My answers:
- Single field containing a list of references, but we also need to decide if we want to include the Identity ID along with the Object ID for each reference. The reason I say that is that we either need to mandate:
  - That the objects referred to in a Report object need to be sent to all recipients of the report (not necessarily in the same package), or
  - We need to include the Identity ID as well as the Object ID in each individual reference so that the Object lookup by ID process will work: https://docs.google.com/drawings/d/1dXGJTWhInAshktrCiOjF4zcVZb8WJIDaL22WeUnt8zE/pub?w=626&h=573
- I don’t think we need confidence. The report creator will have their own level of confidence that needs to be reached for them to decide to include the object in the report. It will have already reached that level in order for the information to be added. They are also 100% confident that the linked objects are related to the report because they put them in there.
- Yes for a report.
- I’m not so sure. The fact that people aren’t clamouring for this option means that it probably isn’t required. I’ve only heard ‘um, yeah, I suppose – we had it before’ which isn’t a sign that it is really required. My vote is to leave it out.
Cheers
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Wunder, John A.
Sent: Wednesday, 24 February 2016 6:36 AM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Report object consensus
We do still have a couple open questions:
- Is it better to have one list of references (as we have in the text above), or multiple lists as we do in package? In other words, do we have one field called report_contains_ref and it has references to indicators, relationships, threat actors, etc. or do we have a field for indicator_refs, another for relationship_refs, another for threat_actor_refs, etc. We’ll also need to decide on the exact field names to use in either scenario.
- Is there a need for a confidence field on report? It wasn’t there in 1.2, so this would be an addition, but at least Sean has noted that it would be useful.
- Should title be required?
- In STIX 1.2, there was a report intents field as a controlled vocabulary. Do we need this field, and if so, what should the list of values be? You can see this text now in the playground doc: https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.8rupwbdhhtsj
Single field
-
I can’t think of a reason to include it, but I’m not really opposed. If we do include it we just need to clearly and carefully specify what the confidence field is describing confidence for: that
the collection of things are related in some way, that the collection of things belong to that title, etc.
-
Yes.
-
Probably useful, and we need to think about what type of values we want to put in there. The current list of values is a mess.