Subject: Re: [cti-stix] Updated report proposal
All,

I wanted to re-up this since we just discussed it on the working call. The proposal is here:
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.y3otj21tnvuj

As a reminder, this topic is meant to address a need MISP brought up to share collections of threat intelligence (they call them “Events”) that are not at the level of a published report but need to be shared as a cohesive set with some shared context (title, description, labels, etc.)

We still have three open questions:

I think we’re VERY close to finally figuring this one out, so please let us know what you think. My opinions are:

Thanks!
John

From: <cti-stix@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>

Sorry about that… somewhat ironically, after there were problems with finding all of the stuff we were working on, I moved it over to the Working Concepts doc later last week:
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.y3otj21tnvuj

John

From: Sean Barnum <sean.barnum@FireEye.com>

I don’t see any proposal in the linked doc. I would object to attempts to conflate these two objects together. I believe I have given clear reasoning for this position in the past.

Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com

From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>

All,

As I mentioned in an e-mail yesterday, based on the straw poll that we had on the August 29 working call (notes here: https://www.oasis-open.org/committees/download.php/61462/OASIS-CTI-TC_WorkingSession_August29_2017.pdf) I put together a proposal to modify the report object to cover the concept of an evolving collection of content (i.e., the MISP use case). Proposal is here:
https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.n8bjzg1ysgdq

The changes are:
On the call most folks seemed to think that the best option was to modify the Report object, but we did have a couple open questions:
Thanks,
John