All,
Separate from the timestamp debate, I was also hoping to get to a resolution on timestamp precision. As a reminder, precision is an optional field accompanying certain timestamps that can tell you how precise
the timestamp is supposed to be. It would let you say, for example, that a campaign with first seen sometime in 2014 without the producer having to pick some arbitrary date in 2014.
I see three options:
1.
Keep as-is
2.
Remove precision from all fields and add it as necessary
3.
Evaluate it on a field-by-field basis
I’ve listed the places that have precision below (and notable places that don’t) so that we can all be on the same page. Given that data, which do you prefer? If you prefer #3, which places should we add it
to now?
John
Campaign
first_seen
last_seen
Indicator
valid_from
valid_to
Intrusion Set
first_seen
last_seen
Sighting
first_seen
last_seen
The following timestamps do
not have precision:
STIX Objects (all SROs and SDOs)
created
modified
Observed Data
first_observed
last_observed
Report
published
Cyber Observable Layer
Nowhere in the cyber observable layer has timestamps