Thanks for doing this very detailed change log. If we had something like this for the changes from STIX 2.0 to STIX 2.1, we could publish that as a committee note.
Bret
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Kirillov, Ivan A. <ikirillov@mitre.org>
Sent: Tuesday, August 27, 2019 3:00 PM
To: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
Subject: [EXT] [cti] Re: STIX 2.1 WD04 -> WD05 Changes
For those interested, the complete set of changes is below (we had missed a few things earlier):
Part 1: Master
- Common property ‘spec_version’: implicit value is now 2.1 for all SCOs, still 2.0 for all other objects
- SCO Common property renamed: is_defanged -> defanged
- In 3.5 Object Creator, a MAY was changed to a MUST, which could be read to mean that created_by_ref SHOULD be present on all objects that can have this property
- Language Content
  - object_modified now optional
Part 2: SDOs and SROs
- Attack Pattern
- Grouping
  - object_refs are now required
- Indicator
  - New property: pattern_type
  - New property: pattern_version
  - New relationship: indicator based-on observed-data
  - name, description SHOULD be present
- Infrastructure
- Location
  - New property: name
  - Property renamed: code -> street_address
- Malware
  - New relationship: malware originates-from location
- Malware Analysis
  - One of av_result or analysis_sco_refs MUST be present
  - Property renamed: module -> modules
  - Property type changed: string -> list of type string
  - Property renamed: av_engine_version -> analysis_engine_version
  - Property renamed: av_definition_version -> analysis_definition_version
  - Property renamed: host_vm -> host_vm_ref
  - Property renamed: operating_system -> operating_system_ref
  - Property renamed: installed_software -> installed_software_refs
- Observed Data
  - Property deprecated: objects
  - Removed a MUST requirement (that we couldn’t validate), so now observed data can contain SCOs not related to each other
- Threat Actor
  - New property: first_seen
  - New property: last_seen
- Tool
  - New relationship: tool has vulnerability
- Vulnerability
  - Relationship removed: vulnerability impacts infrastructure, tool
- Sighting
  - New property: description
Part 3: SCOs
- Directory Object
  - Property renamed: created -> ctime
  - Property renamed: modified -> mtime
  - Property renamed: accessed -> atime
- Domain Name Object
  - Property deprecated: resolves_to_refs (was already optional in WD 04)
  - New relationship: domain-name resolves-to domain-name
  - New relationship: domain-name resolves-to ipv4-addr
  - New relationship: domain-name resolves-to ipv6-addr
- File Object
  - Property renamed: created -> ctime
  - Property renamed: modified -> mtime
  - Property renamed: accessed -> atime
- IPv4 Address Object (ipv4-addr)
  - Property deprecated: resolves_to_refs (was already optional in WD 04)
  - Property deprecated: belongs_to_refs (was already optional in WD 04)
  - New relationship: ipv4-addr resolves-to mac-addr
  - New relationship: ipv4-addr belongs-to autonomous-system
- IPv6 Address Object (ipv6-addr)
  - Property deprecated: resolves_to_refs (was already optional in WD 04)
  - Property deprecated: belongs_to_refs (was already optional in WD 04)
  - New relationship: ipv6-addr resolves-to mac-addr
  - New relationship: ipv6-addr belongs-to autonomous-system
- Windows Registry Key Object
  - Property renamed: modified -> modified_time
  - ID contributing properties: all items in values MUST be included
Part 4: Vocabs
- Implementation Language (implementation-language-ov)
  - New value: perl
  - New value: ruby
Part 5: Patterns
- An Observation Expression MUST NOT have more than one Qualifier of a particular type
- For ‘a REPEATS x TIMES’, a MUST match at least x times (changed from ‘exactly x times’)
- Comparison Expressions MUST evaluate to false if evaluated against one or more Object Paths that are not present or cannot be obtained
- New set operator for Comparison Expressions: EXISTS
Regards,
Ivan
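The renames and deprecations in the change log above, applied mechanically to a WD04-style bundle, as an added example written for this page (it is not Ivan's, MITRE's or the TC's code). The bundle contents, the object ids and the uuid5-derived relationship ids are constructed assumptions; only the property names, the module -> modules type change and the ref-list -> relationship mappings come from the message. The script renames SCO and SDO properties, turns is_defanged into defanged, and converts each deprecated resolves_to_refs / belongs_to_refs entry into an explicit relationship SRO.

```python
"""Added example: apply the WD04 -> WD05 renames from the change log above to a STIX bundle.

Illustrative code written for this page, not an OASIS or MITRE tool. It covers only the
renames and deprecations listed in the message; everything else in the bundle is left alone.
"""
import copy
import uuid
from datetime import datetime, timezone

# Per-type property renames, copied from the change log (Parts 2 and 3).
RENAMES = {
    "directory": {"created": "ctime", "modified": "mtime", "accessed": "atime"},
    "file": {"created": "ctime", "modified": "mtime", "accessed": "atime"},
    "windows-registry-key": {"modified": "modified_time"},
    "location": {"code": "street_address"},
    "malware-analysis": {
        "module": "modules",
        "av_engine_version": "analysis_engine_version",
        "av_definition_version": "analysis_definition_version",
        "host_vm": "host_vm_ref",
        "operating_system": "operating_system_ref",
        "installed_software": "installed_software_refs",
    },
}

# Deprecated embedded ref lists (Part 3) and the relationship type that replaces each one.
REF_LISTS_TO_RELATIONSHIPS = {
    ("domain-name", "resolves_to_refs"): "resolves-to",
    ("ipv4-addr", "resolves_to_refs"): "resolves-to",
    ("ipv4-addr", "belongs_to_refs"): "belongs-to",
    ("ipv6-addr", "resolves_to_refs"): "resolves-to",
    ("ipv6-addr", "belongs_to_refs"): "belongs-to",
}


def make_relationship(source_ref, rel_type, target_ref, timestamp=None):
    """Build a STIX relationship SRO. The id is a uuid5 of (source, type, target) so that a
    second migration run yields the same object instead of a duplicate; that is a choice made
    here for idempotence, not something the change log mandates."""
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    rel_id = "relationship--" + str(uuid.uuid5(uuid.NAMESPACE_URL, f"{source_ref}|{rel_type}|{target_ref}"))
    return {
        "type": "relationship",
        "spec_version": "2.1",  # stated explicitly; the change log only makes 2.1 implicit for SCOs
        "id": rel_id,
        "created": ts,
        "modified": ts,
        "relationship_type": rel_type,
        "source_ref": source_ref,
        "target_ref": target_ref,
    }


def migrate_object(obj):
    """Return (migrated copy, relationship objects spun out of deprecated ref lists)."""
    new = copy.deepcopy(obj)
    spun_out = []
    otype = new.get("type")
    if "is_defanged" in new:                      # SCO common property rename (Part 1)
        new["defanged"] = new.pop("is_defanged")
    for old, fresh in RENAMES.get(otype, {}).items():
        if old in new:
            new[fresh] = new.pop(old)
    if otype == "malware-analysis" and isinstance(new.get("modules"), str):
        new["modules"] = [new["modules"]]         # type changed: string -> list of string
    for (src_type, prop), rel_type in REF_LISTS_TO_RELATIONSHIPS.items():
        if otype == src_type and prop in new:
            for target_ref in new.pop(prop):
                spun_out.append(make_relationship(new["id"], rel_type, target_ref))
    return new, spun_out


def migrate_bundle(bundle):
    """Migrate every object in a bundle; new relationships follow their source object."""
    out = copy.deepcopy(bundle)
    objects = []
    for obj in bundle.get("objects", []):
        new, spun_out = migrate_object(obj)
        objects.append(new)
        objects.extend(spun_out)
    out["objects"] = objects
    return out


# Constructed WD04-style sample input (ids and values are made up for this example).
WD04_BUNDLE = {
    "type": "bundle",
    "id": "bundle--0f9a1c2e-6b3d-4e5f-8a7b-9c0d1e2f3a4b",
    "objects": [
        {"type": "file", "id": "file--5c2e8d1a-7b4f-4c3d-9e0a-1b2c3d4e5f60",
         "name": "dropper.exe", "created": "2019-07-01T12:00:00Z", "is_defanged": False},
        {"type": "domain-name", "id": "domain-name--1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d",
         "value": "example[.]com", "is_defanged": True,
         "resolves_to_refs": ["ipv4-addr--9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b"]},
        {"type": "ipv4-addr", "id": "ipv4-addr--9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b",
         "value": "198.51.100.7",
         "belongs_to_refs": ["autonomous-system--2b3c4d5e-6f70-4a8b-9c0d-1e2f3a4b5c6d"]},
        {"type": "malware-analysis", "id": "malware-analysis--3c4d5e6f-7a8b-4c9d-8e0f-1a2b3c4d5e6f",
         "product": "example-sandbox", "module": "static", "av_engine_version": "1.2.3"},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(migrate_bundle(WD04_BUNDLE), indent=2))
```

Running the script prints the migrated bundle: four original objects with WD05 property names plus two relationship objects (domain-name resolves-to ipv4-addr, ipv4-addr belongs-to autonomous-system). Because the relationship ids are derived deterministically, feeding the output back through the script neither renames anything further nor adds duplicate relationships, which is the property you want before pointing such a converter at a TAXII collection.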
From: Ivan Kirillov <ikirillov@mitre.org>
Date: Monday, July 15, 2019 at 10:03 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: STIX 2.1 WD04 -> WD05 Changes
All,
One of our team members put together a list of changes between WD04 and WD05 for those interested:
Part 2: SDOs and SROs
- Attack Pattern
- Grouping
  - object_refs are now required
- Indicator
  - New property: pattern_type
  - New property: pattern_version
  - New relationship: indicator based-on observed-data
- Infrastructure
- Location
  - New property: name
  - Property renamed: code -> street_address
- Malware
  - New relationship: malware originates-from location
- Malware Analysis
  - Property renamed: module -> modules
  - Property type changed: string -> list of type string
  - Property renamed: av_engine_version -> analysis_engine_version
  - Property renamed: av_definition_version -> analysis_definition_version
  - Property renamed: host_vm -> host_vm_ref
  - Property renamed: operating_system -> operating_system_ref
  - Property renamed: installed_software -> installed_software_refs
- Threat Actor
  - New property: first_seen
  - New property: last_seen
- Tool
  - New relationship: tool has vulnerability
- Vulnerability
  - Relationship removed: vulnerability impacts infrastructure, tool
- Sighting
  - New property: description
Part 4: Vocabs
- Implementation Language (implementation-language-ov)
  - New value: perl
  - New value: ruby
Regards,
Ivan