[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [cti-stix] Re: Reviewing External-Reference
Hi Bret, If we were just supporting external_ids, I would probably agree with you – but we are supporting external references also (URLs). Before this proposal was made,
external_reference was a full-fledged TLO, which any other TLO could have a relationship with – so this enables us to handle that use case. BTW, in the examples I included several uses which were not Attack Pattern related: Incident referring to a JIRA or VERIS external id, Report referring to a
PDF report (I know Incident isn’t in MVP – yet J ). Rich From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Jordan, Bret That is fine... But can we get an explanation of how it would be used or how it would make sense for all TLOs not just a subset of the TLOs? The only one
I have heard an example for is Attack Pattern and that is so you can link against a CAPEC ID. How would this be used for each of the following: Campaign Course of Action Identity Indicator Malware Marking Definition Observation Relationship Report Sighting Threat Actor I think it will be a huge stretch to justify it for Relationship, Marking Definition and maybe even Report if not also some of the others. Bret
From:
cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org> I come at this from the opposite perspective I think. Back in STIX 1.2, we had this field in two places: Indicator and Incident. In Indicator
it was called Alternative_IDs and in Incident it was called External_IDs. At that time we had an issue to add it to Observable (now Observation) as well:
https://github.com/CybOXProject/schemas/issues/386. Lastly, based on those usages and the intent to use it on Vulnerability and Attack Pattern, we added a ticket to just make
it consistent across all objects:
https://github.com/STIXProject/schemas/issues/358. We discussed it back in February as part of the core object properties discussion (http://markmail.org/message/4jqzqj4mdoqygbk2?q=external+reference+list:org%2Eoasis-open%2Elists%2Ecti+date:201602+&page=1#query:external%20reference%20list%3Aorg.oasis-open.lists.cti%20date%3A201602%20+page:1+mid:zfwhga2ayoosjblh+state:results)
and decided at that point to add it. It was discussed in the context of the Report and Sighting object at that point (on both the CTI list and the CTI STIX list).
Later on, we altered course a bit and rather than having it as a property on all TLOs we added “External Reference” as a separate TLO and
said we would use relationships for this concept and so it was removed. Now that we’re moving back to having it as properties, in my opinion we should just move it back to what we discussed previously and add it across all TLOs. It’s more consistent that way
and is a change based on actual experience with an inconsistent approach in STIX 1.2. So, long story long, I think we should add it across all TLOs. John From:
<cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com> I would prefer that we only add things to the Common TLO Properties section once we know that it is in fact needed on every TLO. I do not want to just artificially
add things to TLOs that may never need them. So lets use the external-reference type for Attack Pattern and see if anything else needs it in the future. My guess is that only a small handful of things
will actually end up needing it. Bret From:
cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Piazza, Rich <rpiazza@mitre.org> When reviewing the External Reference type (https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.cez46v5quobo
), please consider the usages of it. In the original proposal, as discussed on a previous working call, it was suggested that
external_references be added as a Common TLO field.
However, the Common TLO section’s status was already “Consensus”, so your humble editors didn’t want to change that text without discussion. An alternative is to only include it for particular TLOs. It originally was discussed by John Wunder as a way to support external_ids like
CAPEC. Therefore, it would be make sense for it to be a field of Attack Pattern, for instance. However, it was broadened to include URLs, so it was thought that all TLOs might need this concept. So…… …as we finalize External References, we must also approve how it is used. The choices are: ·
external_references is a Common TLO field ·
external_references is a field on a TLO if there is an explicit use case for it (e.g., Attack Pattern). |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]