|This is the key question, and I would offer it is not up for the market to decide. We have to decide if we want a TLO or an attribute, and only a TLO or an attribute, to indicate the first / last time seen.|
I am leaning towards a TLO, because you do not really want to hack the underlying object, which should be independent of the observer, with an observation. However, I can be swayed.
I would suggest the problem of updating the campaign/intrusion_set object or the sighting object exists regardless of adding the field or not. As first_seen is duplicative of sighting attribute first_seen. So should an implementation create a sighting object each time they create a campaign or intrusion set? Currently the specification does not state one way or another either. Your question on whether a ‘user’ updates 1 object or 2 objects is really a product question on whether the product exposes the STIX model directly to the UI or attempts to abstract some of the model in preference to exposing a simpler UI/workflow to the user. I would say that what a user sees is a product question not a STIX exchange question. So the question should be, “is it easier for a product to be implemented to send 1 object or 2 objects when 1 attribute changes”. I would suggest in this specific case adding the last_seen attribute to campaign/intrusion_set is easier than always requiring sighting to be used for time-based observations of intelligence objects such as campaigns/intrusions_sets….etc. But if the community disagrees and we want consistent behavior for when a sighting object is created then we should remove first_seen from campaign/intrusion_set and *always* require sighting to be used for those time elements. As previously communicated, I’m not a fan of that approach as it seems extreme but is at least consistent.
Right but what happens when that user sees the next instance of that campaign.
Do they submit a revision and update the last_seen? Or submit a sighting? Or do both? It is two ways to communicate the same thing, that could get mid aligned if someone updated one but didn't do the other.
So as piece of software, which do you treat as the true "last seen", the sighting data, or the field?
And meanwhile, other users can *only* say they saw it using sighting, since they can't submit any revisions. So it seems like software would HAVE to treat that as source of truth, no?
Sent from my mobile device, please excuse any typos.
Allan Thomson --- Re: [cti] Add last_seen to campaign and intrusion set --- A sighting would seem unnecessary given that campaign and intrusion set already have the attributes for first_seen. If we want to remove first_seen from campaign/intrusion_set and solely rely on sighting to convey first_seen/last_seen in a consistent manner for all objects then that might work. But I was proposing a slightly more incremental approach than that. “Campaign by Threat Actor Group XXXX was originally started in Jan 2015 and we last saw the campaign used Aug 2016”. This is useful context. If you don’t know the information or don’t want to have to publish an update then you just state “Campaign by Threat Actor Group XXXX was originally started in Jan 2015” The former adds useful context and the later provides a little less. This is not a big ask. Just the ability to have some additional context without having to use sighting objects to represent this information.
I am confused on the purpose of this field - Isn't that the purpose of the sighting object?
And furthermore, since no one can update an object except it's creator - only they can update this last_seen field. So it will either stay stale forever, *or* they will constantly update their object whenever they see it, *and* submit a sighting? Or... ???
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<image001.gif>Sarah Kelley ---11/17/2016 03:03:27 PM---I’m mostly ambivalent about adding last_seen. I can see why it would be good to have, for instance i
From: Sarah Kelley <Sarah.Kelley@cisecurity.org>
To: "email@example.com" <firstname.lastname@example.org>
Date: 11/17/2016 03:03 PM
Subject: Re: [cti] Add last_seen to campaign and intrusion set
Sent by: <email@example.com>
I’m mostly ambivalent about adding last_seen. I can see why it would be good to have, for instance if the last time you saw an intrusion set was 3 years ago, you can possibly assume they’ve moved on. However, my concern would be how would you keep that field up to date? Would it be automatically updated via a sighting? Or would an analyst manually adjust it? Both? Because I can see why an analyst would want to be able to adjust that field, but what happens if they forget? Then it’s suddenly inaccurate, and if you’re basing any analysis on that field it’s now wrong.
Senior Cyber Threat Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
Follow us @CISecurityFrom: <firstname.lastname@example.org> on behalf of Allan Thomson <email@example.com>
Date: Tuesday, November 15, 2016 at 6:05 PM
To: "Wunder, John A." <firstname.lastname@example.org>, "email@example.com" <firstname.lastname@example.org>
Subject: Re: [cti] Add last_seen to campaign and intrusion setJohn – thanks for sending this email.I agree with the proposal to add last_seen and also agree with the definition that last_seen is just the last time this entity was seen. It does not implicitly or explicltly say that the entity is ‘over’ or ‘stopped operating’.allanFrom: "email@example.com" <firstname.lastname@example.org> on behalf of "Wunder, John" <email@example.com>
Date: Tuesday, November 15, 2016 at 9:35 AM
To: "firstname.lastname@example.org" <email@example.com>
Subject: [cti] Add last_seen to campaign and intrusion setAll,One of the suggestions we discussed on the call today was the idea of adding a field “last_seen” to the campaign and intrusion set objects. Those objects currently have a “first_seen” field, which describes the first time activity related to them was observed…the suggestion is of course that you should be able to also describe the last time you saw activity related to that campaign/intrusion set.One important concern is that we want to make sure the implication is NOT that having a “last_seen” field means the campaign is “over”. The producer would be saying “here’s the last time I saw X”, not “here’s the last time I saw X and I don’t expect to see it again”.Are there any objections to this, or other considerations that we should think about when defining it? Adding a field this late in the game needs to be done carefully and we want to make sure we don’t add something we shouldn’t. Gary and Sarah, you two in particular have mentioned planned usage of campaign and intrusion set. Do you see any concerns with adding this field? And, I guess, do you see the value in adding it…would it be useful to have?If we did add “last_seen”, we would also add “last_seen_precision” to capture the precision of the last_seen field per our rules about timestamps.Thanks,JohnCampaign: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.pcpvfz4ik6d6Intrusion Set: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.5ol9xlbbnrdn
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .