

Subject: Re: [cti-stix] Report object consensus


I added my answers to 1-4 as comments on the doc itself.

Basically they are
  1. I am fine with single field but would not object to multiple if people like that better
  2. I definitely think that confidence should be here since a report is an assertion that a set of STIX content shares some context
  3. Making Title required makes sense for reports
  4. I definitely think that intents should be on reports in order to easily categorize what sorts of reports they are. I know this aligns with the way reports are currently done in the real world.
sean

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, February 23, 2016 at 2:36 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Report object consensus

All,

Based on the e-mail discussion last week, it seemed like consensus was to have a list of references to content within the report object rather than to use relationships. Given that, we updated the content in the pre-draft specification, which you can find here: https://docs.google.com/document/d/1U48DOJzh2qELOEhhVWz_G6hL0Bazx1Y52wpOeR8jaVk/edit#heading=h.tmlyjpfh5924

We do still have a couple open questions:
  1. Is it better to have one list of references (as we have in the text above), or multiple lists as we do in package? In other words, do we have one field called report_contains_ref and it has references to indicators, relationships, threat actors, etc. or do we have a field for indicator_refs, another for relationship_refs, another for threat_actor_refs, etc. We’ll also need to decide on the exact field names to use in either scenario.
  2. Is there a need for a confidence field on report? It wasn’t there in 1.2, so this would be an addition, but at least Sean has noted that it would be useful.
  3. Should title be required?
  4. In STIX 1.2, there was a report intents field as a controlled vocabulary. Do we need this field, and if so, what should the list of values be? You can see this text now in the playground doc: https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.8rupwbdhhtsj
Thoughts?

FWIW, my answers are:
  1. Single field
  2. I can’t think of a reason to include it, but I’m not really opposed. If we do include it we just need to clearly and carefully specify what the confidence field is describing confidence for: that the collection of things are related in some way, that the collection of things belong to that title, etc.
  3. Yes.
  4. Probably useful, and we need to think about what type of values we want to put in there. The current list of values is a mess.
John
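
The two layouts in question 1, as an added example that is not part of the original thread or the draft specification: it converts a report between the single `report_contains_ref` list and per-type lists such as `indicator_refs` and `threat_actor_refs`, and shows the extra consistency check the per-type layout needs. Assumptions: references use the `<object-type>--<UUID>` identifier form of STIX 2.x (the thread states no identifier format), per-type field names are derived from the type name, and the helper names and sample report are hypothetical.

```python
import re
from collections import defaultdict

# Assumption: references use the "<object-type>--<UUID>" identifier form of
# STIX 2.x; the thread itself does not state an identifier format.
ID_RE = re.compile(
    r"^([a-z]+(?:-[a-z]+)*)--"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
SINGLE = "report_contains_ref"  # field name quoted in question 1

def field_for(ref):
    """Per-type field for a reference, e.g. threat-actor--... -> threat_actor_refs."""
    m = ID_RE.match(ref)
    if not m:
        raise ValueError(f"malformed reference: {ref!r}")
    return m.group(1).replace("-", "_") + "_refs"

def split_refs(report):
    """Single list -> per-type lists. Ordering across types is lost."""
    out = {k: v for k, v in report.items() if k != SINGLE}
    grouped = defaultdict(list)
    for ref in report.get(SINGLE, []):
        grouped[field_for(ref)].append(ref)
    out.update(grouped)
    return out

def merge_refs(report):
    """Per-type lists -> single list, rejecting a reference filed under the wrong field."""
    out, merged = {}, []
    for key in sorted(report):
        if not key.endswith("_refs"):
            out[key] = report[key]
            continue
        for ref in report[key]:
            if field_for(ref) != key:
                raise ValueError(f"{ref!r} does not belong in {key}")
            merged.append(ref)
    out[SINGLE] = merged
    return out

# Constructed sample report; the UUIDs are made up for illustration.
REPORT = {
    "title": "Constructed example report",
    SINGLE: [
        "indicator--11111111-1111-4111-8111-111111111111",
        "threat-actor--22222222-2222-4222-8222-222222222222",
        "indicator--33333333-3333-4333-8333-333333333333",
    ],
}
```

The single list cannot hold a reference under the wrong type, while the per-type layout has to be validated for it; the per-type layout in turn drops the relative order of references of different types.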

