OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti] Add last_seen to campaign and intrusion set

John – thanks for sending this email.

 

I agree with the proposal to add last_seen and  also agree with the definition that last_seen is just the last time this entity was seen.

 

It does not implicitly or explicltly say that the entity is ‘over’ or ‘stopped operating’.

 

allan

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 9:35 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Add last_seen to campaign and intrusion set

 

All,

 

One of the suggestions we discussed on the call today was the idea of adding a field “last_seen” to the campaign and intrusion set objects. Those objects currently have a “first_seen” field, which describes the first time activity related to them was observed…the suggestion is of course that you should be able to also describe the last time you saw activity related to that campaign/intrusion set.

 

One important concern is that we want to make sure the implication is NOT that having a “last_seen” field means the campaign is “over”. The producer would be saying “here’s the last time I saw X”, not “here’s the last time I saw X and I don’t expect to see it again”.

 

Are there any objections to this, or other considerations that we should think about when defining it? Adding a field this late in the game needs to be done carefully and we want to make sure we don’t add something we shouldn’t. Gary and Sarah, you two in particular have mentioned planned usage of campaign and intrusion set. Do you see any concerns with adding this field? And, I guess, do you see the value in adding it…would it be useful to have?

 

If we did add “last_seen”, we would also add “last_seen_precision” to capture the precision of the last_seen field per our rules about timestamps.

 

Thanks,

John

 

Campaign: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.pcpvfz4ik6d6

Intrusion Set: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.5ol9xlbbnrdn

 

 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]