Subject: Re: [cti-stix] STIX versioning as an interim solution to deduplication
Dear All,
I’d like to ask for your opinion.
Use case: many producers create intelligence with widely different content (names/meta/context) for the same threat information. Additionally, many producers don’t re-use, or across producers we don’t re-use, STIX IDs. Therefore, the challenge of duplication is significant.
While we already have many non-STIX ways of dealing with this at EclecticIQ, I wonder if STIX versioning idioms aren’t a way to accomplish part of this.
Example:

Before:
TTP A: Zeus, version 1 – namespace vendorA
TTP B: Zeus, version 1 – namespace vendorB
TTP C: Zeus, version 1 – namespace vendorC

After:
TTP D: Zeus version 1 – my own namespace
Related TTPs
Supersedes IDREF TTP A version 1
Supersedes IDREF TTP B version 1
Supersedes IDREF TTP C version 1
Basically telling my STIX authority that TTP A/B/C version 1 no longer should be current and then TTP D version 1 (my analytic decision that my Zeus is now all other Zeus) is actually analytically equal to the others?
J-
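
The consolidation proposed in the message above, sketched as an added example (not part of the original post, and not EclecticIQ's or the STIX project's code): a consumer follows the "Supersedes" links to decide which TTPs are still current. The ids, namespaces and record layout are constructed placeholders; the code also generalizes to chains and cycles of supersession, which the message does not discuss.

```python
# Constructed sample data mirroring the Before/After example in the message.
TTPS = [
    {"id": "vendorA:ttp-A", "title": "Zeus", "version": 1, "related": []},
    {"id": "vendorB:ttp-B", "title": "Zeus", "version": 1, "related": []},
    {"id": "vendorC:ttp-C", "title": "Zeus", "version": 1, "related": []},
    {"id": "my:ttp-D", "title": "Zeus", "version": 1, "related": [
        ("Supersedes", "vendorA:ttp-A"),
        ("Supersedes", "vendorB:ttp-B"),
        ("Supersedes", "vendorC:ttp-C"),
    ]},
]


def superseded_by(ttps):
    """Map each superseded id to the set of ids that claim to supersede it."""
    index = {}
    for ttp in ttps:
        for relationship, target in ttp["related"]:
            # Ignore self-references so an object cannot retire itself.
            if relationship == "Supersedes" and target != ttp["id"]:
                index.setdefault(target, set()).add(ttp["id"])
    return index


def current_ttps(ttps):
    """Ids that no other object supersedes, i.e. the deduplicated view."""
    index = superseded_by(ttps)
    return sorted(t["id"] for t in ttps if t["id"] not in index)


def resolve_current(ttp_id, ttps):
    """Follow Supersedes links from one id to the current object(s).

    Handles chains (D supersedes A, E supersedes D) and returns an empty
    list when the links form a cycle with no current object, which a
    consumer should treat as a data error rather than pick a winner.
    """
    index = superseded_by(ttps)
    current, seen, stack = set(), set(), [ttp_id]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        successors = index.get(node)
        if successors:
            stack.extend(successors)
        else:
            current.add(node)
    return sorted(current)
```

Because any producer can assert "Supersedes" against another namespace's id, a consumer applying this would also need a policy for whose assertions it trusts; that policy is outside this sketch.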