Re: [cti-stix] Moving forward with first_seen and last_seen

["Jane Ginn - jg@ctin.us" <jg@ctin.us>]

My preference is 2>4>1>3

Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
jg@ctin.us

-------- Original Message --------
From: Allan Thomson <athomson@lookingglasscyber.com>
Sent: Wednesday, November 30, 2016 07:27 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>,"Mr. Stefan Hagen	" <stefan@hagen.link>,"cti-stix@lists.oasis-open.org	" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen

I think so.

Also I would suggest to make it clear that for folks that voted on 1 that the field will be optional so if you don’t care to support it in your products/implementations then you don’t have to.

allan

From: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Wednesday, November 30, 2016 at 2:02 PM
To: Allan Thomson <athomson@lookingglasscyber.com>, "Mr. Stefan Hagen" <stefan@hagen.link>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen


So if we zero out all the 1 -> 2 with the 4 -> 2 people, that leaves us with "2" as the preferred option?



Bret



________________________________
From: Allan Thomson <athomson@lookingglasscyber.com>
Sent: Wednesday, November 30, 2016 2:56:11 PM
To: Bret Jordan (CS); Mr. Stefan Hagen; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen

4 -> 2 -> 3 -> 1

regards

allan

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Wednesday, November 30, 2016 at 1:34 PM
To: "Mr. Stefan Hagen" <stefan@hagen.link>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen


My preference would be 1, 2.  IMHO 3 is bad and 4 is just confusing.



Bret

________________________________
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Mr. Stefan Hagen <stefan@hagen.link>
Sent: Wednesday, November 30, 2016 2:17:08 PM
To: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen

My preference chain is (like Sarah's): 1, 4, 2, 3 of:

1.      Keep first_seen as a summary field, but do not add last_seen (status quo)

2.      Add last_seen as a summary field with the above description or something similar (Allan’s proposal).

3.      Do not add last_seen and remove first_seen, relying entirely on sightings.

4.      Rename first_seen to first_active and add last_active (tentative names). This would help clarify that what you’re saying is what you – as the producer – think the lifetime of the campaign has been (aggregated from sightings and other data you might have, e.g. possibly ignoring sightings from producers you don’t trust)

All the best,
Stefan


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php