Subject: Re: [cti] CybOX Containers in STIX
On 29.06.2016 15:25:59, Wunder, John A. wrote:
> Observation: https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.b2frlbuolfj
>

Please remind me why the `cybox` field is optional on a STIX Observation. Seems like an Observation without a CybOX payload is pointless.

> Sighting: https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.k017w16zutw
>

Looks good to me.

> Note that everything in the “cybox” key will be defined by the CybOX
> specification. In CybOX, that type is currently defined here:
> https://docs.google.com/document/d/1PSGv6Uvo3YyrK354cH0cvdn7gGedbhYJkgNVzwW9E6A/edit#heading=h.2p8taumnmgqi
>

If we go with directly embedding CybOX in the STIX Observation, then that CybOX type definition will have to change. We may do away with the CybOX Container (née ArgleBargle) altogether but we should still define in CybOX what are the allowable top-level keys inside of a STIX Observation's `cybox` field; currently this would be:

* `objects` => array of type cybox-object (optional)
* `actions` => array of type cybox-action (optional)

Does everyone agree that what is allowable inside the STIX Observation's `cybox` field gets defined over in CybOX land?

--
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"It is easier to move a problem around (for example, by moving the problem to a different part of the overall network architecture) than it is to solve it." --RFC 1925