Incident Object
Discrete instance of indicators affecting an organization as well as information associated with incident response
| Property | Type | Description | Required? |
|---|---|---|---|
| confidence | HighMedLow String | level of confidence held in the characterization of this Incident | ✓ |
| id | String | Globally unique URI identifying this object. | ✓ |
| incident_time | IncidentTime Object | relevant time values associated with this Incident | ✓ |
| schema_version | String | CTIM schema version for this entity | ✓ |
| status | Status String | current status of the incident | ✓ |
| type | IncidentTypeIdentifier String | ✓ | |
| categories | IncidentCategory String List | a set of categories for this incident | |
| description | Markdown String | A description of object, which may be detailed. | |
| discovery_method | DiscoveryMethod String | identifies how the incident was discovered | |
| external_ids | String List | ||
| external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
| intended_effect | IntendedEffect String | specifies the suspected intended effect of this incident | |
| language | ShortString String | The human language this object is specified in. | |
| revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
| short_description | MedString String | A single line, short summary of the object. | |
| source | MedString String | ||
| source_uri | String | ||
| timestamp | Inst (Date) | The time this object was created at, or last modified. | |
| title | ShortString String | A short title for this object, used as primary display and reference value | |
| tlp | TLP String | Specification for how, and to whom, this object can be shared. |
Property categories ∷ IncidentCategory String List
a set of categories for this incident
-
This entry is optional
-
This entry's type is sequential (allows zero or more values)
- Allowed Values:
- Denial of Service
- Exercise/Network Defense Testing
- Improper Usage
- Investigation
- Malicious Code
- Scans/Probes/Attempted Access
- Unauthorized Access
- Allowed Values:
Property confidence ∷ HighMedLow String
level of confidence held in the characterization of this Incident
-
This entry is required
- Allowed Values:
- High
- Info
- Low
- Medium
- None
- Unknown
- Reference: HighMedLowVocab
- Allowed Values:
Property description ∷ Markdown String
A description of object, which may be detailed.
-
This entry is optional
- Markdown string with at most 5000 characters
Property discovery_method ∷ DiscoveryMethod String
identifies how the incident was discovered
-
This entry is optional
- Allowed Values:
- Agent Disclosure
- Antivirus
- Audit
- Customer
- External - Fraud Detection
- Financial Audit
- HIPS
- IT Audit
- Incident Response
- Internal - Fraud Detection
- Law Enforcement
- Log Review
- Monitoring Service
- NIDS
- Security Alarm
- Unknown
- Unrelated Party
- User
- Allowed Values:
Property external_ids ∷ String List
- This entry is optional
- This entry's type is sequential (allows zero or more values)
Property external_references ∷ ExternalReference Object List
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- ExternalReference Object Value
- Details: ExternalReference Object
Property id ∷ String
Globally unique URI identifying this object.
-
This entry is required
- IDs are URIs, for example
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
- IDs are URIs, for example
Property incident_time ∷ IncidentTime Object
relevant time values associated with this Incident
- This entry is required
- Dev Notes: Was 'time'; renamed for clarity
- IncidentTime Object Value
- Details: IncidentTime Object
Property intended_effect ∷ IntendedEffect String
specifies the suspected intended effect of this incident
-
This entry is optional
- Allowed Values:
- Account Takeover
- Advantage
- Advantage - Economic
- Advantage - Military
- Advantage - Political
- Brand Damage
- Competitive Advantage
- Degradation of Service
- Denial and Deception
- Destruction
- Disruption
- Embarrassment
- Exposure
- Extortion
- Fraud
- Harassment
- ICS Control
- Theft
- Theft - Credential Theft
- Theft - Identity Theft
- Theft - Intellectual Property
- Theft - Theft of Proprietary Information
- Traffic Diversion
- Unauthorized Access
- Allowed Values:
Property language ∷ ShortString String
The human language this object is specified in.
-
This entry is optional
- String with at most 1024 characters
Property revision ∷ Integer
A monotonically increasing revision, incremented each time the object is changed.
-
This entry is optional
- Zero, or a positive integer
Property schema_version ∷ String
CTIM schema version for this entity
-
This entry is required
- A semantic version matching the CTIM version against which this object should be valid.
Property short_description ∷ MedString String
A single line, short summary of the object.
-
This entry is optional
- String with at most 2048 characters
Property source ∷ MedString String
-
This entry is optional
- String with at most 2048 characters
Property source_uri ∷ String
-
This entry is optional
- A URI
Property status ∷ Status String
current status of the incident
-
This entry is required
- Allowed Values:
- Closed
- Containment Achieved
- Incident Reported
- New
- Open
- Rejected
- Restoration Achieved
- Stalled
- Allowed Values:
Property timestamp ∷ Inst (Date)
The time this object was created at, or last modified.
-
This entry is optional
- Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property title ∷ ShortString String
A short title for this object, used as primary display and reference value
-
This entry is optional
- String with at most 1024 characters
Property tlp ∷ TLP String
Specification for how, and to whom, this object can be shared.
-
This entry is optional
- TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
- amber
- green
- red
- white
Property type ∷ IncidentTypeIdentifier String
-
This entry is required
- Must equal: "incident"
ExternalReference Object
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
| Property | Type | Description | Required? |
|---|---|---|---|
| source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
| description | Markdown String | ||
| external_id | String | An identifier for the external reference content. | |
| hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
| url | String | A URL reference to an external resource |
- Reference: External Reference
Property description ∷ Markdown String
-
This entry is optional
- Markdown string with at most 5000 characters
Property external_id ∷ String
An identifier for the external reference content.
- This entry is optional
Property hashes ∷ String List
Specifies a dictionary of hashes for the contents of the url.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
Property source_name ∷ MedString String
The source within which the external-reference is defined (system, registry, organization, etc.)
-
This entry is required
- String with at most 2048 characters
Property url ∷ String
A URL reference to an external resource
-
This entry is optional
- A URI
IncidentTime Object
| Property | Type | Description | Required? |
|---|---|---|---|
| opened | Inst (Date) | ✓ | |
| closed | Inst (Date) | ||
| discovered | Inst (Date) | ||
| rejected | Inst (Date) | ||
| remediated | Inst (Date) | ||
| reported | Inst (Date) |
Property closed ∷ Inst (Date)
-
This entry is optional
- Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property discovered ∷ Inst (Date)
-
This entry is optional
- Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property opened ∷ Inst (Date)
-
This entry is required
- Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property rejected ∷ Inst (Date)
-
This entry is optional
- Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property remediated ∷ Inst (Date)
-
This entry is optional
- Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property reported ∷ Inst (Date)
-
This entry is optional
- Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Can you improve this documentation? These fine people already did:
Stephen Sloan, Guillaume Buisson, Yann Esposito (Yogsototh), Craig Brozefsky, Matthieu Sprunck & Yann EspositoEdit on GitHub
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close