Subject: Re: [cti-stix] Report object approaches
The kind_of_relationship value won't need to be set in option #2 as the array of idref values directly assert that the objects are in the report. So we can do away with the 'contains' relationship in the report if we want. I do agree that we will likely need another grouping object. I had proposed a Tag/label object in the past to be used in this way, but maybe this is a discussion for later in the year.
Cheers
Terry MacDonald

I think that what this really boils down to is folks currently defining Report differently than it has been to date.
It was actually originally requested to serve more of a dynamic aggregation function to say “hey, this set of things are related in this way” (e.g. a set of Indicators for a recently discovered malware). I had pointed out that it could also be used for more explicit subclasses of this sort of aggregation use case, ones where you are actually asserting a more formal report (and eventually you could maybe generate your report document from the STIX Report). We then defined the 1.X Report object to serve these roles.
I am now hearing many people asserting that Report should be viewed ONLY as the latter formal, point-in-time report document and something else would be needed for the original more dynamic aggregation use cases.
If we do redefine Report this way then we will need a new object for the looser context aggregation.
Either way, Rich P is likely correct in that “contains” is likely not a great value for the kind_of_relationship. We should think about potentially better options.
sean
From: Rich Piazza <rpiazza@mitre.org>
Date: Thursday, February 18, 2016 at 2:21 PM
To: "ppatrick@isightpartners.com" <ppatrick@isightpartners.com>, "Barnum, Sean D." <sbarnum@mitre.org>, John Wunder <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: RE: [cti-stix] Report object approaches
I think we are very close to reaching consensus on the Report object.
Although as I mentioned to Sean in another email – if we use the Relationship object to express the confidence of something being related to the report – we don’t name the relationship “report contains”, since I think the id-ref list in the report will completely specify what TLOs are contained/discussed/related to the report. What you want to express is not the confidence that a TLO is contained in the report, but that you are asserting something about that TLO’s inclusion.
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Paul Patrick
+1 with Sean’s both with going with #2, since it doesn’t preclude the ability to express confidence, etc.
In addition, it is critical that report maintain the support for ‘intents’ as we generate very different types of reports with very different intents.
Paul Patrick
Chief Architect
iSIGHT Partners
From: <cti-stix@lists.oasis-open.org> on behalf of "Barnum, Sean D." <sbarnum@mitre.org>