

Subject: Re: [cti-stix] external-references keywords


It does have some overlap, in the sense that you can pass a URL, but the primary purpose of the artifact object seems to be actually providing the content (either as a URL to download it from or as an encoded payload) while this type seems mostly about referencing other content (I would not expect a tool consuming these references to automatically download the content at the URL). So they seem differentiated enough to me to not worry about it...

 

John

 

From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Tuesday, May 31, 2016 at 2:02 PM
To: Rich Piazza <rpiazza@mitre.org>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] external-references keywords

 

FWIW, external_reference seems to have a lot of overlap with the Cybox Artifact object (see https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.3py86bmi9w34 )

Could there be some unification here?

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Piazza, Rich" <rpiazza@mitre.org>
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 05/31/2016 02:44 PM
Subject: [cti-stix] external-references keywords
Sent by: <cti-stix@lists.oasis-open.org>





Hi everyone,

I think these four keywords would cover all of the external reference details. I’ve included some examples below. Can anyone think of some external reference that couldn’t be specified using these keywords?

Rich



external_references: array of {
description : string
external_id: string
source: ov?
url: url
}

Any combination is legal

Examples:

CAPEC:

[ { "source": "capec", "external_id": "capec-550" } ]

CAPEC with URL

[ { "source": "capec", "external_id": "capec-550", "url": "http://capec.mitre.org/data/definitions/550.html"} ]

APT1:

[{ "description": "APT1 report", "url": "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"}]

VERIS:

[{"source": "veris", "external_id": "00C84D6A-CDB8-4A5B-A1A6-0D75A65274D7"}]

Jira:

[{"source": "jira", "external_id": "TAB-1370", "url": "https://issues.oasis-open.org/browse/TAB-1370"}]
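
Added example, not part of the original thread and not OASIS or STIX project code: a consumer-side check of the proposed four-keyword structure, run over the five examples from the message. In line with the reply at the top of the thread, the URL is only parsed, never fetched. The function names, the http/https restriction and the rejection of an empty entry are assumptions of this sketch.

```python
import json
from urllib.parse import urlsplit

# The four keywords proposed in the message above.
ALLOWED_KEYS = {"description", "external_id", "source", "url"}
# Assumption of this sketch: only web links are accepted as reference URLs.
ALLOWED_SCHEMES = {"http", "https"}

def check_reference(ref):
    """Return a list of problems found in one external reference entry."""
    if not isinstance(ref, dict):
        return ["entry is not an object"]
    # Assumption: "any combination is legal" still requires one keyword.
    problems = [] if ref else ["entry has no keywords"]
    for key in sorted(set(ref) - ALLOWED_KEYS):
        problems.append(f"unknown keyword: {key}")
    for key in sorted(set(ref) & ALLOWED_KEYS):
        if not isinstance(ref[key], str) or not ref[key].strip():
            problems.append(f"{key} must be a non-empty string")
    url = ref.get("url")
    if isinstance(url, str) and url.strip():
        try:  # parse only; the referenced content is never downloaded
            parts = urlsplit(url)
            ok = parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)
        except ValueError:
            ok = False
        if not ok:
            problems.append("url must be an absolute http(s) URL")
    return problems

def check_external_references(text):
    """Parse a JSON array; map entry index -> problems (empty dict = valid)."""
    refs = json.loads(text)
    if not isinstance(refs, list):
        return {-1: ["external_references is not an array"]}
    checked = ((i, check_reference(r)) for i, r in enumerate(refs))
    return {i: p for i, p in checked if p}

# The five examples from the message.
FROM_MESSAGE = [
    '[{"source": "capec", "external_id": "capec-550"}]',
    '[{"source": "capec", "external_id": "capec-550", "url": "http://capec.mitre.org/data/definitions/550.html"}]',
    '[{"description": "APT1 report", "url": "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"}]',
    '[{"source": "veris", "external_id": "00C84D6A-CDB8-4A5B-A1A6-0D75A65274D7"}]',
    '[{"source": "jira", "external_id": "TAB-1370", "url": "https://issues.oasis-open.org/browse/TAB-1370"}]',
]
# Constructed malformed input (not from the message).
CONSTRUCTED_BAD = '[{"source": "capec", "id": "capec-550"}, {"url": "file:///tmp/report.pdf"}, {}, {"description": 550}]'

if __name__ == "__main__":
    for text in FROM_MESSAGE + [CONSTRUCTED_BAD]:
        print(check_external_references(text) or "valid")
```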









