Re: [cti-cybox] Should CyboX events, actions and type enumerations live within the object that uses them?

["Kirillov, Ivan A." <ikirillov@mitre.org>]

As Jerome mentioned, I think this would be difficult to do from a data modeling perspective, because many of the Actions and vocabularies are applicable to multiple Objects. However, I think this could be great to have in an API - imagine if, say, an Action had knowledge of the Objects that could be used in it:

action = cybox.actions.create_file
action.applicable_objects = [“file”, “unix_file”, “windows_file”, “windows_executable_file”]

Regards,
Ivan




On 11/7/15, 4:00 PM, "cti-cybox@lists.oasis-open.org on behalf of John Anderson" <cti-cybox@lists.oasis-open.org on behalf of janderson@soltra.com> wrote:

>It would help me to see your idea expressed in Python, Terry. How would this make coding more joyful?
>JSA
>
>________________________________________
>From: cti-cybox@lists.oasis-open.org <cti-cybox@lists.oasis-open.org> on behalf of Jerome Athias <athiasjerome@gmail.com>
>Sent: Saturday, November 7, 2015 1:38 AM
>To: Terry MacDonald
>Cc: cti-cybox@lists.oasis-open.org
>Subject: Re: [cti-cybox] Should CyboX events, actions and type enumerations live within the object that uses them?
>
>Yo
>(Yes and No)
>
>No, because some Vocabularies enumerations are applicable/usable in
>many places, or for many objects.
>(Think reuse and maintenance)
>e.g. https://cyboxproject.github.io/documentation/object-relationships/
>Many Actions could be triggered by different Actors (User, file,
>Process, Thread, ...)
>
>Yes (maybe, potentially) for some objects (to make implementation
>simpler), we could agree on that, for -some- objects. (ref.
>enumeration of hashes type)
>
>
>
>
>2015-11-07 3:31 GMT+04:00 Terry MacDonald <terry@soltra.com>:
>> Hi All,
>>
>>
>>
>> This might be unworkable, but I thought I’d throw it out there anyway.
>>
>>
>>
>> I just was reading through the list of EventTypeEnum-1.0.1 here, and I
>> thought to myself, as these objects are generally ‘derived from’ and related
>> to each other in a tree like structure, it could make sense to actually
>> house the enumerations relating to an object specifically with the object
>> itself. That would then allow us to make sure that the enumerations
>> available to use for each Observable Object are the relevant events,
>> actions, etc for that particular object – all information that pertains to
>> the object in one place.. within the object itself.
>>
>>
>>
>> Should CyboX events, actions and type enumerations live within the object
>> they refer to? Is that even a workable idea?
>>
>>
>>
>> To be absolutely clear, I’ve not worked through the ramifications of doing
>> so, but wanted to source other’s opinions on the idea. Plus its late on
>> Friday – weird ideas are supposed to happen late on Fridays J.
>>
>>
>>
>> Cheers
>>
>>
>>
>> Terry MacDonald
>>
>> Senior STIX Subject Matter Expert
>>
>> SOLTRA | An FS-ISAC and DTCC Company
>>
>> +61 (407) 203 206 | terry@soltra.com
>>
>>
>>
>>
>
>---------------------------------------------------------------------
>To unsubscribe from this mail list, you must leave the OASIS TC that
>generates this mail.  Follow this link to all your TCs in OASIS at:
>https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
>
>---------------------------------------------------------------------
>To unsubscribe from this mail list, you must leave the OASIS TC that 
>generates this mail.  Follow this link to all your TCs in OASIS at:
>https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
>