
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen

I think so.

Also, I would suggest making it clear for folks that voted on 1 that the field will be optional, so if you don’t care to support it in your products/implementations then you don’t have to.


From: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Wednesday, November 30, 2016 at 2:02 PM
To: Allan Thomson <athomson@lookingglasscyber.com>, "Mr. Stefan Hagen" <stefan@hagen.link>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen

So if we zero out all the 1 -> 2 with the 4 -> 2 people, that leaves us with "2" as the preferred option?


From: Allan Thomson <athomson@lookingglasscyber.com>
Sent: Wednesday, November 30, 2016 2:56:11 PM
To: Bret Jordan (CS); Mr. Stefan Hagen; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen

4 -> 2 -> 3 -> 1



From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Wednesday, November 30, 2016 at 1:34 PM
To: "Mr. Stefan Hagen" <stefan@hagen.link>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen

My preference would be 1, 2.  IMHO 3 is bad and 4 is just confusing.


From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Mr. Stefan Hagen <stefan@hagen.link>
Sent: Wednesday, November 30, 2016 2:17:08 PM
To: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen

My preference chain is (like Sarah's): 1, 4, 2, 3 of:

1.      Keep first_seen as a summary field, but do not add last_seen (status quo)

2.      Add last_seen as a summary field with the above description or something similar (Allan’s proposal).

3.      Do not add last_seen and remove first_seen, relying entirely on sightings.

4.      Rename first_seen to first_active and add last_active (tentative names). This would help clarify that what you’re saying is what you – as the producer – think the lifetime of the campaign has been (aggregated from sightings and other data you might have, e.g. possibly ignoring sightings from producers you don’t trust)

All the best,
