cti-stix message

Subject: Re: [cti-stix] Clarifications to Observed Data


Much clearer John.

Cheers
Terry MacDonald
Cosive


On 28 Oct. 2016 9:22 am, "Wunder, John A." <jwunder@mitre.org> wrote:

Hey everyone,

I know we’ve beaten Observed Data to death in the past, and I promise I’m not going to bring up actual changes. Instead, I want to propose some textual changes that more clearly describe what Observed Data is supposed to represent.

Basically, Observed Data needs to represent multiple objects because of the way CybOX relationships work…to describe some network traffic you need to use a Network Traffic object, plus the source and destination IPv4 address objects (3 objects total). So Observed Data needs to be able to contain multiple objects to support that, but the intent was that those objects should all be related in some way. You wouldn’t, for example, want to put in a dozen IP address objects that are totally unrelated…but that wasn’t as clear as it could have been in the specification.

Long story short, I have some proposed updates that I worked through with some MITRE folks and ran past Bret: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.p49j1fwoxldc. It clarifies (I hope) some language to better specify that Observed Data should represent a single “fact” (yes, fact is a bad word, but you get the idea). There are a few changes, but the most important is the statement that all objects in an Observed Data instance MUST be related to each other in some way.

From the specification:

- The Cyber Observable content MAY include multiple objects if those objects are related as part of a single observation. Multiple unrelated objects (objects not related to each other directly or indirectly via CybOX Relationships) MUST NOT be contained within the same Observed Data instance.

- For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. Two unrelated IPv4 address objects that just happened to be observed at the same time, however, must be represented in separate Observed Data instances.

Please review this text and let me know if you have any concerns. Hopefully it’s clearer than what we had before.

Thanks,

John
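As an added illustration of the "all objects MUST be related" rule quoted in the message above (this is not part of the thread and not STIX or CybOX project code), the following Python check treats the `objects` dictionary of a STIX 2.0-style Observed Data as a graph whose edges are the `*_ref` / `*_refs` properties, and accepts the instance only when every object is directly or indirectly connected. The `objects` layout, property names and sample addresses are assumptions constructed for the example.

```python
"""Relatedness check for the Observed Data rule quoted above."""
from collections import deque

# Constructed example: a STIX 2.0-style Observed Data `objects` dictionary
# (keys are local identifiers; *_ref / *_refs values point at other keys).
# Addresses come from the RFC 5737 documentation ranges.
RELATED_OBJECTS = {
    "0": {"type": "ipv4-addr", "value": "198.51.100.10"},
    "1": {"type": "ipv4-addr", "value": "203.0.113.7"},
    "2": {"type": "network-traffic", "src_ref": "0", "dst_ref": "1",
          "protocols": ["ipv4", "tcp"]},
}

# Constructed counter-example: two addresses seen at the same time but not
# linked by any relationship, which the proposed text forbids.
UNRELATED_OBJECTS = {
    "0": {"type": "ipv4-addr", "value": "198.51.100.10"},
    "1": {"type": "ipv4-addr", "value": "203.0.113.7"},
}


def _adjacency(objects):
    """Undirected adjacency built from every *_ref / *_refs property."""
    adj = {key: set() for key in objects}
    for key, obj in objects.items():
        for prop, val in obj.items():
            if prop.endswith("_ref"):
                targets = [val]
            elif prop.endswith("_refs"):
                targets = list(val)
            else:
                continue
            for target in targets:
                if target not in adj:  # dangling reference is itself an error
                    raise ValueError(f"{key}.{prop} points at missing object {target!r}")
                adj[key].add(target)
                adj[target].add(key)
    return adj


def is_single_observation(objects):
    """True iff every object is reachable from every other via references."""
    if not objects:
        return False
    adj = _adjacency(objects)
    start = next(iter(adj))
    seen, queue = {start}, deque([start])
    while queue:  # breadth-first walk over the reference graph
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen) == len(adj)
```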


