OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti] Update from STIX Package renaming Mini-Group

As discussed on the call today I would like to propose that we add an identifier attribute for the bundle so that it can be tracked.

  "type": "bundle",
  "spec_version": "stix-2.0”,
  “id”: “bundle--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
  "indicators": [
      "type": "indicator",
      "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created_time": "2016-04-29T14:09:00.123456Z",
      "revision": 1,
      "modified_time: "2016-04-29T14:09:00.123456Z",
      "object_marking_refs": ["marking-definition--089a6ecb-cc15-43cc-9494-767639779123"],
      "title": "Poison Ivy Malware",
      "description": "This file is part of Poison Ivy",
      "pattern": "file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3'"
    "type": "marking-definition",
    "id": "marking-definition--089a6ecb-cc15-43cc-9494-767639779123",
    "created_time": "2016-02-19T09:11:01Z",
    "definition_type": "tlp",
    "definition": {
      "tlp": "GREEN"

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Mark Davidson <mdavidson@soltra.com>
Date: Friday, April 29, 2016 at 9:56 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Update from STIX Package renaming Mini-Group


Here is a quick update from the STIX Package name mini-group. The mini group is proposing:
  • Renaming STIX-Package to STIX-Bundle
  • STIX-bundle is simply a transport container
  • STIX-Bundle is a grouping of STIX content that isn’t required to be related (it MIGHT be related, but being in the same bundle doesn’t mean it’s related)
  • Removing all TLO Common Properties (with an open question about Data Markings)
    • Removed properties: id, created_by_ref, created_time, revision, modified_time, revoked, revision_comment, confidence, object_markings_refs, granular_markings
  • STIX-Bundle will keep the `spec_version` property
  • All content in the bundle MUST be the same STIX version (identified by spec_version)
There is an open question about whether Data Markings should be in the STIX-Bundle. Arguments for keeping it are:
  • The group seemed to have consensus that Bundle-level markings were desired, but evidence was difficult for the mini-group to find.
  • Certain sharing communities would appreciate the simplicity of package marking.
  • It makes objects look smaller and is more natural for people who are new to the specs
Arguments for removing it are:
  • Data Marking at the bundle level is “two ways of doing things” - on-the-object markings and on-the-bundle markings
  • TLO signatures will not be valid when the Bundle-level markings are used

Thank you.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]