[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] Kinds of Sources
Hm I think see, yeah.
I’d just reword that last one to make it clear that you’re talking about a source association, not just any relationship between STIX objects. I seems to me like an incident pointing to a CVE isn’t really a source relationship….it’d be more like one report
to another report (or one indicator to another indicator, or an indicator to a report, etc).
From: Rich Piazza <rpiazza@mitre.org>
Date: Thursday, February 4, 2016 at 2:26 PM To: "Wunder, John A." <jwunder@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Subject: RE: [cti] Kinds of Sources Comments below: From:
cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org]
On Behalf Of Wunder, John A. Maybe you want something like “reviewed”? Are the there organizations that will accept an intel stream, review it for…something?…and then
pass that along and note that? Or is that more of this opinion/assertion object? This seems like one of the “chain” use case from Bret. I think this would be handled by relationships. For the “reference” item in Rich’s list, I’d say that could be to either a STIX or to a non-STIX item. I also suspect in most cases this
will be an actual content object rather than just an identity. I was hoping to make a distinction between references to non-STIX objects, and my last bullet – source associations between STIX objects, which I was thinking
would be handled by relationships. |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]