Created July 25, 2017 16:47
Gist: rjsmitre/9238c1a3b8302ef1693cdc755011aaf3
STIX 2.1 Event Modeling Example #1
This shows a five-step sequence. This is NOTIONAL - let's not get hung up on whether or not your process works this exact way, but rather on whether this is the sort of data we need to be able to represent in support of this use case.

1. Automatically-generated alert converted to an event
2. Second automatically-generated alert
3. Ticket opened and assigned to an analyst to investigate
4. Both machines are remediated and malware confirmed
5. Incident confirmed - analyst adds context
Step 1: Automatically-generated alert converted to an event

```yaml
event:
  name: Alert 12345
  labels: [ alert ]
  description: Auto-generated malware alert from Foobar system for host XXXXXX
  event_status: open
  timestamps:
    reported: 2017-07-01T04:03:02Z
  detection_mechanism: [ int-hids ]
```
Step 2: Second automatically-generated alert

```yaml
event:
  name: Alert 12345
  labels: [ alert ]
  description: Auto-generated malware alert from Foobar system for host XXXXXX
  event_status: open
  timestamps:
    reported: 2017-07-01T04:03:02Z
  detection_mechanism: [ int-hids ]
event:
  name: Alert 12378
  labels: [ alert ]
  description: Auto-generated malware alert from Foobar system for host YYYYYY
  event_status: open
  timestamps:
    reported: 2017-07-01T05:13:02Z
  detection_mechanism: [ int-hids ]
```
Step 3: Ticket opened and assigned to an analyst to investigate

```yaml
event:
  name: Alert 12345
  labels: [ alert ]
  description: Auto-generated malware alert from Foobar system for host XXXXXX
  event_status: open
  timestamps:
    reported: 2017-07-01T04:03:02Z
  detection_mechanism: [ int-hids ]
event:
  name: Alert 12378
  labels: [ alert ]
  description: Auto-generated malware alert from Foobar system for host YYYYYY
  event_status: open
  timestamps:
    reported: 2017-07-01T05:13:02Z
  detection_mechanism: [ int-hids ]
event:
  name: Inc7856
  labels: [ investigation ]
  description: Possible malware infection
  event_status: open
  timestamps:
    reported: 2017-07-01T04:03:02Z
  detection_mechanism: [ int-hids ]
  contacts:
    responder: Mary Jones
identity:
  name: Mary Jones
  identity_class: individual
  contact_info: "+1703-983-1234 [email protected]"
```
Step 4: Both machines are remediated and malware confirmed

```yaml
event:
  name: Alert 12345
  labels: [ alert ]
  description: Auto-generated malware alert from Foobar system for host XXXXXX
  event_status: remediated
  timestamps:
    reported: 2017-07-01T04:03:02Z
    remediated: 2017-07-02T13:56:23Z
  detection_mechanism: [ int-hids ]
event:
  name: Alert 12378
  labels: [ alert ]
  description: Auto-generated malware alert from Foobar system for host YYYYYY
  event_status: remediated
  timestamps:
    reported: 2017-07-01T05:13:02Z
    remediated: 2017-07-02T14:12:02Z
  detection_mechanism: [ int-hids ]
event:
  name: Inc7856
  labels: [ investigation ]
  description: Confirmed malware infection
  event_status: open
  timestamps:
    reported: 2017-07-01T04:03:02Z
    remediated: 2017-07-02T14:12:02Z
  detection_mechanism: [ int-hids ]
  contacts:
    responder: Mary Jones
identity:
  name: Mary Jones
  identity_class: individual
  contact_info: "+1703-983-1234 [email protected]"
```
Step 5: Incident confirmed - analyst adds context

```yaml
event:
  name: Alert 12345
  labels: [ alert ]
  description: Auto-generated malware alert from Foobar system for host XXXXXX
  event_status: remediated
  timestamps:
    reported: 2017-07-01T04:03:02Z
    remediated: 2017-07-02T13:56:23Z
  detection_mechanism: [ int-hids ]
event:
  name: Alert 12378
  labels: [ alert ]
  description: Auto-generated malware alert from Foobar system for host YYYYYY
  event_status: remediated
  timestamps:
    reported: 2017-07-01T05:13:02Z
    remediated: 2017-07-02T14:12:02Z
  detection_mechanism: [ int-hids ]
event:
  name: Inc7856
  labels: [ incident ]
  description: Investment banking division had two machines popped by Toast Crew
  event_status: remediated
  timestamps:
    reported: 2017-07-01T04:03:02Z
    remediated: 2017-07-02T14:12:02Z
  detection_mechanism: [ int-hids ]
  contacts:
    responder: Mary Jones
  intended_effect: theft-intellectual property
  impact_scope:
    systems: 2
    users: 2
identity:
  name: Mary Jones
  identity_class: individual
  contact_info: "+1703-983-1234 [email protected]"
campaign:
  name: Burnt Toast
  description: Targeted series of attacks against FIN orgs to exfiltrate dealbooks
  objective: Obtain dealbooks for pending M&A activity
threat-actor:
  name: Toast Krew
  description: Toast Krew is a shadowy network of evil-doers
relationship:
  relationship_type: part-of
  source_ref: Alert 12345
  target_ref: Inc7856
relationship:
  relationship_type: part-of
  source_ref: Alert 12378
  target_ref: Inc7856
relationship:
  relationship_type: attributed-to
  source_ref: Inc7856
  target_ref: Burnt Toast
relationship:
  relationship_type: attributed-to
  source_ref: Burnt Toast
  target_ref: Toast Krew
relationship:
  relationship_type: attributed-to
  source_ref: Inc7856
  target_ref: Toast Krew
```
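As an added example, not part of the gist, here are the consistency checks an analyst would want to run over a snapshot like step 5: every remediated event carries a well-formed UTC timestamp no earlier than its reported time, an open event carries no remediated timestamp, and every relationship resolves to a known object whose endpoint kinds fit the relationship type. The reduced sample data, the helper `ev` and the `ALLOWED` policy table are constructed for this example; one timestamp deliberately lacks its Z suffix to show the check firing.

```python
from datetime import datetime
# Constructed sample (the step-5 snapshot, reduced); one remediated timestamp deliberately lacks its Z.
def ev(label, status, reported, remediated=None):
    ts = {"reported": reported, **({"remediated": remediated} if remediated else {})}
    return {"type": "event", "labels": [label], "event_status": status, "timestamps": ts}
EVENTS = {
    "Alert 12345": ev("alert", "remediated", "2017-07-01T04:03:02Z", "2017-07-02T13:56:23Z"),
    "Alert 12378": ev("alert", "remediated", "2017-07-01T05:13:02Z", "2017-07-02T14:12:02"),
    "Inc7856": ev("incident", "remediated", "2017-07-01T04:03:02Z", "2017-07-02T14:12:02Z"),
}
OBJECTS = {**EVENTS, "Burnt Toast": {"type": "campaign"}, "Toast Krew": {"type": "threat-actor"}}
RELATIONSHIPS = [  # (relationship_type, source_ref, target_ref) as in the step-5 file
    ("part-of", "Alert 12345", "Inc7856"), ("part-of", "Alert 12378", "Inc7856"),
    ("attributed-to", "Inc7856", "Burnt Toast"), ("attributed-to", "Burnt Toast", "Toast Krew"),
    ("attributed-to", "Inc7856", "Toast Krew"),
]
ALLOWED = {  # assumed policy: (source kind, target kind) pairs each relationship type may join
    "part-of": {("alert", "investigation"), ("alert", "incident")},
    "attributed-to": {("incident", "campaign"), ("incident", "threat-actor"), ("campaign", "threat-actor")},
}

def parse_ts(value):  # STIX timestamps are UTC and end in Z; strptime rejects anything else
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def check_events(events):
    """Flag status/timestamp combinations the open -> remediated lifecycle cannot produce."""
    findings = []
    for name, obj in events.items():
        ts, remediated = obj["timestamps"], obj["event_status"] == "remediated"
        try:
            reported = parse_ts(ts["reported"])
            if remediated != ("remediated" in ts):
                findings.append(f"{name}: event_status and remediated timestamp disagree")
            elif remediated and parse_ts(ts["remediated"]) < reported:
                findings.append(f"{name}: remediated before it was reported")
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
    return findings

def check_relationships(objects, rels):
    findings = []
    for rtype, src, dst in rels:
        if src in objects and dst in objects:
            # an event's kind is its first label; campaign and threat-actor are their own kind
            pair = tuple(objects[n].get("labels", [objects[n]["type"]])[0] for n in (src, dst))
            if pair not in ALLOWED.get(rtype, set()):
                findings.append(f"{rtype} {src} -> {dst}: not allowed between {pair}")
        else:
            findings.append(f"{rtype} {src} -> {dst}: dangling reference")
    return findings
```

Run against the step-4 snapshot, the first check also flags Inc7856, which is still open but already carries a remediated timestamp; whether that is an error or an intended "machines fixed, ticket not closed" state is exactly the kind of modeling question this exercise is meant to surface.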