OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti] Relationship object - name property

I feel like we can get rid of name, since relationship_type will cover that.


I would prefer to keep “description”. A lot of relationships will be analyst-generated and it would be nice to be able to have some narrative text further explaining them. As an example, if a threat-actor is related to another threat-actor you could explain how they’re related and provide some background beyond just saying they’re related (which is not super useful on its own).




From: Bret Jordan <bret.jordan@bluecoat.com>
Date: Wednesday, August 10, 2016 at 5:19 PM
To: "Wunder, John A." <jwunder@mitre.org>
Cc: Greg Back <gback@mitre.org>, Terry MacDonald <terry.macdonald@cosive.com>, Paul Patrick <Paul.Patrick@fireeye.com>, "Kemp, David P" <dpkemp@nsa.gov>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Relationship object - name property


If we go back to using "relationship_type", do we still need "name" and "description" ?








Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 


On Aug 10, 2016, at 15:15, Wunder, John A. <jwunder@mitre.org> wrote:


Unless anyone has any objections I’ll go through the documents tomorrow and make this update.

On 8/10/16, 5:14 PM, "Back, Greg" <gback@mitre.org> wrote:

   Agreed. There's also type, definition_type, and definition properties on marking-definition objects, so it's not unprecedented (and actually rather consistent).


-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of
Wunder, John A.
Sent: Wednesday, August 10, 2016 3:25 PM
To: Terry MacDonald <terry.macdonald@cosive.com>; Paul Patrick
Cc: Kemp, David P <dpkemp@nsa.gov>; cti@lists.oasis-open.org
Subject: Re: [cti] Relationship object - name property

Agreed. I think our reservations about having both “type” and
“relationship_type” are probably very minor compared to the extra clarity
this would bring.

From: <cti@lists.oasis-open.org> on behalf of Terry MacDonald
Date: Wednesday, August 10, 2016 at 4:19 PM
To: Paul Patrick <Paul.Patrick@fireeye.com>
Cc: "Kemp, David P" <dpkemp@nsa.gov>, "cti@lists.oasis-open.org"
Subject: Re: [cti] Relationship object - name property

That makes sense to me to change the field from name to relationship-type,
and would potentially help differentiate the SROs from the SDOs.

Terry MacDonald

On 9/08/2016 3:30 AM, "Paul Patrick" <Paul.Patrick@fireeye.com
<mailto:Paul.Patrick@fireeye.com> > wrote:

            For a relationship, I agree with David that ‘relationship-type’ would
be better than name

            Paul Patrick

            On 8/8/16, 11:17 AM, "cti@lists.oasis-open.org
<mailto:cti@lists.oasis-open.org>  on behalf of Kemp, David P"
<cti@lists.oasis-open.org <mailto:cti@lists.oasis-open.org>  on behalf of
dpkemp@nsa.gov <mailto:dpkemp@nsa.gov> > wrote:

               "Threat Actor A" and "Threat Actor B" are vertex unique identifiers
which (I assume) would be carried in the name field of those vertices.
"related-to" is a class of edge but does not identify a specific edge, so I'd
think that "label" or "relationship-type" is more appropriate than "name".

                Is an edge uniquely identified by anything other than two vertex
IDs?   If not, edges would not have names.


            This email and any attachments thereto may contain private,
confidential, and/or privileged material for the sole use of the intended
recipient. Any review, copying, or distribution of this email (or any
attachments thereto) by others is strictly prohibited. If you are not the
intended recipient, please contact the sender immediately and permanently
delete the original and any copies of this email and any attachments thereto.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]