cti-stix message

Subject: Re: [cti-stix] Top-level Sighting Object from last meeting

From: Trey Darley <trey@soltra.com>
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Fri, 30 Oct 2015 10:15:25 +0100

On 29.10.2015 11:48:16, Jason Keirstead wrote:
> - Now you have another problem, for how long do you report these
> "negative assertions"? Forever? Indicators do not have a life-span
> attribute.
> 

Indicators *should* have some type of lifespan attribute. This is one
of the things I really like in OpenTPX. Cf. `score_24hr_decay_i`, page
16 in the OpenTPX Introduction [0]. Should be its own thread, but
let's take inspiration from OpenTPX and add a decay mechanism to
Indicators and (arguably) Observables.

[0]: https://www.opentpx.org/docs/openTPX-introduction.pdf

-- 
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"Every networking problem always takes longer to solve than it seems
like it should." --RFC 1925

Attachment: signature.asc
Description: PGP signature

Follow-Ups:
- RE: [cti-stix] Top-level Sighting Object from last meeting
  - From: Terry MacDonald <terry@soltra.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: Jerome Athias <athiasjerome@gmail.com>

References:
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: "Jordan, Bret" <bret.jordan@bluecoat.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: Joep Gommers <joep@eclecticiq.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: "Jordan, Bret" <bret.jordan@bluecoat.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: Joep Gommers <joep@eclecticiq.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>