Re: [cti] Update from STIX Package renaming Mini-Group

On May 3, 2016, at 10:08, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

Open question - adding an identifier "so that it can be tracked", implies that it SHOULD be tracked.

As an implementer - why do I need to track bundles, as all a bundle is is a whole bunch of content that may or may not be related?

I would argue that we should not encourage the storage or tracking of the bundle structure, and therefore they should not have IDs.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

<graycol.gif>Allan Thomson ---05/03/2016 12:23:49 PM---As discussed on the call today I would like to propose that we add an identifier attribute for the b

From: Allan Thomson <athomson@lookingglasscyber.com>
To: Mark Davidson <mdavidson@soltra.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 05/03/2016 12:23 PM
Subject: Re: [cti] Update from STIX Package renaming Mini-Group
Sent by: <cti@lists.oasis-open.org>

As discussed on the call today I would like to propose that we add an identifier attribute for the bundle so that it can be tracked.

{
"type": "bundle",
"spec_version": "stix-2.0”,
“id”: “bundle--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
"indicators": [
{
"type": "indicator",
"id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_time": "2016-04-29T14:09:00.123456Z",
"revision": 1,
"modified_time: "2016-04-29T14:09:00.123456Z",
"object_marking_refs": ["marking-definition--089a6ecb-cc15-43cc-9494-767639779123"],
"title": "Poison Ivy Malware",
"description": "This file is part of Poison Ivy",
"pattern": "file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3'"
}
],
{
"type": "marking-definition",
"id": "marking-definition--089a6ecb-cc15-43cc-9494-767639779123",
"created_time": "2016-02-19T09:11:01Z",
"definition_type": "tlp",
"definition": {
"tlp": "GREEN"
}
}
}

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Mark Davidson <mdavidson@soltra.com>
Date: Friday, April 29, 2016 at 9:56 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Update from STIX Package renaming Mini-Group

All,

Here is a quick update from the STIX Package name mini-group. The mini group is proposing:
Renaming STIX-Package to STIX-Bundle
STIX-bundle is simply a transport container
STIX-Bundle is a grouping of STIX content that isn’t required to be related (it MIGHT be related, but being in the same bundle doesn’t mean it’s related)
Removing all TLO Common Properties (with an open question about Data Markings)
Removed properties: id, created_by_ref, created_time, revision, modified_time, revoked, revision_comment, confidence, object_markings_refs, granular_markings

STIX-Bundle will keep the `spec_version` property
All content in the bundle MUST be the same STIX version (identified by spec_version)
There is an open question about whether Data Markings should be in the STIX-Bundle. Arguments for keeping it are:
The group seemed to have consensus that Bundle-level markings were desired, but evidence was difficult for the mini-group to find.
Certain sharing communities would appreciate the simplicity of package marking.
It makes objects look smaller and is more natural for people who are new to the specs
Arguments for removing it are:
Data Marking at the bundle level is “two ways of doing things” - on-the-object markings and on-the-bundle markings
TLO signatures will not be valid when the Bundle-level markings are used

Thank you.
-Mark

cti message