Subject: Re: [cti] STIX 2.1 & Cyber Observables


On 22.12.2016 19:49:46, Paul Patrick wrote:
> 
> Your timing is perfect as I’m in the middle of mapping OpenIOC 1.1
> definitions to STIX Indicators and uncovering several things that
> are currently missing in STIX 2.0 that are needed to support a
> complete mapping.
>

Hey, Paul -

Your gap analysis is most helpful. Ivan and I are keenly aware of the
need to flesh out the Windows-related portions of the STIX Observable
data model. We're grateful for every bit of assistance we can get!


> 
> ·         DNS Record
> 

Definitely on our hit list. ^_^

> 
> ·         EventLog (something we didn’t have in CybOX)
> 

The question of representing log data in the Observable data model has
already come up a number of times. I think we're still some distance
from broad consensus as to whether mapping log data into the data
model is in scope. If we do decide to target log data, we should do it
in a sufficiently abstract manner as to address syslog and friends, in
addition to Windows EventLog.

(This is a sufficiently broad topic as to merit continuing the
discussion on an independent thread.)

> 
> One other thing that I saw was that often the OpenIOC will have
> alternate patterns for detection; particularly that of Snort and
> YARA. I know we’ve talked about this as a group, but here is a
> concrete use case in the “wild” that we might want to take into
> consideration as we talk through the ability to express alternate
> pattern expressions.
> 

This falls under the rubric of the STIX Indicator. At one point
alternate patterns were in the STIX 2.0 draft but were punted to a
later release. (I forget the rationale.) We can definitely discuss
adding this capacity back in for STIX 2.1.

Again, Paul, thanks for the terrific feedback! Please keep it coming. ^_^

-- 
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4  5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"No matter how hard you push and no matter what the priority, you
can't increase the speed of light." --RFC 1925
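The "alternate pattern expressions" point raised above (an OpenIOC indicator carrying a Snort rule and a YARA rule alongside its observable terms) is what STIX 2.1 eventually addressed with the Indicator's `pattern_type` property and the `pattern-type-ov` vocabulary (`stix`, `pcre`, `sigma`, `snort`, `suricata`, `yara`). The following is an added example, not code from the thread or from the OASIS CTI TC: it maps a constructed OpenIOC-style document to one STIX 2.1 Indicator per pattern language, so the same detection is carried once as a STIX pattern and once each as Snort and YARA. The OpenIOC element layout, the `STIX_MAP`/`ALT_MAP` tables and the `openioc_to_indicators` helper are assumptions made for illustration; real OpenIOC 1.1 files are namespaced and carry more metadata than shown.

```python
"""Added example: STIX 2.1 Indicators with alternate pattern languages.

Not from the mailing-list thread. Uses only the standard library so it
runs offline; the OpenIOC-style input is a constructed sample.
"""
import json
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample shaped like an OpenIOC 1.1 criteria block (assumption:
# namespaces dropped and element set reduced for readability).
SAMPLE_IOC = """<OpenIOC>
  <criteria>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="Snort" search="Snort/Snort"/>
        <Content type="string">alert tcp any any -> any 80 (msg:"demo"; content:"evil"; sid:1000001;)</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="Yara" search="Yara/Yara"/>
        <Content type="string">rule demo { strings: $a = "evil" condition: $a }</Content>
      </IndicatorItem>
    </Indicator>
  </criteria>
</OpenIOC>"""

# STIX 2.1 pattern-type-ov (this vocabulary is from the 2.1 specification).
PATTERN_TYPE_OV = {"stix", "pcre", "sigma", "snort", "suricata", "yara"}

# Assumed mapping tables: OpenIOC search term -> STIX pattern template, and
# OpenIOC search term -> alternate pattern language carried verbatim.
STIX_MAP = {
    "FileItem/Md5sum": "[file:hashes.MD5 = '{v}']",
}
ALT_MAP = {"Snort/Snort": "snort", "Yara/Yara": "yara"}


def _indicator(pattern, pattern_type, ts):
    """Build a minimal STIX 2.1 Indicator; reject unknown pattern types."""
    if pattern_type not in PATTERN_TYPE_OV:
        raise ValueError(f"pattern_type {pattern_type!r} not in pattern-type-ov")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "pattern": pattern,
        "pattern_type": pattern_type,
        "valid_from": ts,
    }


def openioc_to_indicators(xml_text, now=None):
    """Emit one Indicator per IndicatorItem, choosing the pattern language by
    the OpenIOC search term. STIX-pattern values are quoted for the pattern
    grammar; Snort/YARA bodies are passed through untouched."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    root = ET.fromstring(xml_text)
    out = []
    for item in root.iter("IndicatorItem"):
        search = item.find("Context").get("search")
        value = item.find("Content").text.strip()
        if search in STIX_MAP:
            escaped = value.replace("\\", "\\\\").replace("'", "\\'")
            out.append(_indicator(STIX_MAP[search].format(v=escaped), "stix", ts))
        elif search in ALT_MAP:
            out.append(_indicator(value, ALT_MAP[search], ts))
        else:
            raise ValueError(f"no STIX mapping for OpenIOC term {search!r}")
    return out


def as_bundle(indicators):
    """Wrap objects in a STIX 2.1 Bundle (2.1 bundles carry no spec_version)."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators}


if __name__ == "__main__":
    print(json.dumps(as_bundle(openioc_to_indicators(SAMPLE_IOC)), indent=2))
```

Each alternate expression becomes its own Indicator rather than an extra property on one object; tying the three to the same threat is done with Relationship objects (for example `indicates`), which the example leaves to the producer. Consumers that only run a STIX pattern engine filter on `pattern_type == "stix"` and ignore the rest, which is exactly the graceful degradation the alternate-pattern discussion was after.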
