Subject: Re: [cti] Re: Observable Patterning
Comments inline
From: <cti@lists.oasis-open.org> on behalf of Steve Cell <ikirillov@mitre.org>
Date: Monday, September 28, 2015 at 9:36 AM
To: Jerome Athias <athiasjerome@gmail.com>, Patrick Maroney <Pmaroney@Specere.org>
Cc: Terry MacDonald <terry.macdonald@threatloop.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: Observable Patterning

> - Human readable
Agreed.
[sean] As human readable as possible, I would agree with.
> - Machine friendly (parsing/computation, algorithmically friendly)
Agreed.
[sean] Agree
> - Data graph friendly
Not so sure on this one.
While I agree that STIX/TAXII querying (wherever it ends up) is inherently graph-based, I don’t believe the same is true for Indicator patterning. The main difference is that, in my view, the majority of Indicator patterns are meant to be parsed and executed against data that is inherently flat – lists of files, lists of processes, lists of IP addresses, etc. Thus while the two may overlap in certain places, I’d be very hesitant about overloading an Indicator patterning structure to support graph based querying, though perhaps it could be extended to do so. Again, I think a primary focus here should be to keep Indicator patterns SIMPLE, so that they can easily be written and consumed by analysts.
[sean] I would agree with Ivan here that we may be mixing up topics again by assuming that patterning needs are all the same for observables, indicators, COA parameters, infrastructure characterization, affected software characterization, victim targeting characterization, and for gross-level querying for STIX content. I think there may be inherent differences in expressing patterns IN the content and expressing patterns ON the content. The latter certainly seems to have value in considering graph-based capabilities. The former might, but it is far less clear.
Regards,
Ivan
From: Jerome Athias
Date: Saturday, September 26, 2015 at 12:38 PM
To: Patrick Maroney
Cc: Terry MacDonald, "cti@lists.oasis-open.org", Ivan Kirillov
Subject: Re: [cti] Re: Observable Patterning

So should we try to capture the requirements in one place for this change request?
Quickly:
- Human readable
- Machine friendly (parsing/computation, algorithmically friendly)
- Data graph friendly
2015-09-26 17:57 GMT+03:00 Patrick Maroney <Pmaroney@specere.org>:
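As an added illustration (not part of this thread, and not STIX or CybOX patterning syntax) of what "executing a pattern against flat data" means in practice: a small constructed pattern mini-language is parsed and evaluated against flat lists of files, processes and IP addresses. Every observation, the grammar, the operators and the clause-combination rule are assumptions made for this example only.

```python
"""Added example (not from the thread): evaluate simple indicator patterns
against flat observation lists. The pattern grammar is constructed for
illustration and is NOT the STIX patterning language."""
import ipaddress
import re

# Constructed sample data: flat lists, one dict per observed object.
OBSERVED = [
    {"type": "file", "name": "invoice.pdf.exe", "sha256": "a" * 64, "size": 48213},
    {"type": "file", "name": "report.docx", "sha256": "b" * 64, "size": 9931},
    {"type": "process", "name": "powershell.exe", "pid": 4242, "parent": "winword.exe"},
    {"type": "ipv4-addr", "value": "203.0.113.7"},
    {"type": "ipv4-addr", "value": "192.0.2.44"},
]

# Constructed mini-grammar:
#   clause  := <type>:<field> <op> '<value>'
#   op      := '=' | '!=' | 'MATCHES' | 'IN'
#   pattern := clause ( ('AND' | 'OR') clause )*
# MATCHES applies a regular expression; IN tests an address against a CIDR block.
# Clauses combine left to right with no precedence (kept simple on purpose).
CLAUSE_RE = re.compile(r"^\s*([\w-]+):(\w+)\s+(=|!=|MATCHES|IN)\s+'([^']*)'\s*$")


def parse_pattern(text):
    """Parse a pattern string into a list of (joiner, type, field, op, value)."""
    tokens = re.split(r"\s+(AND|OR)\s+", text)
    clauses = []
    joiner = None
    for tok in tokens:
        if tok in ("AND", "OR"):
            joiner = tok
            continue
        m = CLAUSE_RE.match(tok)
        if not m:
            raise ValueError(f"bad clause: {tok!r}")
        obj_type, field, op, value = m.groups()
        clauses.append((joiner, obj_type, field, op, value))
    return clauses


def clause_matches(obj, field, op, value):
    """Does one flat observed object satisfy a single comparison?"""
    actual = obj.get(field)
    if actual is None:
        return False
    if op == "=":
        return str(actual) == value
    if op == "!=":
        return str(actual) != value
    if op == "MATCHES":
        return re.search(value, str(actual)) is not None
    if op == "IN":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value)
    raise ValueError(f"unknown operator {op!r}")


def evaluate(pattern, observed):
    """Return (matched, hits): a clause is true if ANY object of its type
    satisfies it; hits collects every object that satisfied some clause."""
    result = None
    hits = []
    for joiner, obj_type, field, op, value in parse_pattern(pattern):
        matching = [o for o in observed
                    if o["type"] == obj_type and clause_matches(o, field, op, value)]
        hits.extend(matching)
        clause_true = bool(matching)
        if result is None:
            result = clause_true
        elif joiner == "AND":
            result = result and clause_true
        else:
            result = result or clause_true
    return result, hits


if __name__ == "__main__":
    pat = "file:name MATCHES '\\.pdf\\.exe$' AND process:name = 'powershell.exe'"
    matched, hits = evaluate(pat, OBSERVED)
    print(matched, [h["name"] for h in hits])
```

Note that nothing here needs a graph: each clause is a scan over one flat list, which is the point Ivan makes above. A pattern that had to relate objects to each other (for example "this process wrote that file") would need references between objects, which is where graph-oriented querying starts to matter.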