+1
Providing a generic tag mechanism would allow for a given organization to annotate intelligence specific to their operational workflows and have that context/metadata transmitted via STIX. As a tool developer, being able to consume/maintain that context as an opaque value allows my tool to remain relevant within that operational environment without having to know about it a priori.
$0.02
Sent: Thursday, June 30, 2016 8:57 AM
To: Terry MacDonald
Cc: John A. Wunder; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Labels on STIX TLOs
Myself, I would prefer that "tag" or "labels" be added to the base TLO Common Properties instead of having special properties for many TLOs but for some other TLOs we do not have any label / tag method.
Analysts should be able to tag / label anything in STIX with anything they want. This facility will help them be able to quickly "look up" and categorize objects.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Terry MacDonald
---06/29/2016 06:58:00 PM---I don't like the labels field myself. I would prefer the addition of a genetic tag TLO. The communit
From: Terry MacDonald <terry.macdonald@cosive.com>
To: "John A. Wunder" <jwunder@mitre.org>
Cc: cti-stix@lists.oasis-open.org
Date: 06/29/2016 06:58 PM
Subject: Re: [cti-stix] Labels on STIX TLOs
Sent by: <cti-stix@lists.oasis-open.org>
I don't like the labels field myself. I would prefer the addition of a genetic tag TLO. The community does prefer the labels field however, and so...
I would make the label field optional, and leave it applied just to the objects we can make a case for. I would worry about using it everywhere, as that will restrict us in the future if we decide to make it more specific to each object. Having
one list across all objects would worry me that we are restricting our choices later on.
Cheers
Terry MacDonald
Cosive
On 30/06/2016 01:24, "Wunder, John A." <jwunder@mitre.org> wrote:
-
All,
One of the topics that came up across several items on the call yesterday was the “labels” field that currently exists on Indicator, Malware, and Tool. The field is an array of values from an open vocabulary (indicator-label-ov, malware-label-ov, and tool-label-ov respectively).
We have a couple of open questions:
1. Should the labels field be required or optional?
-
a. If we make labels required, do we need to add a value of “other” to the vocabulary? This will help tools/users who can’t find an existing value in the vocabulary that works but don’t want to make one up.
-
a. Allan has suggested adding it across all top-level objects. Does that make sense, or should we consider it on a case-by-case basis?
b. Allan also suggested that if we don’t add it across all top-level objects, it should be added to Campaign. Are there other TLOs that we should add it to, even if we don’t add it across all of them?
To be honest I don’t really have a strong opinion either way. What do you think?
John