OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-stix] Moving forward with first_seen and last_seen


4 -> 2 -> 3 -> 1

regards

allan

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Wednesday, November 30, 2016 at 1:34 PM
To: "Mr. Stefan Hagen" <stefan@hagen.link>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen


My preference would be 1, 2.  IMHO 3 is bad and 4 is just confusing.



Bret

________________________________
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Mr. Stefan Hagen <stefan@hagen.link>
Sent: Wednesday, November 30, 2016 2:17:08 PM
To: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen

My preference chain is (like Sarah's): 1, 4, 2, 3 of:

1.      Keep first_seen as a summary field, but do not add last_seen (status quo)

2.      Add last_seen as a summary field with the above description or something similar (Allan’s proposal).

3.      Do not add last_seen and remove first_seen, relying entirely on sightings.

4.      Rename first_seen to first_active and add last_active (tentative names). This would help clarify that what you’re saying is what you – as the producer – think the lifetime of the campaign has been (aggregated from sightings and other data you might have, e.g. possibly ignoring sightings from producers you don’t trust)

All the best,
Stefan

<<attachment: winmail.dat>>



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]