first draft

oasis-open · Oct 16, 2024 · 4fb4869 · 4fb4869
1 parent 16d5bd9
commit 4fb4869
Showing 1 changed file with 15 additions and 5 deletions.
diff --git a/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc b/extension-definition-specifications/incident-ef7/Incident Extension Suite.adoc
@@ -573,8 +573,9 @@ As a new SDO extension it must follow the requirements as described in section 7
 
 |*impact_category* (required)
 |[stixtype]#{string_url}[string]#
-|The category to which the impact belongs.
-This *MUST* match an extension that provides greater details of a specific type of impact, and *SHOULD* come from the extensions listed in section 2.3.2 of this document.  The value can be specified with or without the "-ext" suffix.
+|The category to which the impact belongs. This *MUST* be either [stixliteral]#undetermined# or match an extension that provides greater details of a specific type of impact, and *SHOULD* come from the extensions listed in section 2.3.2 of this document.
+
+The value can be specified with or without the "-ext" suffix. If this property is set to [stixliteral]#undetermined# then there *MUST* not be an "-ext" extension providing further details for this impact.
 
 |*type* (required)
 |[stixtype]#{string_url}[string]#
@@ -1013,12 +1014,12 @@ As a new SDO extension it must follow the requirements as described in section 7
 ^|[stixtr]*Task Object Specific Properties*
 
 |*task_types*,
+*affected_entity_counts*,
 *changed_objects*,
 *description*,
 *end_time*,
 *end_time_fidelity*,
 *error*,
-*impact_entity_counts*,
 *name*,
 *next_tasks_refs*
 *outcome*,
@@ -1073,9 +1074,9 @@ If no value is provided the timestamp should be considered to be accurate up to
 |[stixtype]#{string_url}[string]#
 |Details about any failures or deviations that occurred in the task.
 
-|*impacted_entity_counts* (optional)
+|*affected_entity_counts* (optional)
 |[stixtype]#<<entity-count,entity-count>>#
-|A listing of the entity types that were impacted and how many of each were affected.
+|A listing of the entity types and how many of each that were affected.
 
 This is primarily used when recording victim notifications.
 
@@ -2186,6 +2187,9 @@ This option should be used to affirmatively supply this information when necessa
 
 |[stixliteral]#suspected-loss#
 |It is suspected but not confirmed that the attacker may have gained access to this information.
+
+|[stixliteral]#unknown#
+|It is unknown if the attacker may have gained access to this information.
 |===
 
 <<<
@@ -2251,6 +2255,9 @@ This should not be used when an incident was flagged correctly, but is of no imp
 
 |[stixliteral]#none#
 |There is no evidence of destruction or modification of this data type in the system.
+
+|[stixliteral]#none#
+|It is known if destruction or modification of this data type in the system has occurred.
 |===
 
 [[physical-impact-enum]]
@@ -2391,6 +2398,9 @@ Hours and minutes should be understood to establish the timezone for the activit
 
 |[stixliteral]#provable-accountability#
 |Accountability can be ensured from the traces that are present.
+
+[stixliteral]#unknown-accountability#
+|Accountability is unknown.
 |===
 
 <<<