diff --git a/doc/json/actor.json b/doc/json/actor.json index e114a345..5405495b 100644 --- a/doc/json/actor.json +++ b/doc/json/actor.json @@ -26,7 +26,7 @@ "motivation" : "Ego", "planning_and_operational_support" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "sophistication" : "Aspirant", "source" : "string", diff --git a/doc/json/asset.json b/doc/json/asset.json index 24c4b43b..ef49901f 100644 --- a/doc/json/asset.json +++ b/doc/json/asset.json @@ -12,7 +12,7 @@ "id" : "string", "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", diff --git a/doc/json/asset_mapping.json b/doc/json/asset_mapping.json index b520083e..72921e14 100644 --- a/doc/json/asset_mapping.json +++ b/doc/json/asset_mapping.json @@ -17,7 +17,7 @@ "value" : "1.2.3.4" }, "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "specificity" : "Low", diff --git a/doc/json/asset_properties.json b/doc/json/asset_properties.json index 64325d30..7a52a350 100644 --- a/doc/json/asset_properties.json +++ b/doc/json/asset_properties.json @@ -15,7 +15,7 @@ "value" : "string" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", diff --git a/doc/json/attack_pattern.json b/doc/json/attack_pattern.json index a2409d31..4d54e92d 100644 --- a/doc/json/attack_pattern.json +++ b/doc/json/attack_pattern.json @@ -16,7 +16,7 @@ } ], "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", diff --git a/doc/json/bundle.json b/doc/json/bundle.json index 92ad4735..21254fcb 100644 --- a/doc/json/bundle.json +++ b/doc/json/bundle.json @@ -28,7 +28,7 @@ "motivation" : "Ego", "planning_and_operational_support" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "sophistication" : "Aspirant", "source" : "string", @@ -62,7 +62,7 @@ "value" : "1.2.3.4" }, "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "specificity" : "Low", @@ -92,7 +92,7 @@ "value" : "string" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", @@ -119,7 +119,7 @@ "id" : "string", "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -151,7 +151,7 @@ } ], "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -185,7 +185,7 @@ "language" : "string", "names" : [ "string" ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -259,7 +259,7 @@ "source" : "string" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -297,7 +297,7 @@ "revision" : 10, "row_count" : 10, "rows" : [ [ "anything" ] ], - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -335,7 +335,7 @@ "language" : "string", "reason" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", @@ -366,7 +366,7 @@ }, "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", @@ -384,6 +384,7 @@ "confidence" : "High", "description" : "string", "detection_sources" : [ "string" ], + "detection_status" : "active", "discovery_method" : "Agent Disclosure", "external_ids" : [ "string" ], "external_references" : [ { @@ -410,7 +411,7 @@ }, "promotion_method" : "Automated", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "scores" : { "asset" : 10.0 }, @@ -454,7 +455,7 @@ "negate" : true, "producer" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "severity" : "Critical", "short_description" : "string", "source" : "string", @@ -503,7 +504,7 @@ "reason" : "string", "reason_uri" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "severity" : "Critical", "source" : "string", "source_uri" : "string", @@ -536,7 +537,7 @@ "labels" : [ "adware" ], "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -566,7 +567,7 @@ "entity_type" : "string" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", @@ -588,7 +589,7 @@ "language" : "string", "relationship_type" : "attributed-to", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_ref" : "string", @@ -600,7 +601,7 @@ "type" : "relationship" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "sighting_refs" : [ "string" ], "sightings" : [ { @@ -880,7 +881,7 @@ } ], "resolution" : "detected", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "sensor" : "endpoint", "sensor_coordinates" : { "observables" : [ { @@ -927,7 +928,7 @@ "id" : "string", "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -973,7 +974,7 @@ "labels" : [ "credential-exploitation" ], "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -1114,7 +1115,7 @@ "last_modified_date" : "2016-01-01T01:01:01.000Z", "published_date" : "2016-01-01T01:01:01.000Z", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -1195,7 +1196,7 @@ "strategy" : "Attack Surface Reduction" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", diff --git a/doc/json/campaign.json b/doc/json/campaign.json index 64b0c2e9..fba6e1aa 100644 --- a/doc/json/campaign.json +++ b/doc/json/campaign.json @@ -19,7 +19,7 @@ "language" : "string", "names" : [ "string" ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", diff --git a/doc/json/casebook.json b/doc/json/casebook.json index 0af2dcfc..918caf55 100644 --- a/doc/json/casebook.json +++ b/doc/json/casebook.json @@ -29,7 +29,7 @@ "motivation" : "Ego", "planning_and_operational_support" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "sophistication" : "Aspirant", "source" : "string", @@ -63,7 +63,7 @@ "value" : "1.2.3.4" }, "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "specificity" : "Low", @@ -93,7 +93,7 @@ "value" : "string" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", @@ -120,7 +120,7 @@ "id" : "string", "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -152,7 +152,7 @@ } ], "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -186,7 +186,7 @@ "language" : "string", "names" : [ "string" ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -260,7 +260,7 @@ "source" : "string" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -298,7 +298,7 @@ "revision" : 10, "row_count" : 10, "rows" : [ [ "anything" ] ], - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -336,7 +336,7 @@ "language" : "string", "reason" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", @@ -367,7 +367,7 @@ }, "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", @@ -385,6 +385,7 @@ "confidence" : "High", "description" : "string", "detection_sources" : [ "string" ], + "detection_status" : "active", "discovery_method" : "Agent Disclosure", "external_ids" : [ "string" ], "external_references" : [ { @@ -411,7 +412,7 @@ }, "promotion_method" : "Automated", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "scores" : { "asset" : 10.0 }, @@ -455,7 +456,7 @@ "negate" : true, "producer" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "severity" : "Critical", "short_description" : "string", "source" : "string", @@ -504,7 +505,7 @@ "reason" : "string", "reason_uri" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "severity" : "Critical", "source" : "string", "source_uri" : "string", @@ -537,7 +538,7 @@ "labels" : [ "adware" ], "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -567,7 +568,7 @@ "entity_type" : "string" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", @@ -589,7 +590,7 @@ "language" : "string", "relationship_type" : "attributed-to", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_ref" : "string", @@ -601,7 +602,7 @@ "type" : "relationship" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "sighting_refs" : [ "string" ], "sightings" : [ { @@ -881,7 +882,7 @@ } ], "resolution" : "detected", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "sensor" : "endpoint", "sensor_coordinates" : { "observables" : [ { @@ -928,7 +929,7 @@ "id" : "string", "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -974,7 +975,7 @@ "labels" : [ "credential-exploitation" ], "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -1115,7 +1116,7 @@ "last_modified_date" : "2016-01-01T01:01:01.000Z", "published_date" : "2016-01-01T01:01:01.000Z", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -1196,7 +1197,7 @@ "strategy" : "Attack Surface Reduction" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", @@ -1227,7 +1228,7 @@ "value" : "1.2.3.4" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", diff --git a/doc/json/coa.json b/doc/json/coa.json index 60576f44..2485bd32 100644 --- a/doc/json/coa.json +++ b/doc/json/coa.json @@ -57,7 +57,7 @@ "source" : "string" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", diff --git a/doc/json/feedback.json b/doc/json/feedback.json index 91196999..8a7c4ed1 100644 --- a/doc/json/feedback.json +++ b/doc/json/feedback.json @@ -13,7 +13,7 @@ "language" : "string", "reason" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", diff --git a/doc/json/incident.json b/doc/json/incident.json index bb612fab..6bd4233e 100644 --- a/doc/json/incident.json +++ b/doc/json/incident.json @@ -4,6 +4,7 @@ "confidence" : "High", "description" : "string", "detection_sources" : [ "string" ], + "detection_status" : "active", "discovery_method" : "Agent Disclosure", "external_ids" : [ "string" ], "external_references" : [ { @@ -30,7 +31,7 @@ }, "promotion_method" : "Automated", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "scores" : { "asset" : 10.0 }, diff --git a/doc/json/indicator.json b/doc/json/indicator.json index da11626c..b217c777 100644 --- a/doc/json/indicator.json +++ b/doc/json/indicator.json @@ -24,7 +24,7 @@ "negate" : true, "producer" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "severity" : "Critical", "short_description" : "string", "source" : "string", diff --git a/doc/json/judgement.json b/doc/json/judgement.json index b4676ea3..109955f3 100644 --- a/doc/json/judgement.json +++ b/doc/json/judgement.json @@ -20,7 +20,7 @@ "reason" : "string", "reason_uri" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "severity" : "Critical", "source" : "string", "source_uri" : "string", diff --git a/doc/json/malware.json b/doc/json/malware.json index 5312f285..1ea6e19b 100644 --- a/doc/json/malware.json +++ b/doc/json/malware.json @@ -17,7 +17,7 @@ "labels" : [ "adware" ], "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", diff --git a/doc/json/note.json b/doc/json/note.json index 753596ca..1371eb11 100644 --- a/doc/json/note.json +++ b/doc/json/note.json @@ -17,7 +17,7 @@ "entity_type" : "string" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "source" : "string", "source_uri" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", diff --git a/doc/json/relationship.json b/doc/json/relationship.json index f564a21a..882ee929 100644 --- a/doc/json/relationship.json +++ b/doc/json/relationship.json @@ -12,7 +12,7 @@ "language" : "string", "relationship_type" : "attributed-to", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_ref" : "string", diff --git a/doc/json/sighting.json b/doc/json/sighting.json index 5d196804..5ecdd872 100644 --- a/doc/json/sighting.json +++ b/doc/json/sighting.json @@ -275,7 +275,7 @@ } ], "resolution" : "detected", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "sensor" : "endpoint", "sensor_coordinates" : { "observables" : [ { diff --git a/doc/json/target_record.json b/doc/json/target_record.json index 437c50e9..d373028d 100644 --- a/doc/json/target_record.json +++ b/doc/json/target_record.json @@ -11,7 +11,7 @@ "id" : "string", "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", diff --git a/doc/json/tool.json b/doc/json/tool.json index a28e9bb3..9ed5a137 100644 --- a/doc/json/tool.json +++ b/doc/json/tool.json @@ -16,7 +16,7 @@ "labels" : [ "credential-exploitation" ], "language" : "string", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", diff --git a/doc/json/vulnerability.json b/doc/json/vulnerability.json index 1478162d..91e146f1 100644 --- a/doc/json/vulnerability.json +++ b/doc/json/vulnerability.json @@ -108,7 +108,7 @@ "last_modified_date" : "2016-01-01T01:01:01.000Z", "published_date" : "2016-01-01T01:01:01.000Z", "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", diff --git a/doc/json/weakness.json b/doc/json/weakness.json index 7efcec04..e9dec137 100644 --- a/doc/json/weakness.json +++ b/doc/json/weakness.json @@ -68,7 +68,7 @@ "strategy" : "Attack Surface Reduction" } ], "revision" : 10, - "schema_version" : "1.3.29", + "schema_version" : "1.3.30", "short_description" : "string", "source" : "string", "source_uri" : "string", diff --git a/doc/structures/bundle.md b/doc/structures/bundle.md index 615f98b1..226cf320 100644 --- a/doc/structures/bundle.md +++ b/doc/structures/bundle.md @@ -4456,6 +4456,7 @@ A URL reference to an external resource. |[categories](#propertycategories-incidentcategorystringlist)|IncidentCategoryString List|A set of categories for this incident.|| |[description](#propertydescription-markdownstring)|MarkdownString|A description of object, which may be detailed.|| |[detection_sources](#propertydetection_sources-medstringstringlist)|MedStringString List|A set of sources that contributed threat detections to the incident.|| +|[detection_status](#propertydetection_status-detectionstatusstring)|DetectionStatusString|Represents the state of an incident within the incident generation process, indicating whether the incident is actively receiving updates or is no longer being updated.|| |[discovery_method](#propertydiscovery_method-discoverymethodstring)|DiscoveryMethodString|Identifies how the incident was discovered.|| |[external_ids](#propertyexternal_ids-stringlist)|String List|It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.|| |[external_references](#propertyexternal_references-externalreferenceobjectlist)|*ExternalReference* Object List|Specifies a list of external references which refers to non-CTIM information. Similar to `external_ids` field with major differences: - `external_ids` field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The `external_ids` field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - `external_references` field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The `external_references` field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.|| @@ -4564,6 +4565,22 @@ A set of sources that contributed threat detections to the incident. * *MedString* String with at most 2048 characters. + +## Property detection_status ∷ DetectionStatusString + +Represents the state of an incident within the incident generation process, indicating whether the incident is actively receiving updates or is no longer being updated. + +* This entry is optional + + + * *DetectionStatus* Represents the state of an incident within the incident generation process, indicating whether the incident is actively receiving updates or is no longer being updated. + * Allowed Values: + * active + * inactive_expired + * inactive_merged + * inactive_oversized + * inactive_user_closed + ## Property discovery_method ∷ DiscoveryMethodString diff --git a/doc/structures/casebook.md b/doc/structures/casebook.md index 2d726d7d..cb38a247 100644 --- a/doc/structures/casebook.md +++ b/doc/structures/casebook.md @@ -11403,6 +11403,7 @@ A URL reference to an external resource. |[categories](#propertycategories-incidentcategorystringlist)|IncidentCategoryString List|A set of categories for this incident.|| |[description](#propertydescription-markdownstring)|MarkdownString|A description of object, which may be detailed.|| |[detection_sources](#propertydetection_sources-medstringstringlist)|MedStringString List|A set of sources that contributed threat detections to the incident.|| +|[detection_status](#propertydetection_status-detectionstatusstring)|DetectionStatusString|Represents the state of an incident within the incident generation process, indicating whether the incident is actively receiving updates or is no longer being updated.|| |[discovery_method](#propertydiscovery_method-discoverymethodstring)|DiscoveryMethodString|Identifies how the incident was discovered.|| |[external_ids](#propertyexternal_ids-stringlist)|String List|It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.|| |[external_references](#propertyexternal_references-externalreferenceobjectlist)|*ExternalReference* Object List|Specifies a list of external references which refers to non-CTIM information. Similar to `external_ids` field with major differences: - `external_ids` field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The `external_ids` field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - `external_references` field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The `external_references` field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.|| @@ -11511,6 +11512,22 @@ A set of sources that contributed threat detections to the incident. * *MedString* String with at most 2048 characters. + +## Property detection_status ∷ DetectionStatusString + +Represents the state of an incident within the incident generation process, indicating whether the incident is actively receiving updates or is no longer being updated. + +* This entry is optional + + + * *DetectionStatus* Represents the state of an incident within the incident generation process, indicating whether the incident is actively receiving updates or is no longer being updated. + * Allowed Values: + * active + * inactive_expired + * inactive_merged + * inactive_oversized + * inactive_user_closed + ## Property discovery_method ∷ DiscoveryMethodString diff --git a/doc/structures/incident.md b/doc/structures/incident.md index 5af00ce4..70bb59bf 100644 --- a/doc/structures/incident.md +++ b/doc/structures/incident.md @@ -19,6 +19,7 @@ |[categories](#propertycategories-incidentcategorystringlist)|IncidentCategoryString List|A set of categories for this incident.|| |[description](#propertydescription-markdownstring)|MarkdownString|A description of object, which may be detailed.|| |[detection_sources](#propertydetection_sources-medstringstringlist)|MedStringString List|A set of sources that contributed threat detections to the incident.|| +|[detection_status](#propertydetection_status-detectionstatusstring)|DetectionStatusString|Represents the state of an incident within the incident generation process, indicating whether the incident is actively receiving updates or is no longer being updated.|| |[discovery_method](#propertydiscovery_method-discoverymethodstring)|DiscoveryMethodString|Identifies how the incident was discovered.|| |[external_ids](#propertyexternal_ids-stringlist)|String List|It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.|| |[external_references](#propertyexternal_references-externalreferenceobjectlist)|*ExternalReference* Object List|Specifies a list of external references which refers to non-CTIM information. Similar to `external_ids` field with major differences: - `external_ids` field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The `external_ids` field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - `external_references` field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The `external_references` field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.|| @@ -127,6 +128,22 @@ A set of sources that contributed threat detections to the incident. * *MedString* String with at most 2048 characters. + +## Property detection_status ∷ DetectionStatusString + +Represents the state of an incident within the incident generation process, indicating whether the incident is actively receiving updates or is no longer being updated. + +* This entry is optional + + + * *DetectionStatus* Represents the state of an incident within the incident generation process, indicating whether the incident is actively receiving updates or is no longer being updated. + * Allowed Values: + * active + * inactive_expired + * inactive_merged + * inactive_oversized + * inactive_user_closed + ## Property discovery_method ∷ DiscoveryMethodString diff --git a/src/ctim/examples/incidents.cljc b/src/ctim/examples/incidents.cljc index 9a67539f..c11aac48 100644 --- a/src/ctim/examples/incidents.cljc +++ b/src/ctim/examples/incidents.cljc @@ -28,6 +28,7 @@ :source "source" :source_uri "http://example.com" :detection_sources ["Cisco XDR Analytics", "Microsoft Defender for Endpoint"] + :detection_status "active" :confidence "High" :categories ["Denial of Service" "Improper Usage"] diff --git a/src/ctim/schemas/incident.cljc b/src/ctim/schemas/incident.cljc index 9235952f..01147741 100644 --- a/src/ctim/schemas/incident.cljc +++ b/src/ctim/schemas/incident.cljc @@ -142,6 +142,10 @@ "An Incident may be created manually by a SOAR analyst or SOC operator, or " "through an automated correlation or aggregation rule or engine that matches a " "specific set of events or alerts, and promotes them to Incident(s).")) + (f/entry :detection_status v/DetectionStatus + :description (str "Represents the state of an incident within the incident " + "generation process, indicating whether the incident is " + "actively receiving updates or is no longer being updated.")) (f/entry :severity v/Severity :description (str "Represents the potential impact of an incident on an organization's security " "posture and business operations. It helps organizations prioritize and allocate " diff --git a/src/ctim/schemas/vocabularies.cljc b/src/ctim/schemas/vocabularies.cljc index f63a02cf..979845ef 100644 --- a/src/ctim/schemas/vocabularies.cljc +++ b/src/ctim/schemas/vocabularies.cljc @@ -1600,3 +1600,17 @@ (def-enum-type PromotionMethod promotion-method :open? false :gen (cs/gen promotion-method)) + +(def detection-status + #{"active" + "inactive_merged" + "inactive_expired" + "inactive_oversized" + "inactive_user_closed"}) + +(def-enum-type DetectionStatus detection-status + :open? false + :gen (cs/gen detection-status) + :description (str "Represents the state of an incident within the incident " + "generation process, indicating whether the incident is " + "actively receiving updates or is no longer being updated."))