1. Prefer 1 list of references instead of separation by type.2. Confidence should be an option applied to all information in the data-model. So - yes it should be an option if the provider wishes to provide it. 3. Yes 4. Not sure the value of intents field.
All,
We do still have a couple open questions:
- Is it better to have one list of references (as we have in the text above), or multiple lists as we do in package? In other words, do we have one field called
report_contains_ref and it has references to indicators, relationships, threat actors, etc. or do we have a field for
indicator_refs, another for relationship_refs, another for threat_actor_refs, etc. We’ll also need to decide on the exact field names to use in either scenario.
- Is there a need for a confidence field on report? It wasn’t there in 1.2, so this would be an addition, but at least Sean has noted that it would be useful.
- Should title be required?
- In STIX 1.2, there was a report intents field as a controlled vocabulary. Do we need this field, and if so, what should the list of values be? You can see this text now in the playground doc: https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.8rupwbdhhtsj
Thoughts?
FWIW, my answers are:
- Single field
- I can’t think of a reason to include it, but I’m not really opposed. If we do include it we just need to clearly and carefully specify what the confidence field is describing confidence for: that the collection of things are related in some way, that the
collection of things belong to that title, etc.
- Yes.
- Probably useful, and we need to think about what type of values we want to put in there. The current list of values is a mess.
John
|