cti-stix message



Subject: RE: STIX 2.0 - Sightings object


Given this, it sounds like Sightings might be a FK to an Indicator with an additional PK of a timestamp?  Is that the case? 

 

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Davidson II, Mark S
Sent: Thursday, August 20, 2015 9:17 AM
To: Aharon Chernin; cti-stix@lists.oasis-open.org
Subject: [cti-stix] RE: STIX 2.0 - Sightings object

 

Great discussion topic!

 

There has been some previous discussion on the STIX Schemas GitHub on this topic: https://github.com/STIXProject/schemas/issues/291

 

The conversation seemed (to me) to settle on the idea that there were three concepts that are related in some way:

1. Relationships – A link between objects (e.g., this TTP is related to that Indicator)

2. Assertions – The +1/-1 concept

3. Sightings – “I saw that, too!”

 

It seems that the structures are similar across the three concepts (e.g., id, from, to, assertion, source/confidence/rationale) and that the larger open question is whether humans are benefitted by these things being variations of the same concept or three different concepts (or something else).

 

I personally think there is a single set of common properties that can do Relationships, Assertions, and Sightings, and that it looks roughly like what Aharon posted. However, there was a counter-point that this combining of concepts makes it more difficult to understand.

 

I’ll leave the group with these questions:

1. Is there a single set of properties that makes sense for Relationships, Assertions, and Sightings?

2. If there is a single set of properties, does it make sense to combine them, as Aharon has mentioned?

3. What clarifying questions, if any, do you have that will help you answer #1 or #2?

   a. Note that this might be the most important of the three questions!

 

Thank you.

- Mark

 

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Aharon Chernin
Sent: Thursday, August 20, 2015 8:25 AM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] STIX 2.0 - Sightings object

 

This should be "sightings object rethought". While coming up with a proposal, I spotted a different way of thinking about Sightings. In my opinion, the most important thing is determining which STIX object is being sighted. However, there are some other bits of information that are useful: sightings producer and date/time of sighting.

 

Now take a look at the recent relationship object discussions:

 

Relationship Object Discussion:

ID [1]: The ID of the relationship, a simple random GUID
Marking [1]: The ID of the marking object that you should reference
Version [1]: The version of the relationship; a simple number to be used with the ID for version control
Type [1]: The “type” of relationship being expressed. (Not sure of how this works yet)
Description [1]: A single simple and short description
Source [1]: The ID of one or more source entities in the relationship as a URI (not QName)
Targets [1..N]: The ID of one or more targets in the relationship as a URI (not QName)
Start [1]: A timestamp in UTC stating when the relationship between the objects started, or the text 'unknown'.
End [1]: A timestamp in UTC stating when the relationship between the objects ended, or the text 'ongoing', or the text 'unknown'.
Reliability/Confidence [1]: A measure of confidence in the relationship using the Information Reliability scale.
Producer [1]: A simple producer object like what John calls out
Timestamp [1]: A timestamp in UTC stating when the relationship object was created.

 

 

Idea:

 

Could a sighting be a type of Relationship? 

 

Relationship Object Discussion:

ID [1]: <GUID>
Marking [1]: TLP Green
Version [1]: 1
Type [1]: Sighting
Description [1]: Soltra Edge reported Sighting
Source [1]: Soltra
Targets [1..N]: soltra:indicator-<GUID>
Start [1]:
End [1]:
Reliability/Confidence [1]:
Producer [1]: Soltra
Timestamp [1]: <timestamp>

 

 

Or is there more meta data we need to collect regarding sightings that a sighting deserves its own object?

 

 

Aharon Chernin
CTO

SOLTRA | An FS-ISAC & DTCC Company

18301 Bermuda Green Dr

Tampa, FL 33647

813.470.2173 | achernin@soltra.com


DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.

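To make the "sighting as a Relationship" proposal concrete, here is an added example (not code from this thread or from the STIX project) that models the proposed Relationship fields in Python, checks the Targets [1..N] cardinality and the Start/End vocabulary ('unknown', 'ongoing' or a UTC timestamp), builds a Sighting-typed relationship like the one in the message above, and groups sightings by the sighted indicator, which is the indicator-plus-timestamp view the top reply asks about. The snake_case field names and the ISO 8601 'Z' timestamp format are assumptions, not anything the thread specifies.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List
import uuid

START_TOKENS = {"unknown"}           # Start: UTC timestamp or 'unknown'
END_TOKENS = {"ongoing", "unknown"}  # End: UTC timestamp, 'ongoing' or 'unknown'

def _valid_time(value: str, tokens: set) -> bool:
    """Accept an allowed literal token or an ISO 8601 UTC timestamp ending in 'Z'."""
    if value in tokens:
        return True
    try:
        return value.endswith("Z") and datetime.fromisoformat(value[:-1]) is not None
    except ValueError:
        return False

@dataclass
class Relationship:            # field names are assumed, mirroring the proposal
    type: str                  # e.g. "Sighting"
    source: str                # ID of the source entity as a URI
    targets: List[str]         # 1..N target IDs as URIs
    producer: str
    start: str = "unknown"
    end: str = "unknown"
    id: str = field(default_factory=lambda: str(uuid.uuid4()))

    def validate(self) -> List[str]:
        """Return cardinality/vocabulary violations; an empty list means valid."""
        problems = []
        if not self.targets:
            problems.append("Targets [1..N] needs at least one target")
        if not _valid_time(self.start, START_TOKENS):
            problems.append(f"bad Start: {self.start!r}")
        if not _valid_time(self.end, END_TOKENS):
            problems.append(f"bad End: {self.end!r}")
        return problems

def make_sighting(producer: str, indicator_id: str, seen_at: str) -> Relationship:
    """A sighting expressed as a Relationship of Type 'Sighting', as in the example."""
    return Relationship(type="Sighting", source=producer, targets=[indicator_id],
                        producer=producer, start=seen_at, end=seen_at)

def sightings_per_indicator(rels: List[Relationship]) -> Dict[str, List[str]]:
    """Group valid sighting times by sighted indicator (indicator -> sorted timestamps)."""
    out: Dict[str, List[str]] = {}
    for r in rels:
        if r.type == "Sighting" and not r.validate():
            for t in r.targets:
                out.setdefault(t, []).append(r.start)
    return {k: sorted(v) for k, v in out.items()}
```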
