OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Small changes from 2.0 - 2.1 - dates on relationships


I’m going to be sending a series of emails regarding small changes that have been requested in moving from STIX 2.0 to STIX 2.1. The hope is that these won’t be particularly controversial, but if anyone has any objections to these changes, please speak up.

 

GITHUB issue #11 (https://github.com/oasis-tcs/cti-stix2/issues/11 )

 

There has been a suggestion to add “first_seen” and “last_seen” properties onto the relationship object.  The Relationship object would then look something like this (with the suggested changes highlighted in yellow):

 

3.1.2   Properties

Common Properties

type, id, created_by_ref, created, modified, revoked, labels, confidence, lang, external_references, object_marking_refs, granular_markings

Relationship Specific Properties

relationship_type, description, source_ref, target_ref

Property Name

Type

Description

type (required)

string

The value of this property MUST be relationship.

relationship_type (required)

string

The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a–z (lowercase ASCII), 0–9, and hyphen (-).

description (optional)

string

A description that provides more details and context about the Relationship, potentially including its purpose and its key characteristics.

first_seen (optional)

timestamp

 

The beginning of the time window during which the relationship should be considered valid.

 

last_seen (optional)

timestamp

 

The end of the time window during which the relationship should be considered valid.

 

source_ref (required)

identifier

The id of the source (from) object. The value MUST be an ID reference to an SDO (i.e., it cannot point to an SRO, Bundle, or Marking Definition).

target_ref (required)

identifier

The id of the target (to) object. The value MUST be an ID reference to an SDO (i.e., it cannot point to an SRO, Bundle, or Marking Definition).

 

Does anyone have any objections to making this change?

 

 

Sarah Kelley

Senior Cyber Threat Analyst

Multi-State Information Sharing and Analysis Center (MS-ISAC)                   

31 Tech Valley Drive

East Greenbush, NY 12061

 

sarah.kelley@cisecurity.org

518-266-3493

24x7 Security Operations Center

SOC@cisecurity.org - 1-866-787-4722

 

                  

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

. . . . .


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]