.3.2.6.1.json create mode 100644 extension-definition-specifications/incident-core/examples/example_2.3.2.7.1.json diff --git a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc index 1fc50ec45fb..ccf642ecd86 100644 --- a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc 
+++ b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc @@ -254,12 +254,6 @@ This can be used to supplement the created_by_ref in cases where external author This new sdo extension *MUST* use [stixliteral]#extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e# as its extension ID. -*2.2.1 Example* - -[source,json] ----- -include::examples/example_2.2.json[] ----- [width="100%",cols="100%",stripes=odd] |=== @@ -443,17 +437,18 @@ For example, a dropper running allowed a ransomware tool to be downloaded and ru // end::event-relationships[] +*2.2.2 Example* + +[source,json] +---- +include::examples/example_2.2.json[] +---- + <<< [[impact]] === 2.3. Impact This new sdo extension *MUST* use [stixliteral]#extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9# as its extension ID. -*2.3.1 Example* - -[source,json] ----- -include::examples/example_2.3.json[] ----- [width="100%",cols="100%",stripes=odd] |=== @@ -602,6 +597,13 @@ This value *MUST* be between 0 to 100. This can be translated into qualitative v |=== +*2.3.2.1.1 Availability Impact Example* + +[source,json] +---- +include::examples/example_2.3.2.1.1.json[] +---- + <<< ===== 2.3.2.2. Confidentiality Impact Extension @@ -635,6 +637,13 @@ The values of this property *MUST* come from the [stixtype]#< Date: Mon, 4 Dec 2023 09:54:52 -0500 Subject: [PATCH 05/10] fix header format --- .../Incident Extension Suite.adoc | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc index ccf642ecd86..554232ef064 100644 --- a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc 
@@ -97,7 +97,7 @@ The Incident object should have sufficient properties to represent the current s The properties and additional types within the Incident Core Extension are defined below. As this is an extension of a top-level object, fields such as identifier are not present. This extension *MUST* use [stixliteral]#extension-definition--ef765651-680c-498d-9894-99799f2fa126# as its extension ID. -*2.1.1 Example* +==== 2.1.1 Example [source,json] ---- @@ -437,7 +437,7 @@ For example, a dropper running allowed a ransomware tool to be downloaded and ru // end::event-relationships[] -*2.2.2 Example* +==== 2.2.2 Example [source,json] ---- @@ -597,7 +597,7 @@ This value *MUST* be between 0 to 100. This can be translated into qualitative v |=== -*2.3.2.1.1 Availability Impact Example* +===== 2.3.2.1.1 Availability Impact Example [source,json] ---- @@ -637,7 +637,7 @@ The values of this property *MUST* come from the [stixtype]#< Date: Mon, 4 Dec 2023 10:07:11 -0500 Subject: [PATCH 06/10] fix order of examples to be after property --- .../Incident Extension Suite.adoc | 78 +++++++++---------- 1 file changed, 38 insertions(+), 40 deletions(-) diff --git a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc index 554232ef064..b28b6c3e3df 100644 --- a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc @@ -1118,13 +1118,6 @@ _0 individuals_ [[event-entry]] === 3.2. Event Entry Object Type -==== 3.2.1 Example - -[source,json] ----- -include::examples/example_3.2.json[] ----- - *Type Name:* [stixtype]#event-entry# [width="100%",cols="37%,23%,40%",options="header",] 
@@ -1153,18 +1146,19 @@ Default value is [stixliteral]#true#. |=== +==== 3.2.1 Example + +[source,json] +---- +include::examples/example_3.2.json[] +---- + [[event-sequence-entry]] === 3.3. Event Sequence Object Type Event sequence entries store references to subsequent steps for an event entry. As these are always stored in an array of steps within an array of event entries validation rules for *event_ref* *MUST* be performed against the entire array of event entries. -==== 3.3.1 Example - -[source,json] ----- -include::examples/example_3.3.json[] ----- *Type Name:* [stixtype]#event-sequence-entry# @@ -1196,18 +1190,18 @@ The values of this property *MUST* come from the [stixtype]#< Date: Mon, 4 Dec 2023 10:07:39 -0500 Subject: [PATCH 07/10] fix external impact example --- .../incident-core/Incident Extension Suite.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc index b28b6c3e3df..794dee7229c 100644 --- a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc @@ -665,7 +665,7 @@ The value of this property *SHOULD* come from the [stixtype]#< Date: Mon, 4 Dec 2023 10:16:50 -0500 Subject: [PATCH 08/10] correct examples by fixing common properties --- .../incident-core/examples/example_2.1.json | 5 +++++ .../incident-core/examples/example_2.2.json | 3 +++ .../incident-core/examples/example_2.3.2.1.1.json | 3 +++ .../incident-core/examples/example_2.4.json | 3 +++ .../incident-core/examples/example_3.4.json | 2 -- .../incident-core/examples/example_3.5.json | 2 -- 6 files changed, 14 insertions(+), 4 deletions(-) 
diff --git a/extension-definition-specifications/incident-core/examples/example_2.1.json b/extension-definition-specifications/incident-core/examples/example_2.1.json
index 30872612eca..e5d1eceb8ea 100644
--- a/extension-definition-specifications/incident-core/examples/example_2.1.json
+++ b/extension-definition-specifications/incident-core/examples/example_2.1.json
@@ -1,4 +1,9 @@
 {
+ "type": "incident",
+ "id": "incident--b0e7e6a5-6e2c-4a0b-8d5a-8a5e92a5a5bc",
+ "created": "2023-11-22T15:30:00Z",
+ "modified": "2023-11-22T15:30:00Z",
+ "spec_version": "2.1",
 "determination": "confirmed",
 "extension_type": "property-extension",
 "investigation_status": "open",
diff --git a/extension-definition-specifications/incident-core/examples/example_2.2.json b/extension-definition-specifications/incident-core/examples/example_2.2.json
index 7b62353dee6..bd2cea772ba 100644
--- a/extension-definition-specifications/incident-core/examples/example_2.2.json
+++ b/extension-definition-specifications/incident-core/examples/example_2.2.json
@@ -1,6 +1,9 @@
 {
 "type": "event",
 "id": "event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6",
+ "created": "2023-11-22T15:30:00Z",
+ "modified": "2023-11-22T15:30:00Z",
+ "spec_version": "2.1",
 "status": "ongoing",
 "changed_objects": [
 {
diff --git a/extension-definition-specifications/incident-core/examples/example_2.3.2.1.1.json b/extension-definition-specifications/incident-core/examples/example_2.3.2.1.1.json
index b2607a2a519..c8929aa2b65 100644
--- a/extension-definition-specifications/incident-core/examples/example_2.3.2.1.1.json
+++ b/extension-definition-specifications/incident-core/examples/example_2.3.2.1.1.json
@@ -1,6 +1,9 @@
 {
 "type": "impact",
 "id": "impact--de425325-5ac8-4f4b-ace7-054301b80863",
+ "created": "2023-11-22T15:30:00Z",
+ "modified": "2023-11-22T15:30:00Z",
+ "spec_version": "2.1",
 "impact_category": "availability",
 "criticality": 70,
 "description": "Loss of availability for a critical service.",
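Review bot: With the common properties added, the extension's own properties (`extension_type`, `determination`, `investigation_status`, `criticality`, and the rest of the file) still sit at the top level of the Incident object, which is not how a STIX 2.1 property extension is serialized; they belong inside `"extensions": { "extension-definition--ef765651-680c-498d-9894-99799f2fa126": { "extension_type": "property-extension", ... } }`, using the extension ID the adoc assigns to this extension. As written, a STIX consumer would treat `determination` and friends as unknown custom properties and would never apply the extension definition. Only the first lines of the object are visible in this hunk; the wrapper needs to enclose everything after `spec_version` down to the closing brace.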
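Review bot: The Event example still carries no `extensions` property, even though the adoc says this new-SDO extension MUST use `extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e`; a STIX 2.1 consumer recognises a custom object type through that entry, so without it `"type": "event"` is just an unregistered type. Add `"extensions": { "extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e": { "extension_type": "new-sdo" } }` next to the common properties introduced here. The remainder of the object is outside this hunk.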
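Review bot: The Impact example lacks the `extensions` property that the adoc requires for this new SDO (`extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9`), so the added `spec_version`/`created`/`modified` lines make it look like a complete STIX object while it still cannot be interpreted as an Impact. Add `"extensions": { "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": { "extension_type": "new-sdo" } }` alongside `spec_version`. The availability-specific properties this example exists to show are outside the visible hunk.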
diff --git a/extension-definition-specifications/incident-core/examples/example_2.4.json b/extension-definition-specifications/incident-core/examples/example_2.4.json
index 16174b18378..a8847a39bed 100644
--- a/extension-definition-specifications/incident-core/examples/example_2.4.json
+++ b/extension-definition-specifications/incident-core/examples/example_2.4.json
@@ -1,6 +1,9 @@
 {
 "type": "task",
 "id": "task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c",
+ "created": "2023-11-22T15:30:00Z",
+ "modified": "2023-11-22T15:30:00Z",
+ "spec_version": "2.1",
 "outcome": "successful",
 "changed_objects": [
 {
diff --git a/extension-definition-specifications/incident-core/examples/example_3.4.json b/extension-definition-specifications/incident-core/examples/example_3.4.json
index ac18775b665..8c405fb60ce 100644
--- a/extension-definition-specifications/incident-core/examples/example_3.4.json
+++ b/extension-definition-specifications/incident-core/examples/example_3.4.json
@@ -1,6 +1,4 @@
 {
- "type": "incident-score",
- "id": "incident-score--b0e7e6a5-6e2c-4a0b-8d5a-8a5e92a5a5bc",
 "name": "ExampleSystem Automated Exposure Score",
 "value": 75.5,
 "description": "The score is calculated based on the severity of the incident and the potential impact on the organization."
diff --git a/extension-definition-specifications/incident-core/examples/example_3.5.json b/extension-definition-specifications/incident-core/examples/example_3.5.json
index d44405a40e5..7a4b5799baa 100644
--- a/extension-definition-specifications/incident-core/examples/example_3.5.json
+++ b/extension-definition-specifications/incident-core/examples/example_3.5.json
@@ -1,6 +1,4 @@
 {
- "type": "state-change",
- "id": "state-change--5e51b49b-6c9b-4e5a-8bc4-82e0a5b5c5c2",
 "state_change_type": "escalation",
 "initial_ref": "incident--d1e4f6c7-3b1a-4b5c-8a5a-9e7b8a9a5b6c",
 "result_ref": "incident--c1f2d3e4-5b6c-7a8d-9e0a-1b2c3d4e5f6g"
From 345dccaf9ebaa0aeb28c63e54c05e995972d43ec Mon Sep 17 00:00:00 2001
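Review bot: The Task example gains `created`/`modified`/`spec_version` but no `extensions` entry, so a STIX 2.1 consumer has nothing that ties `"type": "task"` to an extension definition; the adoc assigns an extension ID to the Task SDO (not visible in this excerpt), and the example should declare it as `"extensions": { "<task extension-definition id>": { "extension_type": "new-sdo" } }`, mirroring what the Event and Impact examples need. The `changed_objects` block, including the `result_ref` the earlier commit introduced, is outside this hunk.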
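Review bot: The retained `result_ref` line `incident--c1f2d3e4-5b6c-7a8d-9e0a-1b2c3d4e5f6g` is still not a valid identifier (`g` is not a hex digit), so dropping `type` and `id` fixes the sub-object's shape but leaves the example unvalidatable. Replace it with a generated UUID, e.g. `"result_ref": "incident--c1f2d3e4-5b6c-4a8d-9e0a-1b2c3d4e5f60"`. The `initial_ref` on the line above is well-formed and can stay as is.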
From: Ali Zaini Date: Mon, 4 Dec 2023 12:36:06 -0500 Subject: [PATCH 09/10] moved example after properties and relationship --- .../incident-core/Incident Extension Suite.adoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc index 794dee7229c..3a16877f2b9 100644 --- a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc +++ b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc @@ -97,13 +97,6 @@ The Incident object should have sufficient properties to represent the current s The properties and additional types within the Incident Core Extension are defined below. As this is an extension of a top-level object, fields such as identifier are not present. This extension *MUST* use [stixliteral]#extension-definition--ef765651-680c-498d-9894-99799f2fa126# as its extension ID. -==== 2.1.1 Example - -[source,json] ----- -include::examples/example_2.1.json[] ----- - <<< [width="100%",cols="37%,23%,40%",options="header"] @@ -248,6 +241,13 @@ This can be used to supplement the created_by_ref in cases where external author |=== // end::incident-relationships[] +==== 2.1.1 Example + +[source,json] +---- +include::examples/example_2.1.json[] +---- + <<< [[event]] === 2.2. Event From c9d8f1ff9bba330a93dd757d96191edf10e310ea Mon Sep 17 00:00:00 2001 From: Ali Zaini Date: Mon, 4 Dec 2023 12:37:11 -0500 Subject: [PATCH 10/10] add common properties to examples --- .../incident-core/examples/example_2.3.2.2.1.json | 3 +++ .../incident-core/examples/example_2.3.2.3.1.json | 3 +++ .../incident-core/examples/example_2.3.2.4.1.json | 3 +++ .../incident-core/examples/example_2.3.2.5.1.json | 3 +++ .../incident-core/examples/example_2.3.2.6.1.json | 3 +++ .../incident-core/examples/example_2.3.2.7.1.json | 3 +++ 6 files changed, 18 insertions(+) 
diff --git a/extension-definition-specifications/incident-core/examples/example_2.3.2.2.1.json b/extension-definition-specifications/incident-core/examples/example_2.3.2.2.1.json
index 4777993f67a..d38b8a3e2f0 100644
--- a/extension-definition-specifications/incident-core/examples/example_2.3.2.2.1.json
+++ b/extension-definition-specifications/incident-core/examples/example_2.3.2.2.1.json
@@ -1,6 +1,9 @@
 {
 "type": "impact",
 "id": "impact--c08d9e5a-ba7e-465c-96d5-659683aa9395",
+ "created": "2023-11-22T15:30:00Z",
+ "modified": "2023-11-22T15:30:00Z",
+ "spec_version": "2.1",
 "impact_category": "confidentiality",
 "criticality": 80,
 "description": "Confidential customer data was leaked.",
diff --git a/extension-definition-specifications/incident-core/examples/example_2.3.2.3.1.json b/extension-definition-specifications/incident-core/examples/example_2.3.2.3.1.json
index 8ba014a28eb..a88249f0367 100644
--- a/extension-definition-specifications/incident-core/examples/example_2.3.2.3.1.json
+++ b/extension-definition-specifications/incident-core/examples/example_2.3.2.3.1.json
@@ -1,6 +1,9 @@
 {
 "type": "impact",
 "id": "impact--765719be-0e65-4c40-8024-a7295c90da35",
+ "created": "2023-11-22T15:30:00Z",
+ "modified": "2023-11-22T15:30:00Z",
+ "spec_version": "2.1",
 "impact_category": "external",
 "criticality": 60,
 "description": "Negative impact on the company's reputation.",
diff --git a/extension-definition-specifications/incident-core/examples/example_2.3.2.4.1.json b/extension-definition-specifications/incident-core/examples/example_2.3.2.4.1.json
index f8745e1bc1e..3157aa392bc 100644
--- a/extension-definition-specifications/incident-core/examples/example_2.3.2.4.1.json
+++ b/extension-definition-specifications/incident-core/examples/example_2.3.2.4.1.json
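Review bot: The confidentiality Impact example receives `created`/`modified`/`spec_version` but no `extensions` property, so it still does not declare the `extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9` that the adoc requires for the Impact SDO; add `"extensions": { "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": { "extension_type": "new-sdo" } }` next to `spec_version`. The same omission applies to the other five impact examples touched in this commit (2.3.2.3.1 through 2.3.2.7.1). Whether the category-specific sub-extension ("Confidentiality Impact Extension" in the adoc) also needs its own entry cannot be judged from this hunk, since the category properties lie outside it.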
@@ -1,6 +1,9 @@
 {
 "type": "impact",
 "id": "impact--72047fc7-1b34-4cc2-aea7-61b90cdb832d",
+ "created": "2023-11-22T15:30:00Z",
+ "modified": "2023-11-22T15:30:00Z",
+ "spec_version": "2.1",
 "impact_category": "integrity",
 "criticality": 75,
 "description": "Unauthorized modification of financial records.",
diff --git a/extension-definition-specifications/incident-core/examples/example_2.3.2.5.1.json b/extension-definition-specifications/incident-core/examples/example_2.3.2.5.1.json
index ed079adfd19..554ad08c603 100644
--- a/extension-definition-specifications/incident-core/examples/example_2.3.2.5.1.json
+++ b/extension-definition-specifications/incident-core/examples/example_2.3.2.5.1.json
@@ -1,6 +1,9 @@
 {
 "type": "impact",
 "id": "impact--562c7b03-3c27-4adf-8580-57ecce6687c8",
+ "created": "2023-11-22T15:30:00Z",
+ "modified": "2023-11-22T15:30:00Z",
+ "spec_version": "2.1",
 "impact_category": "monetary",
 "criticality": 85,
 "description": "Financial loss due to a ransomware attack.",
diff --git a/extension-definition-specifications/incident-core/examples/example_2.3.2.6.1.json b/extension-definition-specifications/incident-core/examples/example_2.3.2.6.1.json
index a1507d9af63..5b9591674fd 100644
--- a/extension-definition-specifications/incident-core/examples/example_2.3.2.6.1.json
+++ b/extension-definition-specifications/incident-core/examples/example_2.3.2.6.1.json
@@ -1,6 +1,9 @@
 {
 "type": "impact",
 "id": "impact--738492bd-288b-48c9-ad2a-83230d2dee86",
+ "created": "2023-11-22T15:30:00Z",
+ "modified": "2023-11-22T15:30:00Z",
+ "spec_version": "2.1",
 "impact_category": "physical",
 "criticality": 95,
 "description": "Physical damage to a power plant.",
diff --git a/extension-definition-specifications/incident-core/examples/example_2.3.2.7.1.json b/extension-definition-specifications/incident-core/examples/example_2.3.2.7.1.json
index 5e932d5f466..3331ff78f37 100644
--- a/extension-definition-specifications/incident-core/examples/example_2.3.2.7.1.json
+++ b/extension-definition-specifications/incident-core/examples/example_2.3.2.7.1.json
@@ -1,6 +1,9 @@
 {
 "type": "impact",
 "id": "impact--ef58b184-e4b8-4f1f-9ac3-f22aff3f9459",
+ "created": "2023-11-22T15:30:00Z",
+ "modified": "2023-11-22T15:30:00Z",
+ "spec_version": "2.1",
 "impact_category": "traceability",
 "criticality": 65,
 "description": "Loss of audit logs due to a cyber attack.",