[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen
Yep. I can live with 2.
Cheers
Terry MacDonald
Cosive
Yeah I think that makes sense. Thanks everyone for weighing in.
What I would like to do now is suggest that we go ahead and make the change per #2. I know we didn’t have total agreement but I agree w/ Bret and Allan that it seems like the consensus path forward. Can everyone live ith this, even if you don’t love it?
If for any reason you feel we need to get more input or you strongly oppose it please speak up and we can (if you have an option not mentioned) discuss it or (if you think we should get broader TC input) open a ballot. Otherwise the editors will go ahead and make this change in the specifications.
John
From: "cti-stix@lists.oasis-open.org
" <cti-stix@lists.oasis-open.org > on behalf of Allan Thomson <athomson@lookingglasscyber. com >
Date: Wednesday, November 30, 2016 at 9:27 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "Mr. Stefan Hagen" <stefan@hagen.link>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org >
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen
I think so.
Also I would suggest to make it clear that for folks that voted on 1 that the field will be optional so if you don’t care to support it in your products/implementations then you don’t have to.
allan
From: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Wednesday, November 30, 2016 at 2:02 PM
To: Allan Thomson <athomson@lookingglasscyber.com >, "Mr. Stefan Hagen" <stefan@hagen.link>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org >
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen
So if we zero out all the 1 -> 2 with the 4 -> 2 people, that leaves us with "2" as the preferred option?
Bret
From: Allan Thomson <athomson@lookingglasscyber.
com >
Sent: Wednesday, November 30, 2016 2:56:11 PM
To: Bret Jordan (CS); Mr. Stefan Hagen; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen
4 -> 2 -> 3 -> 1
regards
allan
From: "cti-stix@lists.oasis-open.org
" <cti-stix@lists.oasis-open.org > on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Wednesday, November 30, 2016 at 1:34 PM
To: "Mr. Stefan Hagen" <stefan@hagen.link>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org >
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen
My preference would be 1, 2. IMHO 3 is bad and 4 is just confusing.
Bret
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org
> on behalf of Mr. Stefan Hagen <stefan@hagen.link>
Sent: Wednesday, November 30, 2016 2:17:08 PM
To: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Moving forward with first_seen and last_seen
My preference chain is (like Sarah's): 1, 4, 2, 3 of:
1. Keep first_seen as a summary field, but do not add last_seen (status quo)
2. Add last_seen as a summary field with the above description or something similar (Allan’s proposal).
3. Do not add last_seen and remove first_seen, relying entirely on sightings.
4. Rename first_seen to first_active and add last_active (tentative names). This would help clarify that what you’re saying is what you – as the producer – think the lifetime of the campaign has been (aggregated from sightings and other data you might have, e.g. possibly ignoring sightings from producers you don’t trust)
All the best,
Stefan
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]