Remove Alert? #12

Open
sparrell opened this issue Jan 30, 2017 · 3 comments

Comments

@sparrell
Member

Note this is a more specific issue than issue #5

PROBLEM

The CTI STIX group has suggested that openc2 stick to C2 and that alert is not C2. I.e., openc2 can tell an actuator the conditions under which to alert, but the alert itself would come through a 'normal' alert channel. This is in keeping with the functional split we are trying to maintain.

POTENTIAL SOLUTION

Remove Alert from LDD

@davaya
Member

davaya commented Feb 2, 2017

Agree that alert is out of scope for C2. Many mechanisms exist for carrying alerts, including event logging messages, push notification services, pub/sub channels, SNMP traps, etc.

@jmbrule
Member

jmbrule commented Feb 2, 2017

I am not going to argue that ALERT fits within the sensing block of IACD, and I agree that we want to maintain the separation/decoupling of ACD blocks. From a pragmatic point of view, we are going to need a means to fire events that the orchestrator or whatever can respond to. I am NOT stating that the openC2 channel must receive every byte of data from a sensor or actuator. I am saying that I see value in receiving an alert from an actuator that could be used to trigger some course of action.
My 'vote' is to keep ALERT in the LDD, and we will add text along the lines that the alert is not intended for 'routine' sensing, but is available to alert the orchestrator/mission manager should some threshold be breached.

@romanojd
Member

romanojd commented Feb 2, 2017

I still think alert is just another type of response.

response = request | status | ack | alert

And from my viewpoint, this is the best of both worlds:

  • There is only a single response message in OpenC2
  • The value of the response could be contextualized for different types
  • The format is analogous to the action syntax (action = deny | stop | query | ...)
