Subject: Re: [cti-stix] Re: [EXT] [cti-stix] Small changes from 2.0 - 2.1 - dates on relationships - current consensus
To me, "valid_until" conveys what you express above.
To me, "end_time" conveys that the relationship existed up to that time.
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Sent: Tuesday, September 5, 2017 6:26:59 PM
To: Sarah Kelley; cti-stix@lists.oasis-open.org
Subject: [cti-stix] Re: [EXT] [cti-stix] Small changes from 2.0 - 2.1 - dates on relationships - current consensus

It seems like having an end_time "suggests to me that somehow the relationship will expire after X hours/mins/days."
Bret
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>
Sent: Tuesday, September 5, 2017 2:24:04 PM
To: cti-stix@lists.oasis-open.org
Subject: [EXT] [cti-stix] Small changes from 2.0 - 2.1 - dates on relationships - current consensus

On today's working call, we discussed the proposal to add timestamps to the relationship object in order to indicate when the tool/analyst thought the relationship was correct. We achieved consensus on several things.
Relationship Timestamp Field #1
This optional timestamp represents the earliest time at which the relationship between the objects exists. If the timestamp field #1 is a future timestamp at the time the updated field is defined, then this represents an estimate by the producer of the intelligence on the earliest time at which the relationship will be asserted to be true. If not specified, then the earliest time at which the relationship between the objects exists is not defined.

Relationship Timestamp Field #2
This optional timestamp represents the latest time at which the relationship between the objects exists. If the timestamp field #2 is a future timestamp at the time the updated field is defined, then this represents an estimate by the producer of the intelligence on the latest time at which the relationship will be asserted to be true. If the timestamp field #2 is defined, then it MUST be later than the timestamp #1 value. If not specified, then the latest time at which the relationship between the objects exists is not defined.
Yes – 4 No – 10
So, current consensus is to use the above definitions (with minor wordsmithing), with the property names of “start_time” and “end_time”, and that it should be included in 2.1.
We’re sending this to the list to make sure everyone is aware of the discussion from the call and the current consensus, and to give everyone a chance to comment. If there are no objections, we will make these changes to the spec.
Thanks,
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive, East Greenbush, NY 12061
518-266-3493
24x7 Security Operations Center: SOC@cisecurity.org - 1-866-787-4722
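The rules in Sarah's message (optional earliest/latest bounds, future values treated as producer estimates, and the MUST that the second timestamp be later than the first) are easy to get subtly wrong in a consumer, for example by accepting equal timestamps or by comparing against wall-clock time instead of the object's own modification time. The checker below is an added example written for this page, not code from the cti-stix project or from any message in the thread. It uses the proposed property names `start_time` and `end_time` as they appear above; using the object's `modified` timestamp as the reference point for "future", the `check_relationship_times` and `is_valid` function names, and the sample objects are all this example's own assumptions, and the samples are constructed, not real STIX content.

```python
# Added example (not from the cti-stix thread): a checker for the proposed
# start_time / end_time properties on a STIX 2.x Relationship object.
# Property names follow the consensus text in the message above. Using the
# object's own "modified" timestamp as the reference point for "future", and
# the shape of the constructed samples, are assumptions of this example.
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional


def parse_stix_timestamp(value: str) -> datetime:
    """Parse a STIX timestamp (RFC 3339 in UTC with a 'Z' suffix) into a
    timezone-aware datetime. Offset forms such as '+00:00' are rejected."""
    if not value.endswith("Z"):
        raise ValueError(f"STIX timestamps must be UTC with a 'Z' suffix: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_relationship_times(rel: Dict, now: Optional[datetime] = None) -> List[str]:
    """Apply the proposed rules to one relationship dict and return findings.

    'ERROR' findings violate the proposed MUST or are unparsable;
    'NOTE' findings record undefined bounds or future timestamps, which the
    proposal treats as producer estimates rather than as errors.
    Reference point for "future": the object's 'modified' timestamp when
    present (assumption), otherwise the caller-supplied or current time.
    """
    if rel.get("type") != "relationship":
        return ["ERROR: object is not a STIX relationship"]

    if "modified" in rel:
        ref = parse_stix_timestamp(rel["modified"])
    else:
        ref = now or datetime.now(timezone.utc)

    findings: List[str] = []
    bounds: Dict[str, Optional[datetime]] = {}
    for name, label in (("start_time", "earliest"), ("end_time", "latest")):
        raw = rel.get(name)
        bounds[name] = None
        if raw is None:
            findings.append(f"NOTE: {name} absent; {label} time the relationship exists is undefined")
            continue
        try:
            ts = parse_stix_timestamp(raw)
        except ValueError as exc:
            findings.append(f"ERROR: {name} unparsable: {exc}")
            continue
        bounds[name] = ts
        if ts > ref:
            findings.append(f"NOTE: {name} is later than the reference time; treat as the producer's estimate of the {label} time")

    start, end = bounds["start_time"], bounds["end_time"]
    # The proposal says end_time MUST be *later* than start_time, so equal
    # timestamps are a violation, not a zero-length interval.
    if start is not None and end is not None and end <= start:
        findings.append("ERROR: end_time MUST be later than start_time")
    return findings


def is_valid(rel: Dict, now: Optional[datetime] = None) -> bool:
    """True when the relationship raises no ERROR findings."""
    return not any(f.startswith("ERROR") for f in check_relationship_times(rel, now))


# Constructed sample objects (not real STIX content), keyed by scenario.
SAMPLE_JSON = """
{
 "ok":         {"type": "relationship", "relationship_type": "uses",
                "modified": "2017-09-05T18:26:59.000Z",
                "start_time": "2017-01-01T00:00:00Z", "end_time": "2017-06-01T00:00:00Z"},
 "equal":      {"type": "relationship", "relationship_type": "uses",
                "modified": "2017-09-05T18:26:59.000Z",
                "start_time": "2017-01-01T00:00:00Z", "end_time": "2017-01-01T00:00:00Z"},
 "future_end": {"type": "relationship", "relationship_type": "uses",
                "modified": "2017-09-05T18:26:59.000Z",
                "start_time": "2017-01-01T00:00:00Z", "end_time": "2018-01-01T00:00:00Z"},
 "no_bounds":  {"type": "relationship", "relationship_type": "uses",
                "modified": "2017-09-05T18:26:59.000Z"},
 "bad_ts":     {"type": "relationship", "relationship_type": "uses",
                "modified": "2017-09-05T18:26:59.000Z",
                "start_time": "2017-01-01T00:00:00+00:00"}
}
"""
SAMPLES = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    for label, rel in SAMPLES.items():
        print(f"{label}: valid={is_valid(rel)}")
        for f in check_relationship_times(rel):
            print("   ", f)
```

Run the file directly to see each scenario's findings; the `future_end` case stays valid but carries a NOTE, the `equal` case fails the MUST, and `no_bounds` is valid with both bounds reported as undefined. If a consumer wants to fail closed on anything that is not a definite interval, filter on NOTE findings as well as ERROR ones.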