changes for entity-count

Author: rpiazza

extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc

@@ -1040,7 +1040,7 @@ The value of this property *MUST* come from the [stixtype]#<<task-outcome-enum,t
 |The value of this property *MUST* be set to [stixliteral]#task#.
 
 |*affected_entity_counts* (optional)
-|[stixtype]#<<entity-count,entity-count>>#
+|[stixtype]#{list_url}[list]# of type [stixtype]#<<entity-count,entity-count>>#
 |A list of affected entity types, along with the number of each type affected.
 
 This property is used primarily to capture victim notification information.

extension-definition-specifications/incident-ef7/examples/example_2.1.json

@@ -25,11 +25,6 @@
       "impact_refs": [
         "impact--7a5806e4-0f37-4c48-9a50-7301bff4b195"
       ],
-      "impacted_entity_counts": {
-        "individual": 100,
-        "employee": 70,
-        "customer-individual": 30
-      },
       "incident_types": [
         "hosting-phishing-sites"
       ],

extension-definition-specifications/incident-ef7/examples/example_2.3.2.1.1.json

@@ -9,9 +9,12 @@
     "description": "Loss of availability for a critical service.",
     "end_time": "2023-11-22T16:00:00Z",
     "end_time_fidelity": "minute",
-    "impacted_entity_counts": {
-        "system": 1
-    },
+    "impacted_entity_counts": [
+	{
+            "entity_name": "system",
+	    "count": 1
+	}
+    ]
     "impacted_refs": [
         "infrastructure--11c25d0e-48f5-4491-960a-0da71c4e0d16"
     ],

extension-definition-specifications/incident-ef7/examples/incident_expo_1.json

@@ -114,13 +114,7 @@
                     "investigation_status": "open",
                     "criticality": 90,
                     "detection_methods": ["system-outage"],
-                    "impacted_entity_counts": {
-                        "computers-mobile": 2000,
-                        "computers-personal": 1000,
-                        "computers-server": 232,
-                        "domain-controller": 7,
-                        "network-device": 3252
-                    },
+                    
                     "incident_types": [
                         "denial-of-service",
                         "unattributed"
@@ -172,6 +166,30 @@
             "object_marking_refs": ["marking-definition--43b7719e-52a7-47d4-ba05-cddbd59d961f"],
             "description": "After bypass mode all servers still shutdown, but wireless and displays are now up in a limited capacity.",
             "impact_category": "availability",
+	    "impacted_entity_counts": [
+			{
+  "entity_type": "computers-mobile",
+  "count": 2000,
+  "precise_within": 100
+},
+			{
+			    "entity_type": "computers-personal",
+			    "count": 1000,
+			    "precise_within": 100
+			},
+			{
+			    "entity_type": "computers-server",
+			    "count": 232
+			},
+			{
+			    "entity_type": "domain-controller",
+			    "count": 7
+			},
+			{
+			    "entity_type": "network-device",
+			    "count": 3252
+			}
+		    ],
             "start_time": "2022-09-14T17:00:00.000Z",
             "start_time_fidelity": "hour",
             "extensions": {

extension-definition-specifications/incident-ef7/examples/incident_expo_2.json

@@ -136,13 +136,6 @@
                     "investigation_status": "open",
                     "criticality": 90,
                     "detection_methods": ["system-outage"],
-                    "impacted_entity_counts": {
-                        "computers-mobile": 2000,
-                        "computers-personal": 1000,
-                        "computers-server": 232,
-                        "domain-controller": 7,
-                        "network-device": 3252
-                    },
                     "incident_types": [
                         "denial-of-service",
                         "unknown-apt"
@@ -240,6 +233,30 @@
             "object_marking_refs": ["marking-definition--43b7719e-52a7-47d4-ba05-cddbd59d961f"],
             "description": "After bypass mode all servers still shutdown, but wireless and displays are now up in a limited capacity.",
             "impact_category": "availability",
+	    "impacted_entity_counts": [
+		{
+                    "entity_type": "computers-mobile",
+		    "count": 2000,
+		    "precise_within": 100
+		},
+		{
+                    "entity_type": "computers-personal",
+		    "count": 1000,
+		    "precise_within": 100
+		},
+		{
+                    "entity_type": "computers-server",
+		    "count":
+		},
+		{
+                    "entity_type": "domain-controller",
+		    "count": 7,
+		},
+		{
+                    "entity_type": "network-device",
+		    "count": 3252
+		}
+            ],
             "start_time": "2022-09-14T17:00:00.000Z",
             "start_time_fidelity": "hour",
             "end_time": "2022-09-15T10:00:00.000Z",

extension-definition-specifications/incident-ef7/examples/incident_expo_3.json

@@ -158,13 +158,6 @@
                     "investigation_status": "open",
                     "criticality": 90,
                     "detection_methods": ["system-outage"],
-                    "impacted_entity_counts": {
-                        "computers-mobile": 2000,
-                        "computers-personal": 1000,
-                        "computers-server": 232,
-                        "domain-controller": 7,
-                        "network-device": 3252
-                    },
                     "incident_types": [
                         "denial-of-service"
                     ],
@@ -246,6 +239,30 @@
             "object_marking_refs": ["marking-definition--43b7719e-52a7-47d4-ba05-cddbd59d961f"],
             "description": "All servers shutdown,wireless tied to these went down,all displays went down.",
             "impact_category": "availability",
+	    "impacted_entity_counts": [
+		{
+                    "entity_type": "computers-mobile",
+		    "count": 2000,
+		    "precise_within": 100
+		},
+		{
+                    "entity_type": "computers-personal",
+		    "count": 1000,
+		    "precise_within": 100
+		},
+		{
+                    "entity_type": "computers-server",
+		    "count": 232
+		},
+		{
+                    "entity_type": "domain-controller",
+		    "count": 7
+		},
+		{
+                    "entity_type": "network-device",
+		    "count": 3252
+		}
+            ],
             "start_time": "2022-09-14T14:57:00.000Z",
             "start_time_fidelity": "minute",
             "end_time": "2022-09-14T17:00:00.000Z",

extension-definition-specifications/incident-ef7/examples/incident_expo_4.json

@@ -181,13 +181,6 @@
                     "investigation_status": "open",
                     "criticality": 90,
                     "detection_methods": ["system-outage"],
-                    "impacted_entity_counts": {
-                        "computers-mobile": 2000,
-                        "computers-personal": 1000,
-                        "computers-server": 232,
-                        "domain-controller": 7,
-                        "network-device": 3252
-                    },
                     "incident_types": [
                         "denial-of-service",
                         "data-exfiltration"
@@ -294,6 +287,13 @@
             "object_marking_refs": ["marking-definition--43b7719e-52a7-47d4-ba05-cddbd59d961f"],
             "description": "After bypass mode all servers still shutdown, but wireless and displays are now up in a limited capacity.",
             "impact_category": "availability",
+	    "impacted_entity_counts": {
+                "computers-mobile": 2000,
+                "computers-personal": 1000,
+                "computers-server": 232,
+                "domain-controller": 7,
+                "network-device": 3252
+            },
             "start_time": "2022-09-14T17:00:00.000Z",
             "start_time_fidelity": "hour",
             "end_time": "2022-09-15T10:00:00.000Z",

extension-definition-specifications/incident-ef7/examples/incident_pii_report.json

@@ -38,10 +38,7 @@
                         "impact--29d33f9d-a1a4-4d08-a48c-01a8f076331b",
                         "impact--bb4e161d-3053-46e4-8496-3a00c3830037",
                         "impact--a17c0f80-0d75-4f6a-863f-0097ec07fc84"
-                    ],
-                    "impacted_entity_counts": {
-                        "individual": 123456
-                    }
+                    ]
                 }
             }
         },
@@ -52,6 +49,12 @@
             "modified": "2020-10-17T01:01:01.000Z",
             "spec_version": "2.1",
             "impact_category": "confidentiality",
+	    "impacted_entity_counts": [
+		{
+                    "entity_type": "individual",
+		    "count": 123456
+		}
+            ],
             "extensions": {
                 "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
                     "extension_type": "new-sdo"

extension-definition-specifications/incident-ef7/extension-definition--ef765651-680c-498d-9894-99799f2fa126.json

@@ -121,14 +121,7 @@
                                     "$ref": "#/definitions/Recoverability"
                                 },        
                                 "impacted_entity_counts": {
-                                    "description": "A dictionary of entities that were impacted by the incident where the key is the entity type and the value is the number of entities of that type which were impacted.  In most cases these should be understood to be estiamtes.",
-                                    "patternProperties": {
-                                        "^[a-z\\-]+": {
-                                            "type": "integer",
-                                            "description": "Key names MUST be lower case and separated by dashes.  Common values include 'individuals', 'organizations', 'business-units', 'facilities', 'information-systems'",
-                                            "minimum": 0
-                                        }
-                                    }
+                                    "$ref": "#/definitions/entity_count"
                                 }
                             }
                         }
@@ -138,6 +131,29 @@
         }
     ],
     "definitions": {
+	"entity_count": {
+	    "type": "object",
+	    "description": "The Entity Count type represents the count of an entity type.",
+	    "properties": {
+		"entity_type": {
+		    "type": "string",
+		    "description": "The type of entity. The value of the entity type should come from entity-type-ov open vocabulary."
+		},
+		"count": {
+		    "type": "integer",
+		    "description": "The number of instances of the entity type.",
+		    "minimum": 0
+		},
+		"precise_within": {
+		    "type": "integer",
+		    "description": "The order of magnitude of the approximate count. If this property is not provided, the count should be considered the accurate count."
+		}
+	    },
+	    "required": [
+		"entity_type",
+		"count"
+	    ]
+	},
         "Recoverability": {
             "type": "string",
             "description": "The scope of impact required to recover from an incident",

extension-definition-specifications/incident-ef7/impact/examples/pii_loss.json

@@ -9,9 +9,12 @@
             "created": "2023-04-07T20:00:00.0002Z",
             "modified": "2023-04-07T20:00:00.0002Z",
             "spec_version": "2.1",
-            "impacted_entity_counts": {
-                "individual": 123456
-            },
+            "impacted_entity_counts": [
+		{
+                    "entity_type": "individual",
+		    "count": 123456
+		}
+            ],
             "extensions": {
                 "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
                     "extension_type": "new-sdo"