OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti] [EXT] [cti] Embedded Relationships


Rich – I’m not suggesting the model keeps the history.

 

If products want to keep history then that is a product choice not a stix modelling question. Stix is an intelligence sharing data model.

 

All I’m suggesting is having a date for when a relationship is no longer active so that producers of that information can indicate that specific event/information.

 

First_seen/last_seen could work for this concept but I know others might have issue with that design. I personally think a single timestamp or first_seen/last-seen would work.

 

Regards

 

allan

 

 

 

From: "Piazza, Rich" <rpiazza@mitre.org>
Date: Thursday, May 4, 2017 at 6:34 AM
To: Allan Thomson <athomson@lookingglasscyber.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Wunder, John" <jwunder@mitre.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

 

What Allan is referring to is a lot more complex that first_seen, last_seen.

 

Let’s say a relationship is true from t1 to t2, then isn’t from t2 to t3, but then is true again after t3?  Do we need to keep this “history”?  Are these just 3 different versions of this relationship?

 

With first_seen, last_seen history is unimportant – Something was last seen at t2, but then seen again at t3, we don’t care about t2.

 

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:55 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, John Wunder <jwunder@mitre.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

 

Yes. It could be. 

 

Allan




On Wed, May 3, 2017 at 1:49 PM -0700, "Wunder, John A." <jwunder@mitre.org> wrote:

Gotcha. I wonder if it’s similar to first_seen and last_seen like we have on campaign.

 

From: Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:37 PM
To: John Wunder <jwunder@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

 

Revoked -> this relationship was created in error and we want to remove its existence from future consideration

No longer active -> this relationship was active, is legitimate but we (as source of the reln) have determined that the connection is no longer at time X

 

Semantically they are different. I can see why you might think it’s the same but they’re not. At least in my mind.

 

allan

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Date: Wednesday, May 3, 2017 at 1:35 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

 

I don’t think I really follow the difference…can you give a couple examples (of no longer valid vs. no longer active)?

 

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:31 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <pmaroney@wapacklabs.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, "Jason Mr. Keirstead" <Jason.Keirstead@ca.ibm.com>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Richard.Struse@HQ.DHS.GOV" <Richard.Struse@hq.dhs.gov>, "John-Mark Mr. Gurney" <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

 

Revoked does not mean ‘no longer active’. It means the data is no longer valid. That’s semantically different.

 

I think we need a different attribute to represent no longer active.

 

allan

 

From: "Wunder, John" <jwunder@mitre.org>
Date: Wednesday, May 3, 2017 at 1:27 PM
To: Allan Thomson <athomson@lookingglasscyber.com>, Patrick Maroney <pmaroney@wapacklabs.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Bret Jordan <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Struse, Richard" <Richard.Struse@hq.dhs.gov>, John-Mark Gurney <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

 

Relationships are just a type of STIX Object and so already have a `revoked` property. Is that what we’re talking about here? If so I think we’re already covered.

 

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:20 PM
To: Patrick Maroney <pmaroney@wapacklabs.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, "Jason Mr. Keirstead" <Jason.Keirstead@ca.ibm.com>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Richard.Struse@HQ.DHS.GOV" <Richard.Struse@hq.dhs.gov>, "John-Mark Mr. Gurney" <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

 

Pat – not sure I follow.

 

All of our CRUD operations/versioning are timestamped based in the current STIX 2.0 spec.

 

I don’t believe I’m suggesting something that is different from what we already have. Just making sure we follow that design.

 

Regards

 

allan

 

From: Patrick Maroney <pmaroney@wapacklabs.com>
Date: Wednesday, May 3, 2017 at 1:18 PM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Bret Jordan <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Struse, Richard" <Richard.Struse@hq.dhs.gov>, John-Mark Gurney <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

 

Re Allan's comments: 

 

"But the ability to model and represent data changes (CRUD) is important. We just need to agree on how that is done in the STIX model.

 My response to this thread was suggesting we model deletion of relationships with a timestamp of when the reln is no longer active."

 

Since this topic has surfaced again,  I'll throw out the Time Based Versioning Concept again. 

 

Whoa! Whoa! Rocinante*!!!  Relax..  We are not attacking this windmill again!! 

 

Rocinante (Spanish pronunciation: [roθiˈnante]) is Don Quixote's horse in the novel Don Quixote by Miguel de Cervantes. 

In many ways, Rocinante is not only Don Quixote's horse, but also his double: like Don Quixote, 

he is awkward, past his prime, and engaged in a task beyond his capacities

 

Patrick Maroney

Principal Engineer - Data Science & Analytics

Wapack Labs LLC

(609)841-5104

 

 

 

 

 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]