Re: [cti-stix] Report object

["Jordan, Bret" <bret.jordan@bluecoat.com>]

I think this is simple enough that it can easily be MVP for the Report TLO .  Further  I think for sure it is needed for the Report TLO.  We can add it for the rest of the TLOs if needed in the Winter release.  

Bret 

Sent from my Commodore 64

On Jun 1, 2016, at 7:36 AM, Piazza, Rich <rpiazza@mitre.org> wrote:

Not that I feel that strongly about this, but this feature seems more like a “nice to have” rather than MVP. 

 

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Allan Thomson
Sent: Wednesday, June 01, 2016 9:11 AM
To: Terry MacDonald <terry.macdonald@cosive.com>; Jordan, Bret <bret.jordan@bluecoat.com>
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Report object

 

Bret/Terry – publication date (or distribution date) is something that can be applied to multiple TLOs in STIX. Not just a report.

 

If we are going to add such an attribute, then I would suggest that we consider adding this as an optional attribute to the common TLO attributes and not specific to reports.

 

allan

 

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Wednesday, June 1, 2016 at 3:18 AM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Report object

 

After talking it over with Bret earlier today I would agree. The idea was that the following timeline could be tracked, using a combination of created_date, modified_date, and the (suggested) published_date...

 

·         Bob is preparing a publication for the next RSA conference because his boss told him to. He creates a Report object, and the created_date is set

·         Bob and his colleague Rita add objects to the Report object in preparation for the publication date. They both update the Report object, and each time the revision is increased, and the modified_date is set

·         The RSA conference is tomorrow. Bob is just about to distribute the Report object out to their public TAXII server, so he sets the published_date, increments the revision number, sets the modified_date, and then pushes the object to the public server.

·         2 weeks later Bob finds out that they accidentally included an Observation object in the report that was for another threat actor. Bob removes that Observation object from the Report object, increments the revision number, sets the modified_date, and then pushes the object to the public server. The published_date stays at the date that the Report was first made public. Even though an 'Errata' has been published, this is not tracked through the published_date.

 

Does that clarify usage? What do people think?

 

My opinion: I think its a good idea.

Cheers

 

Terry MacDonald | Chief Product Officer

 

<image001.png>

 

M: +61-407-203-026

E: terry.macdonald@cosive.com

W: www.cosive.com

 

 

 

 

On Wed, Jun 1, 2016 at 11:42 AM, Jordan, Bret <bret.jordan@bluecoat.com> wrote:

Really briefly, I have been thinking about our report object and I think we should define an optional field called "published_date" to capture the marketing / PR date that the report was published.

Bret

Sent from my Commodore 64
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php