I would be in favor of ISO8601 as I suggested in the best practices guide. We need to have something that is rigid and defined, not open ended for people to do anything and its dog.
yyyy-mm-ddThh:mm:ss.ssss+-hh:mm
I am not against UNIX EPOC if the majority of people want to go that way. But I see it as either ISO8601 with the format I have shown above or UNIX EPOC with some sort of time zone element. The nice thing about the format above is it includes the timezone offset.
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
I did not realize timestamps had to follow ISO8601.... they certainly don't in the wild. I see all kinds of different variations of timestamps...some people have them, some don't, some include milliseconds, some don't, some include nanoseconds, some don't, sometimes there is a timezone, sometimes not...
It would be highly desired that STIX 2.0 have a very strict and mandator timestamp format, accurate at a minimum to the millisecond, declared in the schema - or even simpler, just use UNIX EPOC for timestamps, which would do-away with most of the need for that parsing load.
- Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<graycol.gif>Terry MacDonald ---11/18/2015 03:42:55 PM---Thanks Jason. Good point on the timestamps. I’ve haven’t mentioned them directly – more in passing u
From: Terry MacDonald <terry@soltra.com> To: Jason Keirstead/CanEast/IBM@IBMCA, John Anderson <janderson@soltra.com> Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Date: 11/18/2015 03:42 PM Subject: RE: [cti-stix] Re: Things that are difficult in STIX Sent by: <cti-stix@lists.oasis-open.org>
Thanks Jason. Good point on the timestamps. I’ve haven’t mentioned them directly – more in passing under the Versioning topic. It could be a good idea to add them when we add the document to the issue tracker/wiki. We may not strictly need them for versioning reasons if we decide to go for Major versioning only, but we probably still should need them to help with generating timelines to aid with analysis. As and aside, timestamps must be in ISO8601 format, and should include time zone wherever possible(http://stixproject.github.io/documentation/suggested-practices/#creating-timestamps) Cheers Terry MacDonaldSenior STIX Subject Matter ExpertSOLTRA | An FS-ISAC and DTCC Company+61 (407) 203 206 | terry@soltra.com From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jason Keirstead Sent: Thursday, 19 November 2015 4:37 AM To: John Anderson <janderson@soltra.com> Cc: Terry MacDonald <terry@soltra.com>; cti-stix@lists.oasis-open.org Subject: Re: [cti-stix] Re: Things that are difficult in STIX I think this document is excellent!
One I would like to add that I don't see present - timestamps. The fact that timestamps are (a) optional, and (b) have an undefined format (no required ISO format string), makes STIX very painful to work with as a consumer. All we have are best practices, which are not always adhered to, and even the best practice is inconsistent with respect to things like how to treat time zones.
- Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<graycol.gif>John Anderson ---11/18/2015 10:55:13 AM---Terry, Thank you. This document explicitly points out many of the "pain points" I (as a recent induc
From: John Anderson <janderson@soltra.com> To: Terry MacDonald <terry@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Date: 11/18/2015 10:55 AM Subject: [cti-stix] Re: Things that are difficult in STIX Sent by: <cti-stix@lists.oasis-open.org>
Terry, Thank you. This document explicitly points out many of the "pain points" I (as a recent inductee to the STIX/CybOX implementor's club) have felt. I am very encouraged by your vision of the future.
My two favorites are:- top-level Relationship object -> This foundational shift will greatly KISS the data model. Bring it on!
- top-level Opinion object -> Can I "+1" this idea? <0F347492.gif>
The rest is good, too, and I look forward to a greatly-improved STIX 1.2 that's very close to your proposal. JSA
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry@soltra.com> Sent: Tuesday, November 17, 2015 8:47 PM To: cti-stix@lists.oasis-open.org Subject: [cti-stix] Things that are difficult in STIX
Hi All,
We’ve spent a bit of time over the last 2 weeks thinking about where STIX could be improved. We’ve gone through the various discussion points that people have raised on and off list, and through the various experiences that we’ve had ourselves in using STIX. The attached document is the result of that work. In it we list 25 topics that we believe could be improved in some way (or at least should be discussed).
Our hope is that the document will help prompt discourse, and move us towards consensus so that we can agree some of the cross-cutting major issues that Sean mentioned in his STIX v2.0 Roadmap wiki page. We plan to add these items to the STIX issue tracker, and to the STIX v2.0 Roadmap wiki page, so that they are accurately tracked and followed.
Please feel free to provide feedback on this document – positive or not – as the end goal is making something that was better than before. We have thick skins J.
Also - thank you to all who provided items for inclusion in the list. I haven’t named people as I wasn’t sure if they wanted their names public. But please accept my thanks for your input.
Cheers
Terry MacDonald Senior STIX Subject Matter Expert SOLTRA | An FS-ISAC and DTCC Company +61 (407) 203 206 | terry@soltra.com
|