OASIS Mailing List Archives

cti-stix message


Subject: STIX Minigroups/Activity

Hey everyone,

I’ve been noticing a LOT of awesome activity on the STIX side and I just wanted to send out an e-mail to say how exciting it is. Having so many people talking about TTP, campaign, packaging, and i18n is an awesome sign for how mature this TC is. I also wanted to send out a quick summary of all the activity so everyone knows what’s going on:

There’s a subgroup on packaging, where we had general agreement to rename package to bundle and remove it as a TLO (it just becomes a container for TLOs). There’s still a conversation (yet to be scheduled) about whether to add an ID to package. Allan Thompson will be scheduling that meeting.

This will likely require rewriting data markings, if we remove package-level markings.

There’s an active campaign mini-group in Slack but there haven’t been any phone calls. A few people there also talked about a new “assertion” object, that probably needs to be discussed on a working call.

There’s an active TTP mini-group with a lot of discussion. Most of it seems to be in the very early stages.

Identity / Target / Victim / Threat Actor
There’s no mini-group yet for this, but definite interest from a few people to work on it.

There was a proposal and general agreement at the F2F to a proposed approach, but some of the details need to be finalized and agreed to on the list. I’ll take an action item to write up this approach, solidify the open questions, and bring it back to the list (with help from the mini-group).

A channel was created, but there hasn’t been a ton of activity.

Data Markings
Mostly complete, but we still need:

- To determine if level 2 (granular) data markings are MVP. I think we need someone to affirm that the approach will work and develop a prototype to prove it.
- To be updated to remove package-level markings, if that’s what the packaging group decides

Potentially broader than STIX. Lots of e-mail traffic, not a lot of consensus. Ryu will be leading a mini-group on this towards the middle of May.

Sightings, Observation, Indicator
Had some good agreement at the face to face, but the approach needs a few more examples and we need to get broad consensus. This includes indicator type vocabulary, which I think is very close.

Draft Specification Language
Identifier will go to a vote. Timestamp, timestamp precision, and custom properties have a motion to move to draft by unanimous consent. As we finalize other topics we can start to move them to review and draft as well.

Also just as a caution (we’re not there yet IMO) we need to make sure to bring topics to a close. This is mostly on the co-chairs (*looks around nervously*) and editors but we need your help too to help us write draft text and finalize things. So my ask is nothing specific, just keep this in mind as we work on these topics. I’ll be pinging people on Slack soon to help me get some good draft text to run by the rest of the community on versioning and the indicator type vocab. Maybe we can do the same shortly with packaging, data markings, sightings/observation/indicator, and i18n.

