
cti-stix message



Subject: Relationships Proposal (Two Birds with One Stone)


When we were talking through the relationships object yesterday, the proposal was centered around two options… either unidirectional or bidirectional links.  While the room seemed to be OK with unidirectional links by default, I think we would do ourselves a favor by supporting a syntax that allows either undirected or directed links instead.

 

In this example, it really doesn’t matter that we point an arrow at each of these objects as they are aliases.  You could substitute the label “friends”, “lives with”, etc. and achieve the same functionality without changing the object type.

 

 

{
    "type": "relationship",
    "from": "threatstar.com:APT28",
    "to": "threatbank.com:WildKitten",
    "label": "aka",
    "is_directed": false
}

 

In this example, there is value in directing the relationship from one node to another.

 

 

{
    "type": "relationship",
    "from": "dhs.gov:the_chairman",
    "to": "baml.com:the_secretary",
    "label": "father",
    "is_directed": true
}

 

However, if someone really did want a bidirectional link, you could use the very same object and only set one more edge.

 

 

{
    "type": "relationship",
    "from": "soltra.com:google-public-dns-a.google.com",
    "to": "eclecticiq.com:8.8.8.8",
    "label": "resolves_to",
    "is_directed": true
}

 

{
    "type": "relationship",
    "from": "eclecticiq.com:8.8.8.8",
    "to": "soltra.com:google-public-dns-a.google.com",
    "label": "resolves_from",
    "is_directed": true
}

 

In practice, many graph databases will go ahead and store and / or query the first two examples in this way to support “search around” functionality.  At the end of the day, many analysts might be frustrated by a truly “unidirectional” link, in which case you would not find that 8.8.8.8’s hostname was google-public-dns-a.google.com if you tried to find outbound links from 8.8.8.8 and only had one edge.

 

Alex Foley

Vice President
Global Information Security

Bank of America

NC1-022-12-11, 201 N Tryon St, Charlotte, NC 28255
T 980.386.3140 M 919.428.4074
alexander.foley@bankofamerica.com


 


This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
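The traversal behaviour discussed in the message, as an added example that is not part of the original post or of any STIX tooling: it indexes the message's relationship objects and compares a strict outbound query with a "search around" query. The function names are hypothetical, and treating `"is_directed": false` as traversable from either end is an assumption about the proposed semantics.

```python
from collections import defaultdict

# Relationship objects copied from the message above.
ALIAS = {"type": "relationship", "from": "threatstar.com:APT28",
         "to": "threatbank.com:WildKitten", "label": "aka", "is_directed": False}
FORWARD = {"type": "relationship",
           "from": "soltra.com:google-public-dns-a.google.com",
           "to": "eclecticiq.com:8.8.8.8", "label": "resolves_to",
           "is_directed": True}
REVERSE = {"type": "relationship", "from": "eclecticiq.com:8.8.8.8",
           "to": "soltra.com:google-public-dns-a.google.com",
           "label": "resolves_from", "is_directed": True}


def build_index(relationships):
    """Index edges by source node (hypothetical helper).

    Assumption: an undirected relationship is indexed under both ends.
    """
    outbound = defaultdict(set)
    for rel in relationships:
        if rel.get("type") != "relationship":
            continue  # ignore other object types
        if not isinstance(rel.get("is_directed"), bool):
            raise ValueError("is_directed must be true or false")
        outbound[rel["from"]].add((rel["label"], rel["to"]))
        if not rel["is_directed"]:
            outbound[rel["to"]].add((rel["label"], rel["from"]))
    return outbound


def outbound_links(index, node):
    """Strict outbound query: only edges that start at `node`."""
    return sorted(index.get(node, ()))


def search_around(index, node):
    """Neighbours of `node` regardless of edge direction, as (label, peer)."""
    hits = set(index.get(node, ()))
    for src, edges in index.items():
        hits |= {(label, src) for label, peer in edges if peer == node}
    return sorted(hits)


if __name__ == "__main__":
    ip = "eclecticiq.com:8.8.8.8"
    print(outbound_links(build_index([FORWARD]), ip))   # one directed edge
    print(search_around(build_index([FORWARD]), ip))    # either direction
```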

