
cti-stix message



Subject: Further STIX changes


All,

I wanted to discuss a few changes we made to the STIX drafts on the call today or in separate conversations. None are major, but they’re things the TC should know about and weigh in on. I also have a couple open questions:

1. We removed a direct reference to MAEC and instead made that field behave more like Indicator pattern (but without a default). It has a “structured_behavior” field and a “structured_lang” field to capture what language the structuring is in. The argument for this approach was that because MAEC is not in the OASIS TC we should not preference it above other languages (in particular, because it isn’t done yet).

2. There will be further discussion of Observed Data and Sighting. We’ll put together a use cases document that describes how they should be used in support of different scenarios, and when the different properties should be used. That may take a couple days.

3. There will be further discussion of Threat Actor, Campaign, and Intrusion Set… seems to be not a lot of consensus on what to do there, and certainly not a lot of understanding among the TC on what each one means. There will be a separate call where some experts will try to find better definitions or approaches for capturing that data.

Please keep up the good work reviewing the documents, and thanks for the work you’ve done so far! I know this can be a somewhat thankless and difficult thing to work on, but in the end I’m confident we’ll end up with something that’s worth all of this effort.

John


