Hi Jason,
"The ID stays the same over the lifetime of the object even if it is updated and the content changes."
If a sighting is a vertex (as proposed earlier), then how does a sighting "change"? You can't have it both ways... are they point-in-time occurrences and each has their own record, or not... ? I am confused.
All STIX content is versioned at present. There is always the possibility that it can be generated incorrectly, so STIX needs away
of updating or deleting the data that has been generated. At present this is done using this versioning methodology:
http://stixproject.github.io/documentation/concepts/versioning/
STIX Objects at the moment are actually identified with a composite key – Object ID + Timestamp. The Incremental update relies on a
just the timestamp changing, but the Object ID staying the same. The major update relies on a brand new object being created with an explicit relationship of ‘supersedes’.
Keeping the Object ID the same over the lifetime of the object ensures we can still use the Incremental update feature to modify it
in the future if needed.
Generating the ID from a hash of the content ensures that we can only use the major update method of version control. This is not actually
a bad thing however as it ensures that we are using explicit version control rather than implicit version control. And as we are wanting STIX to be explicit as much as possible this is a good thing. (And hit helps Firewalls generate STIX content with IDs based
on hashes!).
Cheers
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 |
terry@soltra.com
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Jason Keirstead
Sent: Wednesday, 4 November 2015 6:44 AM
To: Barnum, Sean D. <sbarnum@mitre.org>
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Some thoughts on Sightings and conversations to date (Part #4): should sightings have IDs?
I think the main point is - if a mandatory ID is a requirement for Sightings, then we will be severely limiting the types entities that can produce sightings. You are cutting out all of those other device classes, because it is simply not possible for them
to do that and have the IDs be meaningful. If they are forced to comply with the spec, then they will be simply be random UUIDs taking up space in the message, which may break other tools expecting them to have meaning.
I would strongly advocate to not force IDs for instances of sightings. If they are going to be there, they should be optional.
"The ID stays the same over the lifetime of the object even if it is updated and the content changes."
If a sighting is a vertex (as proposed earlier), then how does a sighting "change"? You can't have it both ways... are they point-in-time occurrences and each has their own record, or not... ? I am confused.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security |
www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
"Barnum,
Sean D." ---2015/11/03 03:12:53 PM---The fourth sightings sub-topic I wanted to comment on is around the question of whether sightings sh
From: "Barnum, Sean D." <sbarnum@mitre.org>
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/11/03 03:12 PM
Subject: [cti-stix] Some thoughts on Sightings and conversations to date (Part #4): should sightings have IDs?
Sent by: <cti-stix@lists.oasis-open.org>
The fourth sightings sub-topic I wanted to comment on is around the question of
whether sightings should have IDs or not.
I think there have been some clear assertions (along with their rationale) from Jason and Bret that it does not make sense for sightings to have IDs but also some good clear arguments from John, Terry and others
for why unique and persistent IDs are relevant for consumers to be able to reference, correlate and analyze diverse sightings from diverse sighters.
Again, putting on my expert hat rather than my co-chair hat, I wanted to offer some thoughts on this which are primarily just stating agreement with the arguments made by John, Terry and others.
-
I do believe that it is important for sightings to have IDs for many of the reasons already expressed on the list.
-
Specifically, I would also agree with Terry’s assertion that:
-
"We need an ID solution that:
-
Includes the domain namespace in the ID so that recipients know where to ask for more information.
-
The ID stays the same over the lifetime of the object even if it is updated and the content changes.
-
Recognizes that IDs will be coming from many different companies and many different sources and that we need a way of easily understanding who produced the data."
-
Includes the domain namespace in the ID so that recipients know where to ask for more information.
-
"We need an ID solution that:
-
On the sub-sub-topic ( :-) ) of Alternative_ID for Sightings,
-
I think that Alternative_ID does make sense for Sightings. It would allow the capture and reference of things like alert IDs issued by particular detection tools. The sightings would still need a STIX ID for effective referencing
within STIX content but the external ID would help support the potential for seeking out more detailed information where appropriate.
-
I think that Alternative_ID does make sense for Sightings. It would allow the capture and reference of things like alert IDs issued by particular detection tools. The sightings would still need a STIX ID for effective referencing
within STIX content but the external ID would help support the potential for seeking out more detailed information where appropriate.
sean