

Subject: RE: Are we following the F2F process?


Hi Terry and John,

 

Sean and I are putting together a status page for the current tranche – see https://github.com/STIXProject/specifications/wiki/Indicator-Tranche-Working-Page

 

I’m adding columns, including one for the github issues.  I’d like to include links to the latest TWIGS write-ups for each topic.

 

Where is the latest TWIGS stuff?

 

                Rich

 

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Terry MacDonald
Sent: Friday, February 12, 2016 1:43 AM
To: cti@lists.oasis-open.org
Subject: [cti] Are we following the F2F process?

 

I have a question. I was thinking about this earlier today. I understood that the agreement at the last face-2-face meeting was that TWIGS was going to be used as the general basis for STIX v2.0, and that we would then go through the sections one by one to determine if there were improvements that could be made, and that we could reach consensus.  I cannot comment as I was unable to attend the F2F. Can anyone confirm my understanding is correct?

 

If so, then this doesn’t appear to have been reflected in the proposed normative texts that I’ve seen. Don’t get me wrong – I believe that the recent progress has been excellent, but I am worried that the process to create the initial content of the current proposals we are seeing isn’t following this agreement.

 

If TWIGS were going to be the base, wouldn’t we point to the section within the TWIGS document (so people can see how it all fits together in the whole context of TWIGS), move the TWIGS section over to the CTI/STIX document, convert it to normative statements, and then whoever wishes can propose whatever changes they would like to see to that normative text?

 

If my understanding as to the agreement formed at the F2F is incorrect, please correct me and I’ll get back in my box :).

 

Note: This is not directed at anyone in particular. This is directed at all of us in the community that produce proposals. I am only enquiring if as a group we are correctly following the process agreed at the F2F.

 

Anyone have answers?

 

Cheers

 

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com

 

 

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Barnum, Sean D.
Sent: Friday, 12 February 2016 2:18 AM
To: cti@lists.oasis-open.org
Subject: [cti] Proposed normative text available for Report object refactoring - (Goal: Reach official consensus by Monday)

 

Refactoring of the Report object based on our breaking out of relationships is one of the issues that we seem to have general consensus on but have not yet agreed to normative text.

 

Proposed normative text is now available for your review in the STIX 2.0 Specification Pre-draft document.

It is fairly straightforward and should not take long to consider.

Please review the normative text and add comments to the document for any concerns, questions or ideas you may have.

If we do not see any significant concerns/objections to the normative text by Monday we will consider this issue to have officially achieved consensus and move on to others.

 

For the quick convenience of anyone having difficulty accessing the live specification pre-draft document the relevant text is included below.

 

 

 

Report Object

The Report Object is a mechanism for relating a collection of STIX TLOs together according to some shared context.  

Inherited Fields

The Indicator object would inherit the CTI Core Properties and the CTI Descriptive Properties.

Proposed Fields

 

| Property Name | Type | Description |
|---|---|---|
| intents (required) | array of type report-intent-type | Specifies the intended purposes or uses of this Report. |
| intents_ext (optional) | array of type vocab-ext | Specifies alternate intended purposes or uses of this Report. |

 

Example (using only created_by_ref for brevity)

{
 "type": "package",
 "id": "package--44af6c39-c09b-49c5-9de2-394224b04982",
 "sources": [
   {
     "type": "identity",
     "id": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
     "name": "Symantec"
   }
 ],
 "reports": [
   {
     "type": "report",
     "id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
     "created_at": "2015-12-21T19:59:11.000000+00:00",
     "title": "The Black Vine Cyberespionage Group",
     "description": "A simple report with an indicator, campaign and a relationship between them",
     "intents": ["Threat Report"],
     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
   }
 ],
 "indicators": [
   {
     "type": "indicator",
     "id": "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
     "created_at": "2015-12-21T19:59:17.000000+00:00",
     "title": "Some indicator",
     "indicator_types": ["IP Watchlist"],
     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
   }
 ],
 "campaigns": [
   {
     "type": "campaign",
     "id": "campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
     "created_at": "2015-12-21T19:59:17.000000+00:00",
     "title": "Some Campaign",
     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
   }
 ],
 "relationships": [
   {
     "type": "relationship",
     "id": "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
     "created_at": "2015-12-21T19:59:17.000000+00:00",
     "from": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
     "to": "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
     "relationship_nature": "Report Contains",
     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
   },
   {
     "type": "relationship",
     "id": "relationship--72f666b6-f1db-4b2c-82e3-71ab49a84be1",
     "created_at": "2015-12-21T19:59:17.000000+00:00",
     "from": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
     "to": "campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
     "relationship_nature": "Report Contains",
     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
   },
   {
     "type": "relationship",
     "id": "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
     "created_at": "2015-12-21T19:59:17.000000+00:00",
     "from": "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
     "to": "campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
     "relationship_nature": "Related Campaign",
     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
   },
   {
     "type": "relationship",
     "id": "relationship--a05d8c6a-ccea-4a0a-a8e0-68dfe85fbfa9",
     "created_at": "2015-12-21T19:59:17.000000+00:00",
     "from": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
     "to": "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
     "relationship_nature": "Report Contains",
     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
   }
 ]
}
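Added example, not part of the original messages or of the STIX specification: a consumer-side integrity check for a package laid out like the one quoted above, where a Report is tied to its contents only through separate relationship objects. The field names come from the quoted example; the helper names, the sample ids, and the rule that every reference must resolve inside the same package are assumptions made for illustration.

```python
def uid(kind, n):
    # Constructed placeholder ids in the "<type>--<uuid>" shape used above.
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"

IDENT, REPORT, IND, REL = (uid("identity", 1), uid("report", 2),
                           uid("indicator", 3), uid("relationship", 4))

# Constructed sample package with three deliberate defects (not real data).
SAMPLE = {
    "type": "package",
    "id": uid("package", 0),
    "sources": [{"type": "identity", "id": IDENT, "name": "Example Org"}],
    "reports": [{"type": "report", "id": REPORT, "created_by_ref": IDENT}],  # no intents
    "indicators": [{"type": "indicator", "id": IND, "created_by_ref": IDENT}],
    "relationships": [
        {"type": "relationship", "id": REL, "from": REPORT, "to": IND,
         "relationship_nature": "Report Contains", "created_by_ref": IDENT},
        # Reuses the id above and points at a campaign the package does not carry.
        {"type": "relationship", "id": REL, "from": IND, "to": uid("campaign", 9),
         "relationship_nature": "Related Campaign", "created_by_ref": IDENT},
    ],
}

def check_package(pkg):
    """Return integrity problems found in a package laid out like the example above."""
    problems, seen = [], set()
    # Every top-level list of objects is scanned, whatever its key is called.
    objects = [o for v in pkg.values() if isinstance(v, list) for o in v]
    for obj in objects:
        oid = obj.get("id", "")
        if oid in seen:
            problems.append(f"duplicate id: {oid}")
        seen.add(oid)
        if oid.split("--")[0] != obj.get("type"):
            problems.append(f"id prefix does not match type: {oid}")
    for obj in objects:
        # The proposed table marks intents as required on a Report.
        if obj.get("type") == "report" and not obj.get("intents"):
            problems.append(f"report without intents: {obj.get('id')}")
        # Assumption: references must resolve to an object in the same package.
        for field in ("from", "to", "created_by_ref"):
            if field in obj and obj[field] not in seen:
                problems.append(f"unresolved {field}: {obj[field]}")
    return problems

if __name__ == "__main__":
    for problem in check_package(SAMPLE):
        print(problem)
```

Running a check like this before ingesting a package keeps a report from silently losing contents when a relationship id collides or a target is missing.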

 


