OASIS Mailing List Archives

cti message


Subject: Re: [cti] CybOX Containers in STIX

On 29.06.2016 15:25:59, Wunder, John A. wrote:
> Observation: https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.b2frlbuolfj

Please remind me why the `cybox` field is optional on a STIX
Observation. Seems like an Observation without a CybOX payload is

> Sighting: https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.k017w16zutw

Looks good to me.

> Note that everything in the “cybox” key will be defined by the CybOX
> specification. In CybOX, that type is currently defined here:
> https://docs.google.com/document/d/1PSGv6Uvo3YyrK354cH0cvdn7gGedbhYJkgNVzwW9E6A/edit#heading=h.2p8taumnmgqi

If we go with directly embedding CybOX in the STIX Observation, then
that CybOX type definition will have to change. We may do away with
the CybOX Container (née ArgleBargle) altogether but we should still
define in CybOX what are the allowable top-level keys inside of a STIX
Observation's `cybox` field; currently this would be:

  * `objects` => array of type cybox-object (optional)
  * `actions` => array of type cybox-action (optional)

Does everyone agree that what is allowable inside the STIX
Observation's `cybox` field gets defined over in CybOX land?

Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4  5B9B B30D DD6E 62C8 6C1D
"It is easier to move a problem around (for example, by moving the
problem to a different part of the overall network architecture) than
it is to solve it." --RFC 1925
