Subject: Re: [EXT] Re: [cti-stix] Updated report proposal
1) I can go either way, not sure if I have a strong opinion on this. What would change my opinion is knowing whether either of these objects will grow or expand in the future. Right now they seem pretty close, but over time will they diverge? By grouping them into the same object do we prevent them from growing / expanding in the future, as the growth in one area would negatively impact the growth in the other? If they are two objects then what happens when one needs to be converted into the other? Is this more problematic than the risks outlined above, or would a new object creation just be the logical step?
2) I have argued several times for content to be in its own property only to have this SC and RichThe say "that is what labels are for". I think we need to have clear guidance on when we use labels and when we use a special property for things that are "labels of status".
3) The values in the list seem like they need some work, they feel a bit wishy-washy to me... If we do not have solid values that make a ton of sense, then maybe we have a field that just has 1 or 2 options. We can always add more later, assuming we figure out why this is not just labels.
Bret
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org>
Sent: Tuesday, September 19, 2017 2:13:55 PM
To: cti-stix@lists.oasis-open.org
Subject: [EXT] Re: [cti-stix] Updated report proposal
All,
I wanted to re-up this since we just discussed it on the working call. The proposal is here:
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.y3otj21tnvuj
As a reminder, this topic is meant to address a need MISP brought up to share collections of threat intelligence (they call them “Events”) that are not at the level of a published report but need to be shared as a cohesive set with some shared context (title, description, labels, etc.)
We still have three open questions:
I think we’re VERY close to finally figuring this one out, so please let us know what you think. My opinions are:
Thanks! John

From: <cti-stix@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Sorry about that…somewhat ironically, after there were problems with finding all of the stuff we were working on, I moved it over to the Working Concepts doc later last week:
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.y3otj21tnvuj
John

From: Sean Barnum <sean.barnum@FireEye.com>
I don’t see any proposal in the linked doc. I would object to attempts to conflate these two objects together. I believe I have given clear reasoning for this position in the past.
Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com

From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
All,
As I mentioned in an e-mail yesterday, based on the straw poll that we had on the August 29 working call (notes here: https://www.oasis-open.org/committees/download.php/61462/OASIS-CTI-TC_WorkingSession_August29_2017.pdf) I put together a proposal to modify the report object to cover the concept of an evolving collection of content (i.e., the MISP use case). Proposal is here:
https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.n8bjzg1ysgdq
The changes are:
On the call most folks seemed to think that the best option was to modify the Report object, but we did have a couple open questions:
Thanks,
John