[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] Re: Observable Patterning
>- Human readable
Agreed.
>- Machine friendly (parsing/computation, algorithmically friendly)
Agreed.
>- Data graph friendly
Not so sure on this one.
While I agree that STIX/TAXII querying (wherever it ends up) is inherently graph-based, I don’t believe the same is true for Indicator patterning. The main difference is that, in my view, the majority of Indicator patterns are meant to be parsed and executed against data that is inherently flat – lists of files, lists of processes, lists of IP addresses, etc. Thus while the two may overlap in certain places, I’d be very hesitant about overloading an Indicator patterning structure to support graph based querying, though perhaps it could be extended to do so. Again, I think a primary focus here should be to keep Indicator patterns SIMPLE, so that they can easily be written and consumed by analysts.
Regards,
Ivan
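To make the "flat data" point above concrete, here is an added illustration that is not part of the thread and not drawn from any STIX or CybOX specification: a small evaluator for a flat indicator pattern (field, operator, value, joined with AND/OR, AND binding tighter) applied record by record to a constructed list of file, process and address observations. The `type:field` prefix convention, the operator set and the sample records are assumptions of this example. Each comparison inspects a single record, so no joins or graph traversal are needed; that is exactly what keeps the flat case simple to write and to execute.

```python
"""Flat indicator-pattern evaluator (constructed example, not from the list thread)."""
import re
from typing import Any, Callable, Dict, List

Observation = Dict[str, Any]
Predicate = Callable[[Observation], bool]

# Tokens are either a single-quoted string (may contain spaces) or a bare word.
_TOKEN = re.compile(r"'[^']*'|\S+")
_OPS = {"=", "!=", "MATCHES"}


def _parse_value(tok: str) -> Any:
    """Quoted tokens are strings; anything else must be an integer literal."""
    if len(tok) >= 2 and tok.startswith("'") and tok.endswith("'"):
        return tok[1:-1]
    return int(tok)


def _compare(field: str, op: str, value: Any) -> Predicate:
    """Build a predicate over ONE record; 'type:key' restricts the record type (assumed convention)."""
    if op not in _OPS:
        raise ValueError(f"unsupported operator {op!r}")
    obj_type, _, key = field.rpartition(":")  # no prefix -> obj_type == ""

    def pred(obs: Observation) -> bool:
        if obj_type and obs.get("type") != obj_type:
            return False
        if key not in obs:
            return False
        actual = obs[key]
        if op == "=":
            return actual == value
        if op == "!=":
            return actual != value
        return re.search(str(value), str(actual)) is not None  # MATCHES

    return pred


def parse(pattern: str) -> Predicate:
    """expr := term ('OR' term)* ; term := cmp ('AND' cmp)* ; cmp := FIELD OP VALUE"""
    tokens = _TOKEN.findall(pattern)
    pos = 0

    def cmp() -> Predicate:
        nonlocal pos
        if pos + 3 > len(tokens):
            raise ValueError("incomplete comparison at end of pattern")
        field, op, value = tokens[pos:pos + 3]
        pos += 3
        return _compare(field, op, _parse_value(value))

    def term() -> Predicate:
        nonlocal pos
        preds = [cmp()]
        while pos < len(tokens) and tokens[pos].upper() == "AND":
            pos += 1
            preds.append(cmp())
        return lambda obs: all(p(obs) for p in preds)

    def expr() -> Predicate:
        nonlocal pos
        preds = [term()]
        while pos < len(tokens) and tokens[pos].upper() == "OR":
            pos += 1
            preds.append(term())
        return lambda obs: any(p(obs) for p in preds)

    result = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return result


def match(pattern: str, observations: List[Observation]) -> List[Observation]:
    """Run the pattern independently over every flat record; no cross-record state."""
    pred = parse(pattern)
    return [o for o in observations if pred(o)]


# Constructed sample data: TEST-NET address, MD5 of the empty string, made-up names.
SAMPLE_OBSERVATIONS: List[Observation] = [
    {"type": "file", "name": "svchost.exe", "hashes.md5": "9a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d"},
    {"type": "file", "name": "update.exe", "hashes.md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "process", "name": "cmd.exe", "pid": 4242, "command_line": "cmd.exe /c whoami"},
    {"type": "ipv4-addr", "value": "198.51.100.7"},
]

if __name__ == "__main__":
    p = "process:command_line MATCHES 'whoami' OR ipv4-addr:value = '198.51.100.7'"
    for hit in match(p, SAMPLE_OBSERVATIONS):
        print(hit)
```

Anything that needs two records at once (a process *that opened* a file, a file *downloaded from* an address) cannot be expressed here without adding joins, which is the graph-shaped capability the message above argues should stay out of the core pattern language.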
From: Jerome Athias
Date: Saturday, September 26, 2015 at 12:38 PM
To: Patrick Maroney
Cc: Terry MacDonald, "cti@lists.oasis-open.org", Ivan Kirillov
Subject: Re: [cti] Re: Observable Patterning

So should we try to capture the requirements in one place for this change request?
Quickly:
- Human readable
- Machine friendly (parsing/computation, algorithmically friendly)
- Data graph friendly
2015-09-26 17:57 GMT+03:00 Patrick Maroney <Pmaroney@specere.org>: