Sarah – generally agree with slight modification to the proposed text.
“If both first_seen and last_seen are present on the object, last_seen MUST be more recent or equal to first_seen”
Allan
From: "cti-stix@lists.oasis-open.org
" <cti-stix@lists.oasis-open.org > on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>
Date: Wednesday, August 30, 2017 at 7:33 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org >
Subject: [cti-stix] Small changes from 2.0 - 2.1 - Add a normative requirement for timestamps
GITHUB issue #13 (https://github.com/oasis-tcs/
cti-stix2/issues/13 )
A comment received during the CSD comment period for STIX 2.0 pointed out that we currently have no normative statements stating that when we have a “first_*” timestamp and a “last_*” timestamp, that the “first_*” MUST come before the “last_*. Currently what this means is that it would be valid STIX 2.0 to have a “last_seen” that was five years prior to the corresponding “first_seen”.
We currently have these timestamp pairs (first, last) on the following SDOs (in STIX 2.0):
Campaign
Intrusion Set
Observed Data
Sighting
There is also a proposal to add “first_seen” and “last_seen” to the Relationship SRO (for STIX 2.1).
Are there any objections to adding normative text along the lines of:
“If both first_seen and last_seen are present on the object, first_seen MUST come before last_seen”
Please chime in if there are any objections to adding text in this manner.
Thanks,
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . . . .
