[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Small changes from 2.0 - 2.1 - Add a normative requirement for timestamps
GITHUB issue #13 (https://github.com/oasis-tcs/cti-stix2/issues/13 ) A comment received during the CSD comment period for STIX 2.0 pointed out that we currently have no normative statements stating that when we have a “first_*” timestamp and a “last_*” timestamp, that the “first_*”
MUST come before the “last_*. Currently what this means is that it would be valid STIX 2.0 to have a “last_seen” that was five years prior to the corresponding “first_seen”. We currently have these timestamp pairs (first, last) on the following SDOs (in STIX 2.0): Campaign Intrusion Set Observed Data Sighting There is also a proposal to add “first_seen” and “last_seen” to the Relationship SRO (for STIX 2.1).
Are there any objections to adding normative text along the lines of: “If both first_seen and last_seen are present on the object, first_seen
MUST come before last_seen” Please chime in if there are any objections to adding text in this manner.
Thanks, Sarah Kelley Senior Cyber Threat Analyst Multi-State Information Sharing and Analysis Center (MS-ISAC) 31 Tech Valley Drive East Greenbush, NY 12061 518-266-3493 24x7 Security Operations Center SOC@cisecurity.org - 1-866-787-4722 . . . . . |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]