Subject: RE: STIX 2.0 - Sightings object

Great discussion topic! There has been some previous discussion on the STIX Schemas GitHub on this topic: https://github.com/STIXProject/schemas/issues/291

The conversation seemed (to me) to settle on the idea that there were three concepts that are related in some way:

1. Relationships – A link between objects (e.g., this TTP is related to that Indicator)
2. Assertions – The +1/-1 concept
3. Sightings – “I saw that, too!”

It seems that the structures are similar across the three concepts (e.g., id, from, to, assertion, source/confidence/rationale) and that the larger open question is whether humans are benefitted by these things being variations of the same concept or three different concepts (or something else).

I personally think there is a single set of common properties that can do Relationships, Assertions, and Sightings, and that it looks roughly like what Aharon posted. However, there was a counter-point that this combining of concepts makes it more difficult to understand.

I’ll leave the group with these questions:

1. Is there a single set of properties that makes sense for Relationships, Assertions, and Sightings?
2. If there is a single set of properties, does it make sense to combine them, as Aharon has mentioned?
3. What clarifying questions, if any, do you have that will help you answer #1 or #2?
   a. Note that this might be the most important of the three questions!

Thank you.

- Mark

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Aharon Chernin

This should be "sightings object rethought".

While coming up with a proposal, I spotted a different way of thinking about Sightings. In my opinion, the most important thing is determining which STIX object is being sighted. However, there are some other bits of information that are useful: sightings producer and date/time of sighting.

Now take a look at the recent relationship object discussions:

Relationship Object Discussion:
ID [1]: The ID of the relationship, a simple random GUID
Marking [1]: The ID of the marking object that you should reference
Timestamp [1]: A timestamp in UTC stating when the relationship object was created.

Idea: Could a sighting be a type of Relationship?

Relationship Object Discussion:
ID [1]: <GUID>
Marking [1]: TLP Green
Timestamp [1]: <timestamp>

Or is there more metadata we need to collect regarding sightings, such that a sighting deserves its own object?

Aharon Chernin
SOLTRA | An FS-ISAC & DTCC Company
18301 Bermuda Green Dr, Tampa, FL 33647
813.470.2173 | achernin@soltra.com