Subject: RE: [cti-stix] Report object
Not that I feel that strongly about this, but this feature seems more like a “nice to have” rather than MVP.

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Allan Thomson

Bret/Terry – publication date (or distribution date) is something that can be applied to multiple TLOs in STIX. Not just a report. If we are going to add such an attribute, then I would suggest that we consider adding this as an optional attribute to the common TLO attributes and not specific to reports.

allan

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>

After talking it over with Bret earlier today I would agree. The idea was that the following timeline could be tracked, using a combination of created_date, modified_date, and the (suggested) published_date...

· Bob is preparing a publication for the next RSA conference because his boss told him to. He creates a Report object, and the created_date is set.
· Bob and his colleague Rita add objects to the Report object in preparation for the publication date. They both update the Report object, and each time the revision is increased, and the modified_date is set.
· The RSA conference is tomorrow. Bob is just about to distribute the Report object out to their public TAXII server, so he sets the published_date, increments the revision number, sets the modified_date, and then pushes the object to the public server.
· 2 weeks later Bob finds out that they accidentally included an Observation object in the report that was for another threat actor. Bob removes that Observation object from the Report object, increments the revision number, sets the modified_date, and then pushes the object to the public server. The published_date stays at the date that the Report was first made public. Even though an 'Errata' has been published, this is not tracked through the published_date.

Does that clarify usage? What do people think? My opinion: I think it's a good idea.

Cheers
Terry MacDonald | Chief Product Officer

On Wed, Jun 1, 2016 at 11:42 AM, Jordan, Bret <bret.jordan@bluecoat.com> wrote: