Merge pull request #46 from azainimitre/main

Added examples and updated adoc
oasis-open · Dec 4, 2023 · db42a5e · db42a5e
2 parents 31b3936 + c9d8f1f
commit db42a5e
Show file tree

Hide file tree

Showing 17 changed files with 393 additions and 1 deletion.
diff --git a/extension-definition-specifications/incident-core/Incident Extension Suite.adoc b/extension-definition-specifications/incident-core/Incident Extension Suite.adoc
@@ -241,11 +241,20 @@ This can be used to supplement the created_by_ref in cases where external author
 |===
 // end::incident-relationships[]
 
+==== 2.1.1 Example
+
+[source,json]
+----
+include::examples/example_2.1.json[]
+----
+
 <<<
 [[event]]
 === 2.2. Event
 
 This new sdo extension *MUST* use [stixliteral]#extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e# as its extension ID.
+
+
 [width="100%",cols="100%",stripes=odd]
 |===
 ^|[stixtr]*Required Common Properties*
@@ -428,11 +437,19 @@ For example, a dropper running allowed a ransomware tool to be downloaded and ru
 
 // end::event-relationships[]
 
+==== 2.2.2 Example
+
+[source,json]
+----
+include::examples/example_2.2.json[]
+----
+
 <<<
 [[impact]]
 === 2.3. Impact
 This new sdo extension *MUST* use [stixliteral]#extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9# as its extension ID.
 
+
 [width="100%",cols="100%",stripes=odd]
 |===
 ^|[stixtr]*Required Common Properties*
@@ -580,6 +597,13 @@ This value *MUST* be between 0 to 100. This can be translated into qualitative v
 
 |===
 
+===== 2.3.2.1.1 Availability Impact Example
+
+[source,json]
+----
+include::examples/example_2.3.2.1.1.json[]
+----
+
 <<<
 
 ===== 2.3.2.2. Confidentiality Impact Extension
@@ -613,6 +637,13 @@ The values of this property *MUST* come from the [stixtype]#<<incident-confident
 |The amount of data that was compromised in bytes. The value of this property *MUST NOT* be negative.
 |===
 
+===== 2.3.2.2.1 Confidentiality Impact Example
+
+[source,json]
+----
+include::examples/example_2.3.2.2.1.json[]
+----
+
 ===== 2.3.2.3. External Impact Extension
 
 [width="100%",cols="37%,23%,40%",options="header",]
@@ -630,6 +661,13 @@ The value of this property *SHOULD* come from the [stixtype]#<<external-impact-o
 
 <<<
 
+===== 2.3.2.3.1 External Impact Example
+
+[source,json]
+----
+include::examples/example_2.3.2.3.1.json[]
+----
+
 ===== 2.3.2.4. Integrity Impact Extension
 
 *Type Name:* [stixtype]#integrity-impact#
@@ -668,6 +706,13 @@ Including an entry that with an alteration of none and no information_type indic
 
 <<<
 
+===== 2.3.2.4.1 Integrity Impact Example
+
+[source,json]
+----
+include::examples/example_2.3.2.4.1.json[]
+----
+
 ===== 2.3.2.5. Monetary Impact Extension
 
 [width="100%",cols="37%,23%,40%",options="header",]
@@ -731,6 +776,13 @@ This value *MUST* be included if the *max_amount* property is included.
 
 <<<
 
+===== 2.3.2.5.1 Monetary Impact Example
+
+[source,json]
+----
+include::examples/example_2.3.2.5.1.json[]
+----
+
 ===== 2.3.2.6. Physical Impact Extension
 
 [width="100%",cols="37%,23%,40%",options="header",]
@@ -757,6 +809,13 @@ Including an entry with an *impact_type* of none and no asset_type indicates tha
 
 |===
 
+===== 2.3.2.6.1 Physical Impact Example
+
+[source,json]
+----
+include::examples/example_2.3.2.6.1.json[]
+----
+
 ===== 2.3.2.7. Traceability Impact Extension
 
 [width="100%",cols="37%,23%,40%",options="header",]
@@ -773,10 +832,19 @@ The value of this property *MUST* come from the [stixtype]#<<traceability-enum,t
 
 |===
 
+===== 2.3.2.7.1 Traceability Impact Example
+
+[source,json]
+----
+include::examples/example_2.3.2.7.1.json[]
+----
+
 <<<
 [[task]]
 === 2.4. Task
 
