OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Working call agenda for Tuesday 2/28

The agenda for tomorrow’s working call will include:


·         Intel note

o    Proposal: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.74spnst8naxc

o    Open questions include:

§  Created by ref vs. author. If we use both, how do we clarify when to use which?

§  If we use both, does that mean we should add an author property onto any other SDOs (or all of them)?

§  Do we need to clarify that an Intel Note is more “off the cuff” analysis? I believe there was some concern about knowing when to use Intel Note vs other SDOs

·         Opinion

o    Proposal: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.haeazu2sh3sq

o    Open questions include:

§  Do we want a description field on opinion? If so, is there too much overlap with Intel Note? (there isn’t one currently in the proposal, but one can be added back in if we agree it should be there)

§  Are Intel note and Opinion too similar? How can we clarify their purpose and make it less confusing?

§  What scale do we want to use to represent an opinion?

·         0-100 (same as confidence or somehow with a different meaning than confidence, which could get confusing)

·         -100 – 100 (with negatives meaning ‘disagree’)

·         ‘strongly agree’, ‘agree’, ‘neutral’, ‘disagree’, ‘strongly disagree’

·         others?

§  Are people creating Opinions going do offer up suggestions for corrections, and if so, should we make a property for that?

·         Ex: “You said that this was linked to PandaCat, but our analysis shows that this is more likely to be FlameDragonCrew”

§  What can we do (perhaps in TAXII) to allow people to drop opinion objects if they don’t want to see them?

·         (if time) Location

o    There are two proposals, the first is attached to this email. The second is located here: https://docs.google.com/document/d/1SrwLhO-glQ9dnkj3BYfSd9ITr_L7Ai_JEnn1tqEO_dg/edit#heading=h.hqzx1hu0izya

o    If there’s time, we’ll discuss the difference between these approaches and see if we can determine which direction people are leaning.




Sarah Kelley

Senior Cyber Threat Analyst

Center for Internet Security (CIS)

Integrated Intelligence Center (IIC)

Multi-State Information Sharing and Analysis Center (MS-ISAC)

1-866-787-4722 (7×24 SOC)

Email: cert@cisecurity.org


Follow us @CISecurity


This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .

Attachment: stix-location.docx
Description: stix-location.docx

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]