[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-cybox] CybOX Core Review
The reason you need both containers is so that you can build relationships inside the data itself.
As an example, you see an email message followed by a data exfiltration. These would be two instances of ObservedData, each with Cybox inside. However, inside the email ObservedData, you may want to have multiple objects, perhaps the Email Message and an Archive Object and a File object, with relations between them. These are not STIX relationship objects, they are Cybox relationships - relationships within the actual instance of observed data, not relationships between individual occurances of observed data. Cybox relationships are only valid within a given instance of cybox data (IE the Cybox container). They have no context outside that because they are simple facts.
The reason object IDs are not UUIDs is because they have no context outside the container so therefore they don't have to be universally unique. They are simple string IDs, so UUID can be used if one wants, but one is not mandated to do so - the thought was that this may make it easier for implementers to re-use their own internal IDs for these objects in many situations.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Terry MacDonald ---07/14/2016 05:54:11 PM---Hi Ivan, I have a few questions about the CybOX core document..
From: Terry MacDonald <terry.macdonald@cosive.com>
To: "Ivan A. Kirillov" <ikirillov@mitre.org>
Cc: cti-cybox@lists.oasis-open.org
Date: 07/14/2016 05:54 PM
Subject: Re: [cti-cybox] CybOX Core Review
Sent by: <cti-cybox@lists.oasis-open.org>
I have a few questions about the CybOX core document..
- I understand the idea of the CybOX container for housing multiple CybOX objects together, but how will this work with the STIX ObservedData (observation) object? For example will the ObservedData object contain a list of 3 objects, out will it contain a CybOX container that contains a dictionary of 3 objects? That seems to be another level of nesting that isn't necessarily needed.
- Can CybOX objects be used directly without a CybOX container? If they have simple incrementing integer IDs, then there will be a collision.
- Why are the objects a dictionary and not a list? As far as I can tell the object dictionary labels are just used as a local identifier, and this was just added to make relationships work. Making each object have an explicit uuid id, and changing the object dictionary to a list makes more sense to me. Plus I like having things explicitly stated.
- If the objects have an explicit uuid based is then that opens up the possibility of cross package relationships.
I understand that this object ID topic may have been thrashed to death in the past, but it does seem to create more nesting than seems to be needed.
Cheers
Terry MacDonald
Cosive
On 14/07/2016 07:50, "Kirillov, Ivan A." <ikirillov@mitre.org> wrote:
There have a been a number of changes, including:
· Updating datatypes to align with STIX and adding examples
· Merging in existing high-level Objects specification (extensions, etc.)
· Added examples wherever applicable
· Refactored CybOX Object ID specification/object references
Once we do another pass, we’ll put up the specification on a vote for approval for MVP, likely early next week.
Also, this will be the main topic of discussion during tomorrow’s 10:00am-11:00am EDT working session.
Regards,
Ivan
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]