Subject: Re: [cti-stix] Location - Administrative_Area (RE: [cti] Groups - OASIS-CTI-TC_WorkingSession_August8_2017.pdf uploaded)
Hi Ryu,

Yeah, I know the working call meeting times are not great for everyone, that’s why it’s important to have conversations like this on the list as well. We can make a lot of progress on the working calls, but we always need to validate what we do with the broader list.

We do try to make sure that things we add to STIX are in use…not necessarily the exact implementation, but certainly the overall concept. In this case, while a lot of people capture administrative area it wasn’t really clear that anyone was using something like 3166-2 to do so other than AIS.

Also to your point on normalization, we did talk through the use case for correlation based on administrative area in a location. The point that was brought up was that if you really need more local correlation you’re much better off using postal code than anything else…administrative area isn’t a commonly-used concept in some places (e.g. Belgium) and even in places where it is used (e.g. U.S.) the postal code is much more specific (it helps solve the problem for city in addition to administrative area) and usable. There’s even canonical data sources for it available from the national/federal government in many cases. Administrative area was more likely to be presented to an analyst so they understand where the postal code is.

John

From: <cti-stix@lists.oasis-open.org> on behalf of "Masuoka, Ryusuke" <masuoka.ryusuke@jp.fujitsu.com>

John, all,

Thank you for your input. Sorry that I could not attend the teleconference. (I tried to continue to attend regular teleconferences when standard time started, but I got sick after attending a couple of teleconferences starting from one o’clock in the morning. I thought I would come back to the regular teleconferences when the summer time starts, but then it was moved to 3 o’clock in the morning and I gave up.)

> We talked about the specific usage for administrative area. Nobody on the call could recall seeing them anywhere other than in AIS,
> so separate from the copyright issues the group on the working call had consensus to not reference them for administrative area.
> If anyone has some other suggestions here (I’ve noted Ryu’s suggestion to use ISO 3166-2 here) let us know.

Is it a requirement for new things to be added to STIX 2.x that many people have seen it in use? I have not seen many of the things introduced to STIX 2.x before. I have not seen even many of the STIX 1.x elements used beyond what OpenIoC can express. … and that concerns me.

Administrative Area is actually used in AIS and I heard the users (ISACers) mention that it would be a good source for determining the CTI’s relevance to them. But the merit would not be materialized if we do not standardize its content. (It does not have to be ISO 3166-2 as long as it is machine-understandable.) If we let people put anything in it, it can be *Maryland*, *MD*, *US-MD*, *The State of Maryland*, … and there will be no way for a machine to determine what it really means in a robust way.

Regards,
Ryu

P.S. I am taking Aug. 11 – 22 off and please understand my responses may be late.

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Wunder, John A.

Hi Ryu, all,

Thanks for the input. So everyone understands what we discussed on the working call:

In the meantime, the best word we have about the usage of ISO is what Mr. Hagan passed along from the ISO representative. OASIS is also planning to weigh in, but the expectation at this point is that we’ll hear that both the language codes and the 3166 codes are under copyright and there’s no free usage.

Thanks,
John

From: <cti-stix@lists.oasis-open.org> on behalf of "Masuoka, Ryusuke" <masuoka.ryusuke@jp.fujitsu.com>

Hi,

I found the following in the minutes.

-----
Rich I believe if we say country as a SHOULD – then all will do If we are going to entertain Ryu’s suggestion for ISO codes for Admin areas – that is A separate issue. That is a big corpus of data
-----

It (ISO codes for Administrative_Area) is a current requirement of AIS STIX (“AIS STIX Profile” p. 29 - https://www.us-cert.gov/sites/default/files/ais_files/AIS_Submission_Guidance_Appendix_A.pdf) for STIX 1.1. My suggestion is to keep it for STIX 2.x when there is Administrative_Area in the STIX. Textual address can be in the “Street_Address” and other fields.

If it is in ISO 3166-2 (and there is no problem using ISO in the STIX standard), then it should be a great source of useful semantics for CTI consumers to determine how relevant the CTI is for them. (I learned this from ISACers at the Cybersecurity Standards User Council Open Forum before Borderless Cyber USA.)

> That is a big corpus of data

It is not really so “big” at all. We found a CSV file of ISO 3166-2 at https://raw.githubusercontent.com/lukes/ISO-3166-Countries-with-Regional-Codes/master/all/all.csv and it was a matter of two hours of development to create a UI where a user can select the country name and then the system presents the administrative area in a human-understandable name for the user to select, then to put the information (country code in ISO-3166-1 Alpha-2 and administrative area in ISO-3166-2) in STIX.

Regards,
Ryu

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Jane Ginn

Submitter's message
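
The normalization problem raised in the thread (*Maryland*, *MD*, *US-MD*, *The State of Maryland* all meaning the same place) can be shown in a few lines. This is an added example, not code from any participant or from OASIS; the subdivision table is a small constructed sample rather than the CSV linked above, and the `country` / `administrative_area` property names and the `x_unnormalized_area` fallback are assumptions about how a Location object would carry the result.

```python
import re

# Constructed sample: ISO 3166-1 alpha-2 country -> {ISO 3166-2 code: names}
SUBDIVISIONS = {
    "US": {"US-MD": ["Maryland"], "US-VA": ["Virginia"]},
    "JP": {"JP-13": ["Tokyo"]},
    "BE": {"BE-VLG": ["Flemish Region", "Vlaams Gewest"]},
}
_NOISE = re.compile(r"^(the\s+)?(state|province|commonwealth|prefecture)\s+of\s+", re.I)

def _key(text):
    # Drop "The State of ..." style prefixes, then punctuation, spacing and case.
    return re.sub(r"[^a-z0-9]", "", _NOISE.sub("", text.strip()).lower())

def build_index(table):
    index = {}
    for country, subs in table.items():
        for code, names in subs.items():
            suffix = code.split("-", 1)[1]          # "MD" from "US-MD"
            for alias in [code, suffix, *names]:
                index[(country, _key(alias))] = code
    return index

INDEX = build_index(SUBDIVISIONS)

def normalize_area(country, free_text):
    """Return the canonical code, or None; never guess across countries."""
    return INDEX.get((country.upper(), _key(free_text)))

def to_location(country, free_text):
    loc = {"type": "location", "country": country.upper()}
    code = normalize_area(country, free_text)
    if code:
        loc["administrative_area"] = code
    else:
        loc["x_unnormalized_area"] = free_text      # hypothetical custom property
    return loc

def group_by_area(reports):
    groups = {}
    for country, text in reports:
        groups.setdefault(normalize_area(country, text) or "UNRESOLVED", []).append(text)
    return groups

# Constructed producer inputs: four spellings of one place, plus two that must not match.
SAMPLE = [("US", "Maryland"), ("us", "MD"), ("US", "US-MD"),
          ("US", "The State of Maryland"), ("US", "Greater Baltimore"), ("MD", "MD")]

if __name__ == "__main__":
    for code, texts in group_by_area(SAMPLE).items():
        print(code, texts)
```

Keying the lookup on the country code is what keeps `MD` submitted with country `MD` (Moldova) from being read as Maryland; anything not in the table stays unresolved instead of being forced into a code.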