Indicator Type / Vocabulary Implementation Questions

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

HI all, I am producing some new STIX content in an automated fashion, and am looking for feedback on my planned usage of indicator types:

As with many things STIX, the way you do this is so wide open, it makes implementation decisions difficult

"The default vocabulary type is IndicatorTypeVocab-1.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field."

        @see http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/

So essentially, I can stick to the default vocabulary, *OR* I can define my own vocabulary, *OR* I can use it as a free-form string.

The problem i have with the default vocabulary, is this list is very restrictive, and there is no "Other" type. 

First question - Has there ever been thought to extending this vocabulary, or adding an "Other" type that one could then annotate in some way? I haven't seen this question come up on the STIX list.

Second question - My other problem is, I can't define a new fixed vocabulary because this is user-generated stuff. I pretty much am stuck with either using the fixed vocabulary, or letting the user type in whatever they want. How many people are sticking to the controlled vocabulary here? If I use this as a free-form string, will it cause some tools to blow up? Anyone have experience here?



-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown