[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
In regard to forcing a controlled vocab in STIX 2, I am torn. A controlled vocab would make STIX easier for software developers, but more difficult for product owners who are trying to push the boundaries of STIX within their products. Just the other day I was working on a proposal that had us doing something different with STIX that required us to release a few custom vocab entries. However, I could argue against custom vocabs as I have seen implementations of STIX that do not understand the whole concept of including additional XSDs in the namespace/header portion of the XML document.
Aharon
From: <cti-users@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
Date: Thursday, October 22, 2015 at 1:14 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

It would be nice to understand what software is doing with the field. Does it show up in the UI as a sort/filter? Do you base processing on it?
I heard a recent proposal to remove it entirely. What would be the impact of that?
John
From: <cti-users@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thursday, October 22, 2015 at 1:10 PM
To: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

I would agree, but the spec currently lets you put in any string.

Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. You can probably enumerate the benefits in your circumstances better than anyone outside of your situation. The value of controlling the vocabulary should translate into a benefit to your users and provide an incentive for adoption. Others will want to discuss adopting an ontology to control handling of indicators based on type. While my first thought is "There be dragons" (https://en.wikipedia.org/wiki/Here_be_dragons), it's also true that an indicator type might not be as challenging as other ontologies. Are you able to describe how the indicator type affects the way you understand or treat the indicator? I have built ontologies and found it interesting work, but it's definitely non-trivial. I'd like to hear more about how you proceed.

Cliff Palmer

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Thursday, October 22, 2015 11:18 AM
To: cti-users@lists.oasis-open.org
Subject: [cti-users] Indicator Type / Vocabulary Implementation Questions

Hi all,

I am producing some new STIX content in an automated fashion, and am looking for feedback on my planned usage of indicator types:

"The default vocabulary type is IndicatorTypeVocab-1.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field."

@see http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/

So essentially, I can stick to the default vocabulary, *OR* I can define my own vocabulary, *OR* I can use it as a free-form string.

The problem I have with the default vocabulary is that this list is very restrictive, and there is no "Other" type.

First question - Has there ever been thought to extending this vocabulary, or adding an "Other" type that one could then annotate in some way? I haven't seen this question come up on the STIX list.

Second question - My other problem is, I can't define a new fixed vocabulary because this is user-generated stuff. I pretty much am stuck with either using the fixed vocabulary, or letting the user type in whatever they want. How many people are sticking to the controlled vocabulary here? If I use this as a free-form string, will it cause some tools to blow up? Anyone have experience here?

- Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
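Editor's note, not part of the thread: the spec text Jason quotes allows three encodings of Indicator/Type in STIX 1.2 XML, and his "will it cause some tools to blow up?" worry comes down to one case. A consumer that schema-validates will reject a Type element that carries xsi:type="stixVocabs:IndicatorTypeVocab-1.1" but holds a value the enumeration does not define; a custom vocabulary (vocab_name/vocab_reference attributes) or a bare string is schema-valid and the consumer simply cannot assume any meaning for it. The example below is added here to show a tolerant consumer: it resolves the xsi:type QName against the prefixes actually in scope instead of string-matching the prefix, checks the default-vocabulary case against the enumeration, and passes the other two styles through with a label. The package, the "example:" namespace and the values are constructed for illustration; the enumeration set is the editor's transcription of IndicatorTypeVocab-1.1 and the XSD remains the authority.

```python
"""Tolerant consumer for STIX 1.2 Indicator/Type in its three allowed encodings.
Added editorial example; the sample package below is constructed, not real data."""
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
STIX_NS = "http://stix.mitre.org/stix-1"
INDICATOR_NS = "http://stix.mitre.org/Indicator-2"
STIX_VOCABS_NS = "http://stix.mitre.org/default_vocabularies-1"
DEFAULT_VOCAB_LOCAL = "IndicatorTypeVocab-1.1"

# Enumeration of IndicatorTypeVocab-1.1 as transcribed by the editor from
# stix_default_vocabularies.xsd; the schema, not this set, is authoritative.
INDICATOR_TYPE_VOCAB_1_1 = frozenset({
    "Malicious E-mail", "IP Watchlist", "File Hash Watchlist", "Domain Watchlist",
    "URL Watchlist", "Malware Artifacts", "C2", "Anonymization", "Exfiltration",
    "Host Characteristics", "Compromised PKI Certificate", "Login Name",
    "IMEI Watchlist", "IMSI Watchlist",
})

# Constructed sample: one Indicator per encoding style, plus the failure mode
# (indicator-2 claims the default vocabulary but uses a value it does not define).
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:example="http://example.com/" id="example:package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Typosquat</indicator:Type>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-3" xsi:type="indicator:IndicatorType">
      <indicator:Type vocab_name="ExampleIndicatorTypeVocab"
          vocab_reference="http://example.com/vocabs/indicator-type">Typosquat</indicator:Type>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-4" xsi:type="indicator:IndicatorType">
      <indicator:Type>whatever the analyst typed</indicator:Type>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""


def prefix_map(xml_bytes):
    """Collect prefix -> namespace URI bindings. xsi:type holds a QName, so the
    prefix must be resolved against declarations in scope, not compared as text."""
    bindings = {}
    for _, (prefix, uri) in ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns",)):
        bindings[prefix] = uri
    return bindings


def classify_type_element(type_el, prefixes):
    """Return (style, value, ok) for one indicator:Type element.
    style is 'default-vocab', 'custom-vocab' or 'free-string'. ok is False only
    when the element claims IndicatorTypeVocab-1.1 but its value is not in it,
    which is exactly the case a schema-validating consumer rejects."""
    value = (type_el.text or "").strip()
    xsi_type = type_el.get(f"{{{XSI}}}type")
    if xsi_type:
        prefix, _, local = xsi_type.rpartition(":")
        if prefixes.get(prefix) == STIX_VOCABS_NS and local == DEFAULT_VOCAB_LOCAL:
            return ("default-vocab", value, value in INDICATOR_TYPE_VOCAB_1_1)
        # A vocabulary type we do not know (type extension): keep the value, do not reject.
        return ("custom-vocab", value, True)
    if type_el.get("vocab_name") or type_el.get("vocab_reference"):
        return ("custom-vocab", value, True)
    return ("free-string", value, True)


def classify_package(xml_bytes=SAMPLE_XML):
    """Map each stix:Indicator id to the classification of its Type element."""
    prefixes = prefix_map(xml_bytes)
    root = ET.fromstring(xml_bytes)
    result = {}
    for ind in root.iter(f"{{{STIX_NS}}}Indicator"):
        type_el = ind.find(f"{{{INDICATOR_NS}}}Type")
        if type_el is None:
            result[ind.get("id")] = ("missing", None, True)
        else:
            result[ind.get("id")] = classify_type_element(type_el, prefixes)
    return result


if __name__ == "__main__":
    for ind_id, (style, value, ok) in classify_package().items():
        print(f"{ind_id}: {style:<13} {'ok' if ok else 'INVALID'}  {value!r}")
```

Running it shows indicator-2 as the only INVALID entry: it is the one encoding a producer should avoid when emitting user-typed values, since an "Other" annotation does not exist in the 1.1 vocabulary. Emitting a bare string (indicator-4) or a custom vocabulary (indicator-3) keeps the document schema-valid; what a consumer does with a value it does not recognise is then a product decision, not a parse failure.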