Re: [cti] STIX RC3 - issues.

["Kirillov, Ivan A." <ikirillov@mitre.org>]

As Trey and John have pointed out, the use cases around extensions (which are an intrinsic part of the Cyber Observable Objects) vs. custom properties are different. Accordingly, we’ve tried to add text specifying when each should be used:

 

“””

Custom properties SHOULD be used for cases where it is necessary to add one or more simple additional properties on an Observable Object, with the expectation that these properties are unlikely to be standardized in the future. On the other hand, custom Object extensions SHOULD be used for cases where it is necessary to describe more complex additional properties (i.e., those with multiple potential levels of hierarchy) that may end up being standardized in the future. As an example, a property that expresses some custom threat score for a File Object should be added directly to the Observable Object as a custom property, whereas a set of properties that represent metadata necessary to add support for a new file system to the File Object should be done as a custom extension.

“””

 

I can see the need for allowing custom properties, but IMO we *must* continue supporting custom extensions to allow for the broad range of use cases we’ve envisioned for our Cyber Observable Objects. For example, as part of MAEC 5.0, we’ve developed a custom extension for the File Object that allows for the capture of AV classification results for said file. If custom extensions were not permitted, we would have to go and capture these results independently of the file, making life more difficult for both producers and consumers.

 

Regards,

Ivan

 

From: <cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Monday, November 14, 2016 at 6:41 AM
To: Eric Burger <Eric.Burger@georgetown.edu>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] STIX RC3 - issues.

 

Just wanted to respond to this…both of these approaches are new in 2.0 and therefore neither have any use yet.

 

From: <cti@lists.oasis-open.org>, Eric Burger <ewb25@georgetown.edu> on behalf of Eric Burger <Eric.Burger@georgetown.edu>
Date: Friday, November 11, 2016 at 7:39 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] STIX RC3 - issues.

 

Does anyone use the CybOX way? If not, you know what I will ask to deprecate.

 

On Nov 10, 2016, at 8:24 PM, Bret Jordan (CS) <Bret_Jordan@symantec.com> wrote:

 

I have noticed that Parts 3a/3b allow the Cyber Observables part to be extended in two ways.  Originally in STIX, if you wanted to add your own properties you could, via the Custom Properties feature.  CybOX did this a different way, and choose to do it via a Custom Extension.  Now that CybOX has been merged in to STIX, CybOX has inherited the ability to also do Custom Properties.  So now the Cyber Observable layer has two different and distinct ways that it can be extended..

 

Bret