OASIS Mailing List Archives



cti message


Subject: Re: [cti] Add last_seen to campaign and intrusion set

Seems to me someone pretty wise in such things had suggested adoption of ISO 8601 representations for time-stamp ranges in our "one-way-of-doing-things" Time-Stamp definitions?

Sorry, couldn't pass up one last opportunity to raise the "endlessly debated" time-stamp topic.

P.S. - I'm actually dead serious; if anyone wants to mount Rocinante* and charge the temporal representation windmill in my stead, the basis of the arguments for time stamp ranges is in the historical discourse. For the rest, please accept this good-natured "poke-in-the-eye" as just that. 😬

"Rocinante is not only Don Quixote's horse, but also his double: like Don Quixote, he is awkward, past his prime, and engaged in a task beyond his capacities"

On Tuesday, November 15, 2016, Wunder, John A. <jwunder@mitre.org> wrote:



One of the suggestions we discussed on the call today was the idea of adding a field “last_seen” to the campaign and intrusion set objects. Those objects currently have a “first_seen” field, which describes the first time activity related to them was observed…the suggestion is of course that you should be able to also describe the last time you saw activity related to that campaign/intrusion set.


One important concern is that we want to make sure the implication is NOT that having a “last_seen” field means the campaign is “over”. The producer would be saying “here’s the last time I saw X”, not “here’s the last time I saw X and I don’t expect to see it again”.


Are there any objections to this, or other considerations that we should think about when defining it? Adding a field this late in the game needs to be done carefully and we want to make sure we don’t add something we shouldn’t. Gary and Sarah, you two in particular have mentioned planned usage of campaign and intrusion set. Do you see any concerns with adding this field? And, I guess, do you see the value in adding it…would it be useful to have?


If we did add “last_seen”, we would also add “last_seen_precision” to capture the precision of the last_seen field per our rules about timestamps.





Campaign: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.pcpvfz4ik6d6

Intrusion Set: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.5ol9xlbbnrdn