+
+
 [width="100%",cols="100%",stripes=odd]
 |===
 ^|[stixtr]*Required Common Properties*
@@ -993,6 +1061,13 @@ Using these embedded relationships ensure that an incomplete sequence cannot be
 
 // end::task-relationships[]
 
+==== 2.4.2 Example
+
+[source,json]
+----
+include::examples/example_2.4.json[]
+----
+
 <<<
 
 == 3. Additional Sub-Objects Types
@@ -1071,12 +1146,20 @@ Default value is [stixliteral]#true#.
 
 |===
 
+==== 3.2.1 Example
+
+[source,json]
+----
+include::examples/example_3.2.json[]
+----
+
 [[event-sequence-entry]]
 === 3.3. Event Sequence Object Type
 
 Event sequence entries store references to subsequent steps for an event entry.
 As these are always stored in an array of steps within an array of event entries validation rules for *event_ref* *MUST* be performed against the entire array of event entries.
 
+
 *Type Name:* [stixtype]#event-sequence-entry#
 
 [width="100%",cols="37%,23%,40%",options="header",]
@@ -1107,10 +1190,17 @@ The values of this property *MUST* come from the [stixtype]#<<activity-transitio
 
 |===
 
+==== 3.3.1 Example
+
+[source,json]
+----
+include::examples/example_3.3.json[]
+----
+
 <<<
 
 [[incident-score]]
-=== 3.4. Incident Score Object Type
+=== 3.4 Incident Score Object Type
 
 *Type Name:* [stixtype]#incident-score#
 [width="100%",cols="37%,23%,40%",options="header",]
@@ -1133,6 +1223,12 @@ The values of this property *MUST* come from the [stixtype]#<<activity-transitio
 |===
 
 <<<
+==== 3.4.1 Example
+
+[source,json]
+----
+include::examples/example_3.4.json[]
+----
 
 [[state-change]]
 === 3.5. State Change Object Type
@@ -1177,6 +1273,12 @@ For example, an event causing a network outage.
 If the *initial_ref* is populated this *MUST* reference the same type of SDO.
 
 |===
+==== 3.5.1 Example
+
+[source,json]
+----
+include::examples/example_3.5.json[]
+----
 
 <<<
 
@@ -1211,6 +1313,13 @@ Default value is [stixliteral]#true#.
 
 |===
 
+==== 3.6.1 Example
+
+[source,json]
+----
+include::examples/example_3.6.json[]
+----
+
 [[task-sequence-entry]]
 === 3.7. Task Sequence Object Type
 
@@ -1247,6 +1356,12 @@ The values of this property *MUST* come from the [stixtype]#<<activity-transitio
 
 |===
 
+==== 3.7.1 Example
+
+[source,json]
+----
+include::examples/example_3.7.json[]
+----
 <<<
 
