Small changes from 2.0 - 2.1 - Add a normative requirement for timestamps

[Sarah Kelley <Sarah.Kelley@cisecurity.org>]

GITHUB issue #13 (https://github.com/oasis-tcs/cti-stix2/issues/13 )

 

A comment received during the CSD comment period for STIX 2.0 pointed out that we currently have no normative statements stating that when we have a “first_*” timestamp and a “last_*” timestamp, that the “first_*” MUST come before the “last_*. Currently what this means is that it would be valid STIX 2.0 to have a “last_seen” that was five years prior to the corresponding “first_seen”.

 

We currently have these timestamp pairs (first, last) on the following SDOs (in STIX 2.0):

Campaign

Intrusion Set

Observed Data

Sighting

 

There is also a proposal to add “first_seen” and “last_seen” to the Relationship SRO (for STIX 2.1).

 

 

Are there any objections to adding normative text along the lines of:

“If both first_seen and last_seen are present on the object, first_seen MUST come before last_seen”

 

 

Please chime in if there are any objections to adding text in this manner.

 

Thanks,

 

 

Sarah Kelley

Senior Cyber Threat Analyst

Multi-State Information Sharing and Analysis Center (MS-ISAC)                   

31 Tech Valley Drive

East Greenbush, NY 12061

 

sarah.kelley@cisecurity.org

518-266-3493

24x7 Security Operations Center

SOC@cisecurity.org - 1-866-787-4722

 

                  

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

. . . . .