[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting
Hi Jason - What is "Alternative_ID" ? The Alternative_ID was taken from the IndicatorType object. From that object’s description it ‘Specifies an alternative identifier
(or alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it
just in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model… - Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all. Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see
what everyone else thinks. Suggested Mandatory Fields ·
Version ·
Title
·
Timestamp / Time Period ·
One or more referenced objects (i.e. idref) – (This would be done via Top-level relationship object) Suggested Optional Fields ·
Sighting Count ·
Timestamp / Time Period ·
Victim Organization information ·
Producer Organization information ·
Sighting Confidence ·
TLP / Data Markings ·
Alternative Sighting ID ·
Sighting Type ·
Description ·
Short Description Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year (https://github.com/STIXProject/schemas/issues/306).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?
Please note this reflects my own personal viewpoint. Cheers Terry MacDonald Senior STIX Subject Matter Expert SOLTRA | An FS-ISAC and DTCC Company +61 (407) 203 206 |
terry@soltra.com
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Jason Keirstead Questions - What is "Alternative_ID" ? - Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all. -
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]