cti-stix message

Subject: Moving forward with first_seen and last_seen


Hey everyone,

One of the topics we’ve been talking about recently is the addition of a field called “last_seen” to campaign and intrusion set. Allan suggested we add this field to correspond with the “first_seen” field that already existed on those objects. The field would be defined roughly as:

- last_seen: The time that this Campaign was last seen. This field is a summary field of data from sightings and other data that may or may not be available in STIX. If later sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data.

There’s been a lively discussion on the topic on both Slack and the last working call. On the working call, we didn’t hear any strong objections to adding it…the main concern was making sure that it was clear how it was different than having a sighting representing the same thing. On Slack and a while ago over e-mail, a few people have objected basically for that reason…because it seems like two ways of doing things (the other being sightings).

Here are some reasons why the fields should be included:

- Producers don’t have a good way of saying that they believe the campaign started at X (regardless of sightings from other producers) and ended at Y (regardless of sightings from other producers). All they can do is issue their own sightings, which are treated just like any other sighting.
- Content libraries and aggregators may want to say roughly when the campaign was observed (i.e. only during 2015). Letting them manually set some fields on the object to do that is easier than publishing what are essentially “fake” sightings (since they presumably didn’t see it themselves, but are aggregating data from many producers).
- If you get a campaign you would also have to get all sightings related to that campaign to know when it first was seen or last was seen (unless the producer has some way of giving you the “last seen” sighting at the same time, which would be extra TAXII or tool logic to support stuff in the STIX data model). That may be a huge number of sightings when really you just care about when it was active.

Here are some reasons the field shouldn’t be included:

- It would get out of date if the producer doesn’t regularly update it when it gets new sightings.
- You could have conflicting information, where the last_seen field on the campaign is earlier than the most recent sighting you have (either from the original producer or from others). Tools would need to figure out how to display this.
- It’s two ways of doing something, which we’ve tried very hard to avoid.
- Even if it isn’t actually two ways of doing something, it’s similar enough that people won’t understand the difference and will do it wrong.

I wanted to take a straw poll to get a sense of where the TC stands on this. Please weigh in, even if it’s just to say which number you agree with most!

1. Keep first_seen as a summary field, but do not add last_seen (status quo).
2. Add last_seen as a summary field with the above description or something similar (Allan’s proposal).
3. Do not add last_seen and remove first_seen, relying entirely on sightings.
4. Rename first_seen to first_active and add last_active (tentative names). This would help clarify that what you’re saying is what you – as the producer – think the lifetime of the campaign has been (aggregated from sightings and other data you might have, e.g. possibly ignoring sightings from producers you don’t trust).

I’d like to decide on this so we can finalize 2.0 RC4 prior to Christmas, so please weigh in, even if it’s just to say which number you agree with most! We’ll give it a few days and if we’re strongly leaning in one direction we’ll go ahead and make the change (unless anyone feels we need a ballot).

My vote: 4, then 2. I think summary fields are valuable, can be updated automatically by tools, and are especially important for higher-level objects like campaign. I think the first_active designation more accurately reflects what you want to say…yes, you may not KNOW that but this is intel and you don’t know a lot of things that you still want to say. It’s why we’ll eventually have confidence.

Thanks,

John
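As an added example (not code from this thread or from the STIX project) of the tool logic the "conflicting information" objection above implies: given a campaign carrying the proposed first_seen/last_seen summary fields and the sightings a consumer holds, derive the observed window from the sightings and flag a summary that is stale or contradicted. It assumes STIX 2.0 sighting objects with sighting_of_ref, first_seen and last_seen; the ids and timestamps are constructed.

```python
# Added example: reconcile a campaign's producer-asserted first_seen/last_seen
# with the sightings a consumer holds, so a stale summary is flagged, not trusted.
from datetime import datetime

def parse_ts(ts):
    """Parse a STIX RFC 3339 timestamp such as 2015-03-15T00:00:00.000Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def observed_window(campaign_id, sightings):
    """Earliest first_seen and latest last_seen over sightings of the campaign.
    Sightings without first_seen carry no time information and are skipped."""
    rel = [s for s in sightings
           if s.get("sighting_of_ref") == campaign_id and "first_seen" in s]
    if not rel:
        return None
    first = min(parse_ts(s["first_seen"]) for s in rel)
    last = max(parse_ts(s.get("last_seen", s["first_seen"])) for s in rel)
    return first, last

def check_summary(campaign, sightings):
    """Return findings where the summary fields disagree with the sightings."""
    findings = []
    window = observed_window(campaign["id"], sightings)
    if window is None:
        return findings
    first, last = window
    if "first_seen" in campaign and first < parse_ts(campaign["first_seen"]):
        findings.append("sighting predates first_seen")
    if "last_seen" in campaign and last > parse_ts(campaign["last_seen"]):
        findings.append("last_seen is stale: a later sighting exists")
    return findings

# Constructed sample data; the ids are placeholders, not real STIX objects.
CAMPAIGN = {
    "type": "campaign", "id": "campaign--11111111-1111-4111-8111-111111111111",
    "first_seen": "2015-04-01T00:00:00Z", "last_seen": "2015-12-31T23:59:59Z",
}
SIGHTINGS = [
    {"type": "sighting", "sighting_of_ref": CAMPAIGN["id"],
     "first_seen": "2015-03-15T00:00:00Z", "last_seen": "2015-06-30T00:00:00Z"},
    {"type": "sighting", "sighting_of_ref": CAMPAIGN["id"],
     "first_seen": "2015-11-02T00:00:00Z", "last_seen": "2016-01-10T00:00:00Z"},
    {"type": "sighting", "sighting_of_ref": "campaign--22222222-2222-4222-8222-222222222222",
     "first_seen": "2017-01-01T00:00:00Z"},  # a different campaign; ignored
]

if __name__ == "__main__":
    print(observed_window(CAMPAIGN["id"], SIGHTINGS))
    print(check_summary(CAMPAIGN, SIGHTINGS))
```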
