Re: [cti] Kinds of Sources

["Barnum, Sean D." <sbarnum@mitre.org>]

Great conversation everyone.

Just wanted to let you know that this is not stagnating.

I am back from the SANS CTI Summit and working on catching up, trying to figure out how to make progress on these issues and pulling together normative text where we can.

I am doing a lot of thinking and talking with some folks on this issue in particular.

It is looking like the issue of source, the issue of external_ids and next weeks main focus of identity-based objects are all beginning to coalesce together to some degree. I think solving any one of them in a good way will likely involve finding a way to solve all of them coherently.

I should have some thoughts out soon on this that I hope might move us forward.

sean

From: <cti@lists.oasis-open.org> on behalf of "ppatrick@isightpartners.com" <ppatrick@isightpartners.com>
Date: Thursday, February 4, 2016 at 8:41 PM
To: Rich Piazza <rpiazza@mitre.org>
Cc: John Wunder <jwunder@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Kinds of Sources

Comments inline

Sent from my iPhone

On Feb 4, 2016, at 1:26 PM, Piazza, Rich <rpiazza@mitre.org> wrote:

Comments below:

 

From:cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Wunder, John A.
Sent: Thursday, February 04, 2016 2:18 PM
To: cti@lists.oasis-open.org
Subject: Re: [cti] Kinds of Sources

 

Maybe you want something like “reviewed”? Are the there organizations that will accept an intel stream, review it for…something?…and then pass that along and note that? Or is that more of this opinion/assertion object?

 

This seems like one of the “chain” use case from Bret.  I think this would be handled by relationships.

Paul> I would agree that this would be in a chain

 

For the “reference” item in Rich’s list, I’d say that could be to either a STIX or to a non-STIX item. I also suspect in most cases this will be an actual content object rather than just an identity.

 

I was hoping to make a distinction between references to non-STIX objects, and my last bullet – source associations between STIX objects, which I was thinking would be handled by relationships.