Subject: Re: [cti-stix] Moving forward with first_seen and last_seen
4 -> 2 -> 3 -> 1

regards

allan

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Wednesday, November 30, 2016 at 1:34 PM
To: "Mr. Stefan Hagen" <stefan@hagen.link>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen

My preference would be 1, 2. IMHO 3 is bad and 4 is just confusing.

Bret

________________________________
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Mr. Stefan Hagen <stefan@hagen.link>
Sent: Wednesday, November 30, 2016 2:17:08 PM
To: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen

My preference chain is (like Sarah's): 1, 4, 2, 3 of:

1. Keep first_seen as a summary field, but do not add last_seen (status quo)
2. Add last_seen as a summary field with the above description or something similar (Allan’s proposal).
3. Do not add last_seen and remove first_seen, relying entirely on sightings.
4. Rename first_seen to first_active and add last_active (tentative names). This would help clarify that what you’re saying is what you – as the producer – think the lifetime of the campaign has been (aggregated from sightings and other data you might have, e.g. possibly ignoring sightings from producers you don’t trust)

All the best,
Stefan