Re: [cti] Kinds of Sources

["Wunder, John A." <jwunder@mitre.org>]

Hm I think see, yeah.

I’d just reword that last one to make it clear that you’re talking about a source association, not just any relationship between STIX objects. I seems to me like an incident pointing to a CVE isn’t really a source relationship….it’d be more like one report to another report (or one indicator to another indicator, or an indicator to a report, etc).

From: Rich Piazza <rpiazza@mitre.org>
Date: Thursday, February 4, 2016 at 2:26 PM
To: "Wunder, John A." <jwunder@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: RE: [cti] Kinds of Sources

Comments below:

 

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Wunder, John A.
Sent: Thursday, February 04, 2016 2:18 PM
To: cti@lists.oasis-open.org
Subject: Re: [cti] Kinds of Sources

 

Maybe you want something like “reviewed”? Are the there organizations that will accept an intel stream, review it for…something?…and then pass that along and note that? Or is that more of this opinion/assertion object?

 

This seems like one of the “chain” use case from Bret.  I think this would be handled by relationships.

 

For the “reference” item in Rich’s list, I’d say that could be to either a STIX or to a non-STIX item. I also suspect in most cases this will be an actual content object rather than just an identity.

 

I was hoping to make a distinction between references to non-STIX objects, and my last bullet – source associations between STIX objects, which I was thinking would be handled by relationships.