Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
1) We should establish a review/enhancement/update process for the default controlled vocabularies. (reuse was good but needs to evolve)

2) Tools should not cry, but 'Other' in general will lead to bad scenarios (bad statistics/metrics and automation...)

Note that use of an Ontology (where 'synonyms' are defined) would help solve this issue.

2015-10-22 18:18 GMT+03:00 Jason Keirstead <Jason.Keirstead@ca.ibm.com>:
> Hi all, I am producing some new STIX content in an automated fashion, and am
> looking for feedback on my planned usage of indicator types:
>
> As with many things STIX, the way you do this is so wide open, it makes
> implementation decisions difficult
>
> "The default vocabulary type is IndicatorTypeVocab-1.1 in the
> http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined
> in the stix_default_vocabularies.xsd file or at the URL
> http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
> Users may also define their own vocabulary using the type extension
> mechanism, specify a vocabulary name and reference using the attributes, or
> simply use this as a string field."
>
> @see
> http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/
>
> So essentially, I can stick to the default vocabulary, *OR* I can define my
> own vocabulary, *OR* I can use it as a free-form string.
>
> The problem I have with the default vocabulary, is this list is very
> restrictive, and there is no "Other" type.
>
> First question - Has there ever been thought to extending this vocabulary,
> or adding an "Other" type that one could then annotate in some way? I
> haven't seen this question come up on the STIX list.
>
> Second question - My other problem is, I can't define a new fixed vocabulary
> because this is user-generated stuff. I pretty much am stuck with either
> using the fixed vocabulary, or letting the user type in whatever they want.
> How many people are sticking to the controlled vocabulary here? If I use
> this as a free-form string, will it cause some tools to blow up? Anyone have
> experience here?
>
> -
> Jason Keirstead
> Product Architect, Security Intelligence, IBM Security Systems
> www.ibm.com/security | www.securityintelligence.com
>
> Without data, all you are is just another person with an opinion - Unknown
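
An added example, not code from either poster or from the STIX project: a consumer-side check that sorts each `indicator:Type` into the three cases discussed in this thread (default vocabulary, custom vocabulary, free-form string) instead of failing on unexpected values. The sample XML is a constructed, trimmed fragment, `ExampleVocab` is a hypothetical vocabulary name, and the term list is transcribed for this example and should be checked against the schema.

```python
import io
import xml.etree.ElementTree as ET

TYPE_TAG = "{http://stix.mitre.org/Indicator-2}Type"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
DEFAULT_VOCAB = ("http://stix.mitre.org/default_vocabularies-1", "IndicatorTypeVocab-1.1")
# IndicatorTypeVocab-1.1 terms as transcribed for this example; verify against the schema.
DEFAULT_TERMS = ["Malicious E-mail", "IP Watchlist", "File Hash Watchlist",
    "Domain Watchlist", "URL Watchlist", "Malware Artifacts", "C2", "Anonymization",
    "Exfiltration", "Host Characteristics", "Compromised PKI Certificate",
    "Login Name", "IMEI Watchlist", "IMSI Watchlist"]
FOLDED = {t.casefold(): t for t in DEFAULT_TERMS}

def classify_indicator_types(xml_bytes):
    """Return (value, kind, matching default term or None) per indicator:Type."""
    prefixes, out = {}, []
    for event, item in ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns", "end")):
        if event == "start-ns":
            prefixes[item[0]] = item[1]  # remember prefix -> namespace URI
            continue
        if item.tag != TYPE_TAG:
            continue
        value = (item.text or "").strip()
        qname = item.get(XSI_TYPE)
        prefix, _, local = (qname or "").rpartition(":")
        declared = (prefixes.get(prefix), local) if qname else None
        if declared == DEFAULT_VOCAB:
            # Claims the default vocabulary: the value must be one of its terms.
            kind = "default" if value in DEFAULT_TERMS else "invalid-default"
        elif qname or item.get("vocab_name"):
            kind = "custom"  # another vocabulary type, or vocab_name/vocab_reference
        else:
            kind = "free-form"  # plain string; FOLDED may still map it to a term
        out.append((value, kind, FOLDED.get(value.casefold())))
    return out

# Constructed, trimmed fragment (not a complete schema-valid STIX package).
SAMPLE = b"""<stix:Indicators xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicator><indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type></stix:Indicator>
 <stix:Indicator><indicator:Type vocab_name="ExampleVocab">Phishing Kit</indicator:Type></stix:Indicator>
 <stix:Indicator><indicator:Type>ip watchlist</indicator:Type></stix:Indicator>
 <stix:Indicator><indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Other</indicator:Type></stix:Indicator>
</stix:Indicators>"""

if __name__ == "__main__":
    for row in classify_indicator_types(SAMPLE):
        print(row)
```

The fourth sample entry shows why "Other" cannot simply be written under the default vocabulary type: it is reported as `invalid-default`, while the free-form `ip watchlist` is still mapped back to a known term for statistics. For feeds received from other parties, use a hardened XML parser in place of the standard-library one.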