{
  "namespace": "incident-disposition",
  "description": "How an incident is classified as it progresses towards resolution. The taxonomy is inspired by the NASA Information Security Incident Management handbook (ITS-HBK-2810.09-02). https://www.nasa.gov/pdf/589502main_ITS-HBK-2810.09-02%20%5bNASA%20Information%20Security%20Incident%20Management%5d.pdf#page=9",
  "version": 2,
  "predicates": [
    {
      "value": "incident",
      "expanded": "Incident"
    },
    {
      "value": "not-an-incident",
      "expanded": "Not an incident"
    },
    {
      "value": "duplicate",
      "expanded": "Duplicate"
    }
  ],
  "values": [
    {
      "predicate": "incident",
      "entry": [
        {
          "value": "confirmed",
          "expanded": "Confirmed",
          "description": "The incident is confirmed and response is underway following the incident response procedure of the organisation."
        },
        {
          "value": "deferred",
          "expanded": "Deferred",
          "description": "The incident is deferred due to resource constraints, information type or external reasons."
        },
        {
          "value": "unidentified",
          "expanded": "Unidentified",
          "description": "The incident is unidentified because some assets, resources or context are missing to reach a state in which it can be handled following the incident response procedure."
        },
        {
          "value": "transferred",
          "expanded": "Transferred",
          "description": "The incident is transferred to another organisation for further processing or incident handling."
        },
        {
          "value": "discarded",
          "expanded": "Discarded",
          "description": "The incident is discarded due to resource constraints, information type or external reasons."
        },
        {
          "value": "silently-discarded",
          "expanded": "Silently discarded",
          "description": "The incident is silently discarded, i.e. discarded without any notification, due to resource constraints, information type or external reasons."
        }
      ]
    },
    {
      "predicate": "not-an-incident",
      "entry": [
        {
          "value": "insufficient-data",
          "expanded": "Insufficient data",
          "description": "When insufficient data is available to explain an ambiguous (i.e., not definitively hostile or benign) indicator, the incident may be dispositioned as Insufficient Data."
        },
        {
          "value": "faulty-indicator",
          "expanded": "Faulty indicator",
          "description": "A false positive where an investigation reveals that the source indicator used as the basis for incident detection was a Faulty Indicator."
        },
        {
          "value": "misconfiguration",
          "expanded": "Misconfiguration",
          "description": "A false positive where an event that appeared to be malicious activity was subsequently disproven and determined to be a Misconfiguration (malfunction) of a system."
        },
        {
          "value": "scan-probe",
          "expanded": "Scan or Probe",
          "description": "Reconnaissance activity which Scanned or Probed for the presence of a vulnerability which may be later exploited to gain unauthorized access."
        },
        {
          "value": "failed",
          "expanded": "Failed",
          "description": "A Failed attempt to gain unauthorized access, conduct a denial of service, install malicious code, or misuse an IT resource, typically because a security control prevented it from succeeding."
        },
        {
          "value": "refuted",
          "expanded": "Refuted",
          "description": "Any other circumstance where a suspected incident was determined to not be an incident and was Refuted."
        }
      ]
    },
    {
      "predicate": "duplicate",
      "entry": [
        {
          "value": "duplicate",
          "expanded": "Duplicate",
          "description": "An incident may be a Duplicate of another record in the Incident Management System, and should be merged with the existing workflow."
        }
      ]
    }
  ]
}