I’m going to be sending a series of emails regarding small changes that have been requested in moving from STIX 2.0 to STIX 2.1. The hope is that these won’t be particularly controversial, but if anyone has any objections to these changes, please speak up.

GitHub issue #11 (https://github.com/oasis-tcs/cti-stix2/issues/11)

There has been a suggestion to add “first_seen” and “last_seen” properties onto the relationship object. The Relationship object would then look something like this (with the suggested changes highlighted in yellow):

3.1.2 Properties

Common Properties: type, id, created_by_ref, created, modified, revoked, labels, confidence, lang, external_references, object_marking_refs, granular_markings

Relationship Specific Properties: relationship_type, description, source_ref, target_ref

| Property Name | Type | Description |
|---|---|---|
| type (required) | string | The value of this property MUST be relationship. |
| relationship_type (required) | string | The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a–z (lowercase ASCII), 0–9, and hyphen (-). |
| description (optional) | string | A description that provides more details and context about the Relationship, potentially including its purpose and its key characteristics. |
| first_seen (optional) | timestamp | The beginning of the time window during which the relationship should be considered valid. |
| last_seen (optional) | timestamp | The end of the time window during which the relationship should be considered valid. |
| source_ref (required) | identifier | The id of the source (from) object. The value MUST be an ID reference to an SDO (i.e., it cannot point to an SRO, Bundle, or Marking Definition). |
| target_ref (required) | identifier | The id of the target (to) object. The value MUST be an ID reference to an SDO (i.e., it cannot point to an SRO, Bundle, or Marking Definition). |

Does anyone have any objections to making this change?
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
sarah.kelley@cisecurity.org
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722
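
An added example, not part of the original email or of the STIX specification: a Python check of a Relationship object against the property table above, including the proposed first_seen and last_seen. The sample object and its identifiers are constructed, the rule that last_seen must not precede first_seen is an assumption of this example, and treating sighting as an SRO type comes from STIX 2.0 rather than from this message.

```python
import re
from datetime import datetime

# Types that are not SDOs: the SROs (relationship, sighting), Bundle, Marking Definition.
NON_SDO_TYPES = {"relationship", "sighting", "bundle", "marking-definition"}
REL_TYPE_RE = re.compile(r"[a-z0-9-]+")
REQUIRED = ("type", "relationship_type", "source_ref", "target_ref")

def parse_ts(value):
    """Parse a STIX timestamp (RFC 3339, UTC 'Z'); return None if malformed."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt)
        except (TypeError, ValueError):
            continue
    return None

def validate_relationship(obj):
    """Return a list of problems; an empty list means the object passed."""
    errors = [f"missing required property: {p}" for p in REQUIRED if p not in obj]
    if obj.get("type", "relationship") != "relationship":
        errors.append("type MUST be 'relationship'")
    rel_type = obj.get("relationship_type")
    if rel_type is not None and not REL_TYPE_RE.fullmatch(str(rel_type)):
        errors.append("relationship_type limited to a-z, 0-9 and hyphen")
    for prop in ("source_ref", "target_ref"):
        ref = obj.get(prop)
        if ref is not None and str(ref).split("--", 1)[0] in NON_SDO_TYPES:
            errors.append(f"{prop} MUST reference an SDO")
    window = {}
    for prop in ("first_seen", "last_seen"):  # the proposed optional properties
        if prop in obj:
            window[prop] = parse_ts(obj[prop])
            if window[prop] is None:
                errors.append(f"{prop} is not a valid timestamp")
    # Assumption of this example: the window must not end before it begins.
    first, last = window.get("first_seen"), window.get("last_seen")
    if first and last and last < first:
        errors.append("last_seen is earlier than first_seen")
    return errors

# Constructed sample object; the identifiers are made up for illustration.
SAMPLE = {
    "type": "relationship",
    "relationship_type": "uses",
    "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000002",
    "target_ref": "malware--00000000-0000-4000-8000-000000000003",
    "first_seen": "2017-03-01T00:00:00Z",
    "last_seen": "2017-06-30T23:59:59.000Z",
}
```

Calling `validate_relationship(SAMPLE)` returns an empty list; a consumer that ignores the window would treat the relationship as valid indefinitely.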