cti-stix message



Subject: Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer


Hi Trey,

Comments inline...

* `expiry` field: Timestamp Precision was removed from STIX 2.0 based
  on the ballot that closed 20.12.2016 so the precision-related
  language can be elided.

OK. I'll remove it from the proposal.


* `observables`: You can pass a list of Observable Objects in a STIX
  Question but since Observables don't have a UUID and you might pass
  an array of completely unrelated Observables inside a single STIX
  Question, how does a respondent indicate in a *structured* manner
  which `objects` in a STIX Answer correspond to which Observables in
  the original STIX Question?

Good question. In my proposal I allow multiple questions within the doc question object. The idea was that the questions would relate to one single 'topic' - so for instance if you found a new type of malware that connected to a certain IP address and URL, and had a certain file hash, you would send them all together.

There are alternatives I came up with, namely:
1. Restrict each STIX question to a single 'topic' of things the question writer thinks are related, OR,
2. Restrict each STIX question to a single observable, OR
3. Add in an identifier for the question observables and identify each one that way, OR
4. Remove the observables and force them to be added as STIX observed data objects.

The STIX question was intended to ask 'does anyone have any information they think is related to X'. #1 is closest to that target, and the way I chose to do it in the proposal.

Any STIX answers that the recipient receives should be related to the STIX question in some way, but it is up to the recipient to determine if they trust that they are. The STIX answers are still only assertions made by the object creators and therefore are possibly related to the STIX question originally asked.

I think if we say that creators of STIX answers must only include answers that they believe answer the questions asked in the related STIX question it may be good enough.

* Since `question` and `answer` are STIX SDOs, they'll be passed
  around via TAXII inside of a STIX Bundle. Directly embedding other
  SDOs inside their respective Question/Answer SDOs, which are then
  embedded inside a STIX Bundle seems weird.

They aren't SDOs. They are STIX objects, but they are 'message type' objects, similar to a STIX bundle. The idea was that TAXII would pass around the 3 different 'message types' (STIX bundle, STIX question, STIX answer) in the same way.

Cheers
Terry MacDonald
Cosive
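As an added illustration (not code from the proposal, from Terry, or from this thread), the Python below sketches alternative #3 from the list above: give each observable in a question a stable key, have each answer object reference the keys it claims to relate to, and let the recipient check that correspondence in a structured way instead of guessing. Everything schema-specific here is an assumption made for the example: the message type names x-question and x-answer, the question_ref property, the x_answers_observable_refs custom property (named with the STIX x_ custom-property prefix), and the constructed sample observables and object ids. The observables are keyed "0", "1", ... the way STIX 2.0 observed-data keys its objects dictionary.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample data for the example (not from the proposal): the kind of
# 'topic' the thread describes, keyed the way STIX 2.0 observed-data keys its
# "objects" dictionary.
QUESTION_OBSERVABLES = {
    "0": {"type": "ipv4-addr", "value": "198.51.100.7"},
    "1": {"type": "url", "value": "http://example.invalid/payload"},
    "2": {"type": "file",
          "hashes": {"SHA-256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}},
}


def _ts(dt):
    # STIX 2.0 timestamp format (millisecond precision, UTC).
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_question(observables, expiry, created=None):
    """Build a hypothetical 'question' message. Each observable keeps its key so
    that answers can point back at it (alternative #3 in the thread)."""
    created = created or datetime(2017, 1, 10, tzinfo=timezone.utc)
    return {
        "type": "x-question",                       # hypothetical type name
        "id": "x-question--" + str(uuid.uuid4()),
        "created": _ts(created),
        "expiry": _ts(expiry),
        "observables": dict(observables),
    }


def make_answer(question, objects):
    """Build a hypothetical 'answer' message that names the question it answers."""
    return {
        "type": "x-answer",                         # hypothetical type name
        "id": "x-answer--" + str(uuid.uuid4()),
        "question_ref": question["id"],             # hypothetical property
        "objects": list(objects),
    }


def correlate(question, answer):
    """Map each question observable key to the answer objects that claim to
    relate to it via the hypothetical x_answers_observable_refs property.
    Returns (mapping, unmatched); unmatched lists objects that point at keys
    the question never asked about, or that carry no reference at all and so
    can only be related to the question by guesswork."""
    if answer.get("question_ref") != question["id"]:
        raise ValueError("answer does not reference this question")
    known = set(question["observables"])
    mapping = {key: [] for key in sorted(known)}
    unmatched = []
    for obj in answer["objects"]:
        refs = obj.get("x_answers_observable_refs")
        if not refs or any(r not in known for r in refs):
            unmatched.append(obj["id"])
            continue
        for r in refs:
            mapping[r].append(obj["id"])
    return mapping, unmatched


def demo():
    """Run the exchange on constructed data: two well-formed answer objects, one
    pointing at a key the question never had, and one with no reference."""
    question = make_question(QUESTION_OBSERVABLES,
                             expiry=datetime(2017, 2, 10, tzinfo=timezone.utc))
    answer = make_answer(question, [
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111",
         "x_answers_observable_refs": ["0"]},
        {"type": "malware", "id": "malware--22222222-2222-4222-8222-222222222222",
         "x_answers_observable_refs": ["0", "2"]},
        {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
         "x_answers_observable_refs": ["9"]},          # key not in the question
        {"type": "report", "id": "report--44444444-4444-4444-8444-444444444444"},
    ])
    return correlate(question, answer)


if __name__ == "__main__":
    mapping, unmatched = demo()
    print(json.dumps(mapping, indent=2))
    print("unmatched:", unmatched)
```

The recipient still has to decide whether it trusts an answer, as the reply above says; what the key check adds is that an object with no reference, or a reference to something the question never asked, is surfaced explicitly rather than silently treated as related.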

