102 lines
4.0 KiB
JSON
102 lines
4.0 KiB
JSON
{
|
|
"namespace": "incident-disposition",
|
|
"description": "How an incident is classified in its process to be resolved. The taxonomy is inspired from NASA Incident Response and Management Handbook. https://www.nasa.gov/pdf/589502main_ITS-HBK-2810.09-02%20%5bNASA%20Information%20Security%20Incident%20Management%5d.pdf#page=9",
|
|
"version": 2,
|
|
"predicates": [
|
|
{
|
|
"value": "incident",
|
|
"expanded": "Incident"
|
|
},
|
|
{
|
|
"value": "not-an-incident",
|
|
"expanded": "Not an incident"
|
|
},
|
|
{
|
|
"value": "duplicate",
|
|
"expanded": "Duplicate"
|
|
}
|
|
],
|
|
"values": [
|
|
{
|
|
"predicate": "incident",
|
|
"entry": [
|
|
{
|
|
"value": "confirmed",
|
|
"expanded": "Confirmed",
|
|
"description": "The incident is confirmed and response is underway following incident response procedure of the organisation."
|
|
},
|
|
{
|
|
"value": "deferred",
|
|
"expanded": "Deferred",
|
|
"description": "The incident is deferred due to resource constraints, information type or external reasons."
|
|
},
|
|
{
|
|
"value": "unidentified",
|
|
"expanded": "Unidentified",
|
|
"description": "The incident is unidentified because some assets, ressources or context is missing to go a state which can be handled following the incident response response procedure."
|
|
},
|
|
{
|
|
"value": "transferred",
|
|
"expanded": "Transferred",
|
|
"description": "The incident is transferred to another organisations for further processing or incident handling."
|
|
},
|
|
{
|
|
"value": "discarded",
|
|
"expanded": "Discarded",
|
|
"description": "The incident is discarded due to resource constraints, information type or external reasons."
|
|
},
|
|
{
|
|
"value": "silently-discarded",
|
|
"expanded": "Silently discarded",
|
|
"description": "The incident is silently discarded due to resource constraints, information type or external reasons."
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"predicate": "not-an-incident",
|
|
"entry": [
|
|
{
|
|
"value": "insufficient-data",
|
|
"expanded": "Insufficient data",
|
|
"description": "When insufficient data is available to explain an ambiguous (i.e., not definitively hostile or benign) indicator, the incident may be dispositioned as Insufficient Data."
|
|
},
|
|
{
|
|
"value": "faulty-indicator",
|
|
"expanded": "Faulty indicator",
|
|
"description": "A false positive where an investigation reveals that the source indicator used as the basis for incident detection was a Faulty Indicator."
|
|
},
|
|
{
|
|
"value": "misconfiguration",
|
|
"expanded": "Misconfiguration",
|
|
"description": "A false positive where an event that appeared to be malicious activity was subsequently disproven and determined to be a Misconfiguration (malfunction) of a system."
|
|
},
|
|
{
|
|
"value": "scan-probe",
|
|
"expanded": "Scan or Probe",
|
|
"description": "Reconnaissance activity which Scanned or Probed for the presence of a vulnerability which may be later exploited to gain unauthorized access."
|
|
},
|
|
{
|
|
"value": "failed",
|
|
"expanded": "Failed",
|
|
"description": "A Failed attempt to gain unauthorized access, conduct a denial of service, install malicious code, or misuse an IT resource, typically because a security control prevented it from succeeding."
|
|
},
|
|
{
|
|
"value": "refuted",
|
|
"expanded": "Refuted",
|
|
"description": "Any other circumstance where a suspected incident was determined to not be an incident and was Refuted."
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"predicate": "duplicate",
|
|
"entry": [
|
|
{
|
|
"value": "duplicate",
|
|
"expanded": "Duplicate",
|
|
"description": "An incident may be a Duplicate of another record in the Incident Management System, and should be merged with the existing workflow."
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|