Subject: Re: [cti-stix] external-references keywords


The reason I brought it up is if we could combine the semantics, it would allow people to optionally EMBED the external resource into the STIX document.

This may be desired in some situations
- where these external resources are subject to change and you want to ensure your document contains the current state at the time the document was created, in addition to the external URI.
- where the external resource is proprietary / internal and thus can't be accessed by others, but you are OK sharing the content.

JIRA is a good example of this. What if I add an external reference to a JIRA or Bugzilla entry living at https://10.0.0.1/ and share that? That external reference is useless to everyone. But maybe I want to also EMBED the content in my document, to make it not useless. The "Artifact" CybOX object has this capability.


-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: John-Mark Gurney <jmg@newcontext.com>
Cc: "Wunder, John A." <jwunder@mitre.org>, Jason Keirstead/CanEast/IBM@IBMCA, "Piazza, Rich" <rpiazza@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 05/31/2016 06:40 PM
Subject: Re: [cti-stix] external-references keywords





I agree, they are separate things in different domains.  So it should not be an issue.

Bret

Sent from my Commodore 64

> On May 31, 2016, at 2:13 PM, John-Mark Gurney <jmg@newcontext.com> wrote:
>
> Wunder, John A. wrote this message on Tue, May 31, 2016 at 19:54 +0000:
>> It does have some overlap, in the sense that you can pass a URL, but the primary purpose of the artifact object seems to be actually providing the content (either as a URL to download it from or as an encoded payload) while this type seems mostly about referencing other content (I would not expect a tool consuming these references to automatically download the content at the URL). So they seem differentiated enough to me to not worry about it...
>
> I agree, there are differences, and they are also in different domains.
> The differences being that external reference is not as free form as
> an Artifact is...  An external reference is a domain id + identifier,
> while an Artifact is just a byte stream.
>
> External references is a STIX concept, and Artifact is a CybOX object.
>
>> From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
>> Date: Tuesday, May 31, 2016 at 2:02 PM
>> To: Rich Piazza <rpiazza@mitre.org>
>> Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
>> Subject: Re: [cti-stix] external-references keywords
>>
>>
>> FWIW, external_reference seems to have a lot of overlap with the Cybox Artifact object (see https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.3py86bmi9w34 )
>>
>> Could there be some unification here?
>>
>> -
>> Jason Keirstead
>> STSM, Product Architect, Security Intelligence, IBM Security Systems
>> www.ibm.com/security | www.securityintelligence.com
>>
>> Without data, all you are is just another person with an opinion - Unknown
>>
>>
>>
>> From: "Piazza, Rich" <rpiazza@mitre.org>
>> To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
>> Date: 05/31/2016 02:44 PM
>> Subject: [cti-stix] external-references keywords
>> Sent by: <cti-stix@lists.oasis-open.org>
>>
>> ________________________________
>>
>>
>>
>> Hi everyone,
>>
>> I think these four keywords would cover all of the external reference details. I've included some examples below. Can anyone think of some external reference that couldn't be specified using these keywords?
>>
>> Rich
>>
>>
>>
>> external_references: array of {
>> description : string
>> external_id: string
>> source: ov?
>> url: url
>> }
>>
>> Any combination is legal
>>
>> Examples:
>>
>> CAPEC:
>>
>> [ { "source": "capec", "external_id": "capec-550" } ]
>>
>> CAPEC with URL
>>
>> [ { "source": "capec", "external_id": "capec-550", "url": "http://capec.mitre.org/data/definitions/550.html"} ]
>>
>> APT1:
>>
>> [{ "description": "APT1 report", "url": "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"}]
>>
>> VERIS:
>>
>> [{"source": "veris", "external_id": "00C84D6A-CDB8-4A5B-A1A6-0D75A65274D7"}]
>>
>> Jira:
>>
>> [{"source": "jira", "external_id": "TAB-1370", "url": "https://issues.oasis-open.org/browse/TAB-1370"}]
>
>
>
> --
> John-Mark
>
>
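
An added example, not part of the thread and not code from any participant: a pre-share check over the external_references shape proposed in the quoted message. It flags entries that use keys outside the four proposed keywords and entries whose URL sits on a private, loopback or link-local address, which is the https://10.0.0.1/ case raised in the reply. The function names and the sample entries are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# The four keywords proposed in the quoted message; any combination is legal.
ALLOWED_KEYS = {"description", "external_id", "source", "url"}


def host_is_non_public(url):
    """True when the URL's host is an IP literal recipients cannot route to."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: reachability cannot be judged offline
    return addr.is_private or addr.is_loopback or addr.is_link_local


def review_external_references(refs):
    """Return (index, finding) pairs for entries worth a look before sharing."""
    findings = []
    for i, ref in enumerate(refs):
        unknown = sorted(set(ref) - ALLOWED_KEYS)
        if unknown:
            findings.append((i, "unknown keys: " + ", ".join(unknown)))
        if not any(ref.get(k) for k in ALLOWED_KEYS):
            findings.append((i, "empty reference"))
        url = ref.get("url")
        if url and host_is_non_public(url):
            findings.append((i, "url host is not publicly routable"))
    return findings


# Constructed sample: two entries from the quoted examples plus the
# internal-tracker case from the reply (the EXAMPLE-1 id is made up).
SAMPLE = [
    {"source": "capec", "external_id": "capec-550"},
    {"source": "jira", "external_id": "TAB-1370",
     "url": "https://issues.oasis-open.org/browse/TAB-1370"},
    {"source": "jira", "external_id": "EXAMPLE-1", "url": "https://10.0.0.1/"},
    {"title": "not one of the four keywords"},
]

if __name__ == "__main__":
    for index, finding in review_external_references(SAMPLE):
        print(index, finding)
```

A flagged URL is a prompt to either drop the locator or carry the referenced content with the document, as the reply suggests.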





