This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
token = "<your Jupyter Lab token, from startup>" # Get this from the terminal when Jupyter Lab starts up
layer_url = "http://localhost:8888/files/layer.json" # Get this from right-clicking the file in the Jupyter Lab file manager and hitting Copy Download URL
A tactic is a column in one or more ATT&CK matrices. It describes the tactical "goal" an adversary might want to achieve by carrying out the techniques listed under that tactic.
Tactics are not necessarily specific to any given matrix or platform. Some tactics are shared, some are not.
We have good consensus in the community that IEP should be included as part of STIX 2.1. The technical mechanism that we do that (a data marking definition) is very straightforward and is described in the playground. There are several open questions though, that can be resolved as a combination of text in the specification itself, in the conformance section of the specification, or in the interoperability specification.
Do we lock IEP specifically to a single version? Locking it to one version makes compatibility easier to state, but precludes the ability for newer versions of IEP to be used in STIX without a modification to STIX. Allowing it to remain open makes compatibility more difficult (STIX 2.1 and IEP 2.0 incompatible with STIX 2.1 and IEP 2.2) but allows IEP to evolve and be used ahead of STIX.
How do we talk about the overlap of IEP and TLP? We could take a
Option 1: Current Approach (Sighting as special relationship)
In the current approach (consensus at the DC3 F2F), a sighting is essentially just a special relationship between an observation and an indicator (or another object type that can be sighted). Thus, it has few data fields of its own beyond the ones needed to link observations to the sighted object.
Pros and Cons
Has both a sighting object and an observation object: partly a pro, because people talk about these as separate things, and partly a con, because other people are confused by the distinction.
count/start/end live only on the observation, so you don't have to deal with them in two places or figure out how to handle inconsistencies between them.