Subject: RE: [cti-stix] Grouping SDO Open Questions
Hey Sean,

Can you provide some examples on what would be in the open vocab for context? I think I know what you’re looking for but it would be helpful to get some concrete examples to look at.

Thanks,
-Gary

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Sean Barnum

1) I agree that it is currently unclear how Classification Object would appropriately support validation information. I would support leaving it alone for now.

2) I believe we should keep Grouping and Report as separate objects.

3) To clarify, the suggestion is that “context” would be an open vocabulary not simply another open string like description. This would help improve consistency for common contexts but also enable the expression of more custom or esoteric contexts. Given this and with a clear definition for the “context” property I do not believe it should be confusing.

I would disagree with changing the description for “description” to specify it should be used for constructive rather than informative purposes. I think that would be a very major change to the way description has been envisioned and is very likely to be used.

We continue to assert that this explicit context property is necessary for the practical usefulness of Grouping objects for collaborative intel sharing/evolution.

Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com

From: <cti-stix@lists.oasis-open.org> on behalf of "Kirillov, Ivan A." <ikirillov@mitre.org>

My thoughts:
Regards,
Ivan

From: <cti-stix@lists.oasis-open.org> on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>

I think the Grouping object looks fairly good. My thoughts:

1) The classification object is currently being discussed as a way to convey risk. This doesn’t seem to align (currently) with whether the data is ‘validated’ or not. I would say leave it alone for now, but if the classification proposal changes in the future, we can revisit this decision.

2) I think we’ve already agreed they should be separate; once we make that call, we shouldn’t reopen it unless there is a VERY good reason to do so.

3) I can understand the desire for the shared context field, but I agree with John. I think people won’t know when to use which and it will be confusing. Plus, what would you put in the description of a grouping if not the description of why you made the group (aka the context)?

Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722

From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>

Hey all,

I wanted to get the Grouping SDO out there for another round of reviews. To remind everyone, this is an SDO similar to Report but targeted less at finished reports that you would publish as a PDF and more at ad-hoc collections/groupings of intelligence that may not even be fully validated. This was a use case initially requested by MISP, then supported by FireEye.

I believe we’re approaching consensus on a few discussion topics:
There are still a few open questions:
Please let us know what you think about those open questions. My opinions:
John
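As an added example (not code from this thread or from the STIX project), the Python check below shows the practical difference between the open-vocabulary “context” property under discussion and a closed one: a consumer accepts a value outside the suggested set but reports it, whereas a closed vocabulary would reject it. The vocabulary values, the required-property list and the sample Grouping object are constructed for illustration and are not taken from the thread.

```python
from typing import Dict, List, Tuple

# Constructed illustrative vocabulary for the proposed "context" property
# (hypothetical values, not from the thread or any published spec).
GROUPING_CONTEXT_OV = {"suspicious-activity", "malware-analysis", "unspecified"}

# Constructed list of properties this checker treats as required.
REQUIRED = ("type", "id", "created", "modified", "context", "object_refs")


def check_grouping(obj: Dict, open_vocab: bool = True) -> Tuple[bool, List[str]]:
    """Return (valid, messages) for a Grouping-like dict.

    With open_vocab=True (the proposal in the thread) a 'context' outside the
    suggested vocabulary is accepted but reported, so producers can express
    custom or esoteric contexts while consumers still notice drift from the
    common set.  With open_vocab=False the same value is a hard error, i.e.
    closed-vocabulary behaviour.
    """
    errors: List[str] = []
    warnings: List[str] = []
    for key in REQUIRED:
        if key not in obj:
            errors.append(f"missing required property: {key}")
    if obj.get("type") != "grouping":
        errors.append("type must be 'grouping'")
    refs = obj.get("object_refs")
    if isinstance(refs, list) and not refs:
        errors.append("object_refs must not be empty")
    ctx = obj.get("context")
    if isinstance(ctx, str) and ctx not in GROUPING_CONTEXT_OV:
        msg = f"context {ctx!r} is not in the suggested vocabulary"
        (warnings if open_vocab else errors).append(msg)
    return (not errors, errors + warnings)


# Constructed sample object; the ids are placeholders, not real STIX content.
SAMPLE_GROUPING = {
    "type": "grouping",
    "id": "grouping--00000000-0000-4000-8000-000000000001",
    "created": "2018-01-01T00:00:00.000Z",
    "modified": "2018-01-01T00:00:00.000Z",
    "name": "Constructed sample grouping",
    "context": "suspicious-activity",
    "object_refs": ["indicator--00000000-0000-4000-8000-000000000002"],
}
```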