Just to push on this conversation a bit…
- Bret and Terry think this object should be added to just Report
- Allan thinks it should be added to all TLOs
What do others think? Without a little more support here I’m not sure it’s possible to justify it for an MVP release…we can always put it in the hopper for 2.1.
John
From: Allan Thomson <athomson@lookingglasscyber.com>
Date: Monday, June 6, 2016 at 9:54 PM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "Wunder, John A." <jwunder@mitre.org>
Cc: Rich Piazza <rpiazza@mitre.org>, Terry MacDonald <terry.macdonald@cosive.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Report object
Bret – isn’t a report object really just a container that points to a set of other TLOs?
If that is the case then I think the report creators are likely going to want to create the composite parts at the same time as the report and publish all at the same time (most of the time).
I continue to believe that having the option of a distribution/publication date on all objects is a better way to go from an object-oriented design perspective; support the option of distribution time on all objects; as well as simplifying the definition of STIX 2.0 by having one definition in one place.
So I support the concept but would prefer it as an option on all TLOs if a vendor or organization wants to use.
allan
From: "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Monday, June 6, 2016 at 6:46 PM
To: "Wunder, John" <jwunder@mitre.org>
Cc: "Piazza, Rich" <rpiazza@mitre.org>, Allan Thomson <athomson@lookingglasscyber.com>, Terry MacDonald <terry.macdonald@cosive.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Report object
I will try and be there, but I may miss the meeting. I really think for the report object this will be needed. The report object more than anything else will probably have a gating event with marketing and PR. So having this additional date will probably be very helpful so we do not get errant revisions of objects or new objects just to fix the created by date.
Bret
Sent from my Commodore 64
Let’s add this to the list for the call tomorrow. It seems like an easy thing to give a yes/no on. I honestly have no preference myself.
I think this is simple enough that it can easily be MVP for the Report TLO. Further I think for sure it is needed for the Report TLO. We can add it for the rest of the TLOs if needed in the Winter release.
Bret
Sent from my Commodore 64
Not that I feel that strongly about this, but this feature seems more like a “nice to have” rather than MVP.
Bret/Terry – publication date (or distribution date) is something that can be applied to multiple TLOs in STIX. Not just a report.
If we are going to add such an attribute, then I would suggest that we consider adding this as an optional attribute to the common TLO attributes and not specific to reports.
allan
After talking it over with Bret earlier today I would agree. The idea was that the following timeline could be tracked, using a combination of created_date, modified_date, and the (suggested) published_date...
- Bob is preparing a publication for the next RSA conference because his boss told him to. He creates a Report object, and the created_date is set
- Bob and his colleague Rita add objects to the Report object in preparation for the publication date. They both update the Report object, and each time the revision is increased, and the modified_date is set
- The RSA conference is tomorrow. Bob is just about to distribute the Report object out to their public TAXII server, so he sets the published_date, increments the revision number, sets the modified_date, and then pushes the object to the public server.
- 2 weeks later Bob finds out that they accidentally included an Observation object in the report that was for another threat actor. Bob removes that Observation object from the Report object, increments the revision number, sets the modified_date, and then pushes the object to the public server. The published_date stays at the date that the Report was first made public. Even though an 'Errata' has been published, this is not tracked through the published_date.
Does that clarify usage? What do people think?
My opinion: I think it's a good idea.
Terry MacDonald | Chief Product Officer
On Wed, Jun 1, 2016 at 11:42 AM, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
Really briefly, I have been thinking about our report object and I think we should define an optional field called "published_date" to capture the marketing / PR date that the report was published.
Bret
Sent from my Commodore 64