Subject: Re: [cti-stix] Relationship Timestamp Properties: proposed description for the 2 timestamp parameters
I have a few issues with the way they are defined here. I believe that some people reading “the first time that the relationship between the objects was determined to have occurred” will interpret it to mean what was determined to be the initial time that the relationship is true, while others might read it as the time that a determination of the beginning of the time window occurred. These are significantly different things. It is even more unclear in “the last time that this relationship between the objects was determined to connect those 2 objects”. I would also take issue with the use of “the first time” and “the last time” in the definitions, as they imply discrete time events when in reality these fields on a relationship represent the bounds of a continuous time region. I would suggest that more continuous terminology be used, such as “earliest time” and “latest time”. I believe the term “occurred” is also somewhat troublesome. First, it implies that a relationship is something that happens (as in an action) rather than an assertion on a state of being. I would assert Relationship objects are the former and not the latter. Second, it implies that it is past tense, which, while the common case, is certainly not always the case.

The second sentence of the Field #1 definition looks fine. I think the third sentence of the Field #1 definition could be better worded. I think what an absence of a starting timestamp for the window really says is that there is no beginning bound to the window. If you specify an end time but no start time, then you are saying any time before the end time. If you specify a start time and no end time, then you are saying any time from the start time onward.

The second sentence of the Field #2 definition has an issue in its use of “no longer exist”. This wording implies that the producer is making an explicit assertion that the relationship will not be true after the end time. I would suggest that in common practice these sorts of time windows on relationships are intended to convey that the relationship will be true at least until the end time. There is typically not enough evidence to make a hard assertion that it does not hold true after a given time, as proving a negative is very difficult. The third sentence of the Field #2 definition is good.

I am sure that it sounds like I am being very picky. I am just concerned that ambiguity in these definitions is very likely to lead to confusion and inconsistent use. One of my main concerns here, as I have said before, is that we avoid any confusion that the timestamps might convey when an observation occurred or when a decision occurred on the beginning of the time window, rather than the window itself. This might seem like splitting hairs, but based on the active debates over first/last_seen, I think that this is a valid concern. As the comments above show, I am also concerned with making it very clear what we mean when using these fields to bound the time window associated with the assertion of a Relationship. So, to avoid being the guy who complains but offers no alternatives, here would be my suggested improvements:
I believe this more clearly and accurately conveys the meaning of these fields and uses consistent terminology and structure across the sentences and across the two field definitions, which should help reduce potential confusion.

Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com

From: <cti-stix@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>

Hi – I had taken an action item to propose the descriptions for 2 relationship timestamp properties. Please review below and suggest changes or acknowledge that these descriptions would be acceptable. To avoid folks focusing on the name of the property, I’ve chosen to just call them Relationship Timestamp Field #1 and #2.

Regards
Allan