Sending this to the broader CTI list since it’s part of the STIX/CybOX Indicator tranche.
Here’s a summary of the status of the refactoring of the most commonly used CybOX Objects (based on CTI-stats). Please let us know if you don’t agree with the consensus status for Address and File, and also if you have any input on their open questions.
- Address Object
- Artifact Object
  - Not discussed yet
  - May require some changes
- Domain Name
  - Not discussed yet
  - Likely requires very little in the way of changes
- Email Message
  - Not discussed yet
  - May require some changes; we’re considering creating a base “Message” Object for use in Email Message as well as SMS Message
- File Object
  - Proposal: https://github.com/CybOXProject/schemas/wiki/CybOX-3.0:-File-Object-Refactoring
  - Consensus largely reached
  - Open questions:
    - Are there any additional properties that belong in the base set of properties or basic set of file system properties?
    - Which default extensions should be included with the Object?
      - Current proposed list:
        - File Metadata
        - EXT3 File
        - NTFS File
        - Image File (based on existing Image File Object)
        - PDF File (based on existing PDF File Object)
        - Archive File (based on existing Archive File Object)
        - PE Binary File (based on existing Windows Executable File Object)
- Hostname
  - Not discussed yet
  - Likely requires very little in the way of changes
- HTTP Session
  - Not discussed yet
  - May require some significant refactoring, related to the refactoring of Network Connection
- Link
  - Not discussed yet
  - Likely requires very little in the way of changes
- Memory
  - Not discussed yet
  - May require some changes
- Mutex
  - Not discussed yet
  - Likely requires very little in the way of changes
- Network Connection
  - Not discussed yet; proposal forthcoming
  - May require significant refactoring
- PDF File
  - Not discussed yet
  - May require some changes; likely to be included as an extension of the File Object
- Port
  - Not discussed yet
  - Likely requires very little in the way of changes
- URI
  - Not discussed yet
  - Likely requires very little in the way of changes
- WhoIS
  - Not discussed yet
  - May require some changes
- Windows Executable File
- Windows Registry Key
  - Not discussed yet
  - Likely requires very little in the way of changes
Accordingly, I would propose grouping and timeboxing the refactoring discussions as follows:
- Network Object Refactoring – Network Connection and HTTP Session
- Messaging Object Refactoring – Email Message and SMS Message
- Other Atomic Network Object Refactoring – Domain Name, Hostname, Port, URI, and Link
- Host Object Refactoring – Windows Executable File, Windows Registry Key, PDF File, and Mutex
- Other Object Refactoring – WhoIS and Artifact
Regards,
Ivan