Merge branch 'fix-incident-schema'

Author: rpiazza

extension-definition-specifications/incident-ef7/event/extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e.json

@@ -4,11 +4,10 @@
     "title": "Event",
     "description": "An extension for recording events in STIX.",
     "type": "object",
-    "unevaluatedProperties": false,
     "required": [
-        "extensions"
-        , "status"
-        , "type"
+        "extensions",
+	"status",
+	"type"
     ],
     "allOf": [
         {
@@ -33,17 +32,12 @@
                         }
                     }
                 },
-                "created": {},
-                "modified": {},
-                "spec_version": {},
-                "labels": {},
-                "external_references": {},
                 "type": {
                     "type": "string",
                     "const": "event"
                 },
                 "id": {
-                    "type": "string",
+                    "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
                     "pattern": "^event--"
                 },
                 "event_types": {
@@ -131,72 +125,15 @@
                         "pattern": "^sighting--"
                     }
                 },
-                "subevents": {
-                    "type": "array",
-                    "minItems": 1,
-                    "items": {
-                        "$ref": "#/definitions/Event_Sequence"
-                    }
-                }
-            }
-        }
-    ],
-    "definitions": {
-        "Event_Sequence": {
-            "type": "object",
-            "additionalProperties": false,
-            "required": ["event_ref"],
-            "properties": {
-                "event_ref": {
-                    "type": "string",
-                    "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
-                    "pattern": "^event--",
-                    "description": "The event"
-                },
-                "sequence_start": {
-                    "type": "boolean",
-                    "description": "If this event is the start of a sequence.",
-                    "default": true
-                },
-                "next_steps": {
-                    "type": "array",
-                    "minItems": 1,
-                    "items": {
-                        "type": "object",
-                        "additionalProperties": false,
-                        "required": [
-                            "condition_type",
-                            "event_ref",
-                            "transition_type"
-                        ],
-                        "properties": {
-                            "condition_type": {
-                                "type": "string",
-                                "enum": [
-                                    "optional",
-                                    "required",
-                                    "unknown"
-                                ]
-                            },
-                            "event_ref": {
-                                "type": "string",
-                                "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
-                                "pattern": "^event--"
-                            },
-                            "transition_type": {
-                                "type": "string",
-                                "description": "What end-state causes the target to begin",
-                                "enum": [
-                                    "completion",
-                                    "failure",
-                                    "success",
-                                    "unknown"
-                                ]
-                            }
-                        }
+		"next_event_refs": {
+		    "type": "array",
+		    "items": {
+                        "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
+                        "pattern": "^event--"
                     }
-                }
+		},
+		"unevaluatedProperties": false
             }
         }
-    }
-}
+    ]
+}

extension-definition-specifications/incident-ef7/examples/example_2.1.json

@@ -12,7 +12,7 @@
       "investigation_status": "open",
       "criticality": 70,
       "detection_methods": [
-        "automated-tool",
+        "automated-tools",
         "human-review"
       ],
       "event_refs": [

extension-definition-specifications/incident-ef7/extension-definition--ef765651-680c-498d-9894-99799f2fa126.json

@@ -51,18 +51,22 @@
                                         }
                                     }
                                 },
-                                "events": {
+                                "event_refs": {
                                     "type": "array",
                                     "minItems": 1,
                                     "items": {
-                                        "$ref": "#/definitions/Event_Sequence"
+                                        "type": "string",
+                                        "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
+                                        "pattern": "^event--"
                                     }
                                 },
-                                "tasks": {
+                                "task_refs": {
                                     "type": "array",
                                     "minItems": 1,
                                     "items": {
-                                        "$ref": "#/definitions/Task_Sequence"
+                                        "type": "string",
+                                        "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
+                                        "pattern": "^task--"
                                     }
                                 },
                                 "determination": {
@@ -134,118 +138,6 @@
         }
     ],
     "definitions": {
-        "Event_Sequence": {
-            "type": "object",
-            "additionalProperties": false,
-            "required": ["event_ref"],
-            "properties": {
-                "event_ref": {
-                    "type": "string",
-                    "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
-                    "pattern": "^event--",
-                    "description": "The event"
-                },
-                "sequence_start": {
-                    "type": "boolean",
-                    "description": "If this event is the start of a sequence.",
-                    "default": true
-                },
-                "next_steps": {
-                    "type": "array",
-                    "minItems": 1,
-                    "items": {
-                        "type": "object",
-                        "additionalProperties": false,
-                        "required": [
-                            "condition_type",
-                            "event_ref",
-                            "transition_type"
-                        ],
-                        "properties": {
-                            "condition_type": {
-                                "type": "string",
-                                "enum": [
-                                    "optional",
-                                    "required",
-                                    "unknown"
-                                ]
-                            },
-                            "event_ref": {
-                                "type": "string",
-                                "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
-                                "pattern": "^event--"
-                            },
-                            "transition_type": {
-                                "type": "string",
-                                "description": "What end-state causes the target to begin",
-                                "enum": [
-                                    "completion",
-                                    "failure",
-                                    "success",
-                                    "unknown"
-                                ]
-                            }
-                        }
-                    }
-                }
-            }
-        },
-        "Task_Sequence": {
-            "type": "object",
-            "additionalProperties": false,
-            "required": ["task_ref"],
-            "properties": {
-                "task_ref": {
-                    "type": "string",
-                    "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
-                    "pattern": "^task--",
-                    "description": "The event or task"
-                },
-                "sequence_start": {
-                    "type": "boolean",
-                    "description": "If this task is the start of a sequence.",
-                    "default": true
-                },
-                "next_steps": {
-                    "type": "array",
-                    "minItems": 1,
-                    "items": {
-                        "type": "object",
-                        "additionalProperties": false,
-                        "required": [
-                            "condition_type",
-                            "task_ref",
-                            "transition_type"
-                        ],
-                        "properties": {
-                            "condition_type": {
-                                "type": "string",
-                                "enum": [
-                                    "optional",
-                                    "required",
-                                    "unknown"
-                                ]
-                            },
-                            "task_ref": {
-                                "type": "string",
-                                "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json",
-                                "pattern": "^task--"
-                            },
-                            "transition_type": {
-                                "type": "string",
-                                "description": "What end-state causes the target to begin",
-                                "enum": [
-                                    "completion",
-                                    "failure",
-                                    "success",
-                                    "unknown"
-                                ]
-                            }
-                        }
-                    }
-                }
-            }
-        },
         "Recoverability": {
             "type": "string",
             "description": "The scope of impact required to recover from an incident",
@@ -256,7 +148,7 @@
                 "extended",
                 "not-recoverable"
             ],
-            "$comment": "This is a closed vocabulary: non-applicable is an addition to what is found on https://us-cert.cisa.gov/incident-notification-guidelines for Incident reports that do not have associated recover costs.  For example a phishing email that was detected successfully."
+            "$comment": "This is a closed vocabulary (enumeration): non-applicable is an addition to what is found on https://us-cert.cisa.gov/incident-notification-guidelines for Incident reports that do not have associated recover costs.  For example a phishing email that was detected successfully."
         }
     }
-}
+}

extension-definition-specifications/incident-ef7/tables/incident_relationship_summary.adoc

@@ -4,13 +4,17 @@
 ^|*Type* 
 ^|*Target* 
 
+|[stixtype]#<<event,event>>#
+|[stixrelationship]#causes#
+|[stixtype]#<<impact,impact>>#
+
 |[stixtype]#<<event,event>>#
 |[stixrelationship]#impacts#
 |[stixtype]#{infrastructure_url}[infrastructure]#
 
 |[stixtype]#<<event,event>>#
 |[stixrelationship]#led-to#
-|[stixtype]#<<event,event>>#
+|[stixtype]#<<task,task>>#
 
 |[stixtype]#<<event,event>>#
 |[stixrelationship]#located-at#
@@ -62,7 +66,7 @@
 
 |[stixtype]#{identity_url}[identity]#
 |[stixrelationship]#performed#
-|[stixtype]#<<task,task>>#
+|[stixtype]#<<task,task>>#, #<<event,event>>#,
 
 |[stixtype]#{incident_url}[incident]#
 |[stixrelationship]#attributed-to#