 == 4. Vocabularies

diff --git a/extension-definition-specifications/incident-core/examples/example_2.1.json b/extension-definition-specifications/incident-core/examples/example_2.1.json
@@ -0,0 +1,46 @@
+{
+    "type": "incident",
+    "id": "incident--b0e7e6a5-6e2c-4a0b-8d5a-8a5e92a5a5bc",
+    "created": "2023-11-22T15:30:00Z",
+    "modified": "2023-11-22T15:30:00Z",
+    "spec_version": "2.1",
+    "determination": "confirmed",
+    "extension_type": "property-extension",
+    "investigation_status": "open",
+    "criticality": 70,
+    "detection_methods": [
+        "automated-tool",
+        "human-review"
+    ],
+    "events": [
+        {
+            "event_ref": "event--9ca38544-c247-45d9-9e33-957ba7c9e119"
+        }
+    ],
+    "impact_refs": [
+        "impact--7a5806e4-0f37-4c48-9a50-7301bff4b195"
+    ],
+    "impacted_entity_counts": {
+        "individual": 100,
+        "employee": 70,
+        "customer-individual": 30
+    },
+    "incident_types": [
+        "hosting-phishing-sites"
+    ],
+    "recoverability": "regular",
+    "scores": [
+        {
+            "incident-score": {
+                "name": "ExampleSystem Automated Exposure Score",
+                "value": 75.5,
+                "description": "The score is calculated based on the severity of the incident and the potential impact on the organization."
+            }
+        }
+    ],
+    "tasks": [
+        {
+            "task_ref": "task--a45aaed9-6504-4f95-982e-78508726eb5a"
+        }
+    ]
+}
diff --git a/extension-definition-specifications/incident-core/examples/example_2.2.json b/extension-definition-specifications/incident-core/examples/example_2.2.json
@@ -0,0 +1,27 @@
+{
+    "type": "event",
+    "id": "event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6",
+    "created": "2023-11-22T15:30:00Z",
+    "modified": "2023-11-22T15:30:00Z",
+    "spec_version": "2.1",
+    "status": "ongoing",
+    "changed_objects": [
+        {
+            "state_change": {
+                "state_change_type": "escalation",
+                "initial_ref": "impact--d1e4f6c7-3b1a-4b5c-8a5a-9e7b8a9a5b6c",
+                "result_ref": "impact--c1f2d3e4-5b6c-7a8d-9e0a-1b2c3d4e5f6g"
+            }
+        }
+    ],
+    "description": "Phishing attack on company email accounts.",
+    "end_time": "2023-11-22T15:30:00Z",
+    "end_time_fidelity": "minute",
+    "event_types": [
+        "phishing"
+    ],
+    "goal": "Gain unauthorized access to sensitive information.",
+    "name": "Phishing Attack",
+    "start_time": "2023-11-22T14:30:00Z",
+    "start_time_fidelity": "minute"
+}
diff --git a/extension-definition-specifications/incident-core/examples/example_2.3.2.1.1.json b/extension-definition-specifications/incident-core/examples/example_2.3.2.1.1.json
@@ -0,0 +1,25 @@
+{
+    "type": "impact",
+    "id": "impact--de425325-5ac8-4f4b-ace7-054301b80863",
+    "created": "2023-11-22T15:30:00Z",
+    "modified": "2023-11-22T15:30:00Z",
+    "spec_version": "2.1",
+    "impact_category": "availability",
+    "criticality": 70,
+    "description": "Loss of availability for a critical service.",
+    "end_time": "2023-11-22T16:00:00Z",
+    "end_time_fidelity": "minute",
+    "impacted_entity_counts": {
+        "system": 1
+    },
+    "impacted_refs": [
+        "infrastructure--11c25d0e-48f5-4491-960a-0da71c4e0d16"
+    ],
+    "start_time": "2023-11-22T15:30:00Z",
+    "start_time_fidelity": "minute",
+    "extensions": {
+        "availability-impact": {
+            "availability_impact": 90
+        }
+    }
+}
diff --git a/extension-definition-specifications/incident-core/examples/example_2.3.2.2.1.json b/extension-definition-specifications/incident-core/examples/example_2.3.2.2.1.json
@@ -0,0 +1,19 @@
+{
+    "type": "impact",
+    "id": "impact--c08d9e5a-ba7e-465c-96d5-659683aa9395",
+    "created": "2023-11-22T15:30:00Z",
+    "modified": "2023-11-22T15:30:00Z",
+    "spec_version": "2.1",
+    "impact_category": "confidentiality",
+    "criticality": 80,
+    "description": "Confidential customer data was leaked.",
+    "start_time": "2023-11-22T15:30:00Z",
+    "start_time_fidelity": "minute",
+    "extensions": {
+        "confidentiality-impact": {
+            "information_type": "customer-data",
+            "loss_type": "unauthorized-disclosure",
+            "record_count": 1000
+        }
+    }
+}
diff --git a/extension-definition-specifications/incident-core/examples/example_2.3.2.3.1.json b/extension-definition-specifications/incident-core/examples/example_2.3.2.3.1.json
@@ -0,0 +1,17 @@
+{
+    "type": "impact",
+    "id": "impact--765719be-0e65-4c40-8024-a7295c90da35",
+    "created": "2023-11-22T15:30:00Z",
+    "modified": "2023-11-22T15:30:00Z",
+    "spec_version": "2.1",
+    "impact_category": "external",
+    "criticality": 60,
+    "description": "Negative impact on the company's reputation.",
+    "start_time": "2023-11-22T15:30:00Z",
+    "start_time_fidelity": "minute",
+    "extensions": {
+        "external-impact": {
+            "impact_type": "reputation"
+        }
+    }
+}