
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


Hi Jason

- What is "Alternative_ID" ?

The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier (or alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it just in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…

- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.

Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see what everyone else thinks.

Suggested Mandatory Fields

- Version
- Title
- Timestamp / Time Period
- One or more referenced objects (i.e. idref) – (This would be done via Top-level relationship object)

Suggested Optional Fields

- Sighting Count
- Timestamp / Time Period
- Victim Organization information
- Producer Organization information
- Sighting Confidence
- TLP / Data Markings
- Alternative Sighting ID
- Sighting Type
- Description
- Short Description


Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year (https://github.com/STIXProject/schemas/issues/306). In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?

[Attached image: stix_diagram_terry_v2 0_proposal]

Please note this reflects my own personal viewpoint.

 

Cheers

 

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com
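As an added illustration (not code from the thread or from the STIX project) of the mandatory/optional split proposed above, the following checks a candidate Sighting against those field lists, with the idref references carried by separate top-level relationship objects as the proposal suggests. The field names, the JSON-like shape and the sample data are assumptions; the proposal names fields in prose only.

```python
# Added illustration, not STIX project code. Field names and the dict shape
# are assumptions; the proposal above names the fields only in prose.

MANDATORY = {"version", "title"}
TIME_FIELDS = {"timestamp", "time_period"}   # exactly one of these is required
OPTIONAL = {
    "id", "sighting_count", "victim_organization", "producer_organization",
    "sighting_confidence", "data_markings", "alternative_id",
    "sighting_type", "description", "short_description",
}


def validate_sighting(sighting, relationships):
    """Return a list of problems; an empty list means the sighting is acceptable.
    `relationships` stands in for the proposed top-level relationship objects:
    the idrefs from a sighting to what it saw live there, not in the sighting."""
    problems = []
    keys = set(sighting)
    missing = MANDATORY - keys
    if missing:
        problems.append(f"missing mandatory field(s): {sorted(missing)}")
    times = TIME_FIELDS & keys
    if not times:
        problems.append("a timestamp or a time_period is mandatory")
    elif len(times) > 1:
        problems.append("timestamp and time_period are alternatives; give one")
    unknown = keys - MANDATORY - TIME_FIELDS - OPTIONAL
    if unknown:
        problems.append(f"unknown field(s): {sorted(unknown)}")
    count = sighting.get("sighting_count", 1)
    if not isinstance(count, int) or count < 1:
        problems.append("sighting_count must be a positive integer")
    # Mandatory: at least one referenced object, carried by a relationship.
    if not any(r.get("source_idref") == sighting.get("id") for r in relationships):
        problems.append("no relationship object references this sighting")
    return problems


# Constructed sample data: one sighting of an indicator, linked by a relationship.
SIGHTING = {
    "id": "sighting--example-1",
    "version": "2.0",
    "title": "Connection to a blocklisted domain observed at the perimeter",
    "timestamp": "2015-10-26T14:00:00Z",
    "sighting_count": 3,
    "alternative_id": "sensor-alert-8812",   # the id the detecting tool assigned
}
RELATIONSHIPS = [
    {"type": "sighting-of", "source_idref": "sighting--example-1",
     "target_idref": "indicator--example-7"},
]
```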

 

 

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Tuesday, 27 October 2015 8:34 AM
To: Terry MacDonald <terry@soltra.com>
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting

 

Questions

 

- What is "Alternative_ID" ?

 

- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.

 

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

 

 

----- Original message -----
From: Terry MacDonald <terry@soltra.com>
Sent by: <cti-stix@lists.oasis-open.org>
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 

Hi All,

 

Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.

 

Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.

 

Cheers

 

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com

 

 

 

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
