
cti-stix message



Subject: Action items & topics, 5/31 Working Call


All,

 

Jane will send out more complete notes, but here’s some action items and topics out of the working call. Thanks again to everyone for dialing in, we’re making a ton of progress on these calls and in the docs.

 

We’ll get out an agenda for next week’s call later in the week. Please let me or the other co-chairs know if you have any topics to discuss…Allan has already come to me with one.

 

John

 

--

 

Ready for Formal Consensus

The following topics are just about at the point where we can make motions to consider them consensus:

 

1. Boolean
2. List
3. Number
4. IDs and References
5. Object Creator
6. Report TLO

 

Please review those sections (1-5 are in the “Core Concepts” document, Report TLO is in the “TLOs” document)…assuming there are no dealbreakers by COB ET tomorrow (about 30 hours from now) I’ll make a motion to consider them “consensus” status by unanimous consent.

 

Action items:

- Review the concepts listed above, provide suggestions, and in particular point out any deal breakers.

 

Final Review

The following topics may need a bit more work, but should very soon be at the point where we can make similar motions:

1. Open Vocabularies
2. Controlled Vocabularies
3. Vocabulary Extension
4. Versioning
5. Object Level Markings

 

These can all be found in the “Core Concepts” document. If we don’t get any dealbreakers by this Friday I’ll make a motion to consider them “consensus”.

 

Action items:

- Review the concepts listed above, provide suggestions, and in particular point out any deal breakers.

 

Bundle - https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.c9oxowopqs2

Bundle is getting very close to the point where we can move it to final review. There are just a few open questions, which I’ll include in a separate e-mail.

 

Action Items: See separate e-mail.

 

Indicator Labels - https://docs.google.com/document/d/13TuudUtGur9d68VewJW2t_mdEWkpdorNMZDZHCeqAEU/edit#heading=h.a50wvo4z81ef

Topic has been discussed at length, but we need to finalize the list so we can accept it. I’ll send out a separate e-mail on this topic.

 

Action items: See separate e-mail.

 

Campaign - https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.pcpvfz4ik6d6

We talked through the fields on campaign and had good consensus that the structure as currently defined is the way to go. This means having “motive” as a list of open-vocab values, pulling from the previous threat-actor-motivation-vocab, and “objective” as a list of string/text values (in addition to title, description, and other fields).

 

Action items:

- Please review and make suggestions to the motivation vocab (https://docs.google.com/document/d/13TuudUtGur9d68VewJW2t_mdEWkpdorNMZDZHCeqAEU/edit#heading=h.ipfy6p88c7ju).
- If you have any further objections to the object as defined, bring them up on the list. Otherwise we’ll continue to improve it and get ready for a motion next week.

 

Intrusion Set - https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.bjbu0dy8lyl6

Gary again talked through the definition of intrusion set and how it differs from campaigns, threat actors, and reports. At this point there’s certainly enough interest that we should continue working on it.

 

Action Items:

- Please make suggestions for fields and relationships in the Google Doc.
- Think about whether the object is a good 2.0 MVP candidate for a future call/e-mail. We should make an in/out decision by next week.

 

Kill Chains

We didn’t discuss this topic due to time constraints.

 

Action items:

- See my previous e-mail, and in particular if you disagree, please respond.

 

External IDs

Rich P. talked through his e-mail on a new approach for external IDs. Allan commented that he liked the general approach and would like to make it as minimal as possible.

 

Action items:

- See Rich P’s e-mail from earlier today and answer the questions with your recommendations.

 

TTPs

We didn’t get to this topic. We can work through more on the e-mail lists and Slack through the week.

 


