Rich – I’m not suggesting the model keeps the history.
If products want to keep history then that is a product choice, not a STIX modelling question. STIX is an intelligence sharing data model.
All I’m suggesting is having a date for when a relationship is no longer active so that producers of that information can indicate that specific event/information.
First_seen/last_seen could work for this concept but I know others might have issue with that design. I personally think a single timestamp or first_seen/last_seen would work.
Regards
allan
From: "Piazza, Rich" <rpiazza@mitre.org>
Date: Thursday, May 4, 2017 at 6:34 AM
To: Allan Thomson <athomson@lookingglasscyber.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Wunder, John" <jwunder@mitre.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships
What Allan is referring to is a lot more complex than first_seen, last_seen.
Let’s say a relationship is true from t1 to t2, then isn’t from t2 to t3, but then is true again after t3? Do we need to keep this “history”? Are these just 3 different versions of this relationship?
With first_seen, last_seen history is unimportant – Something was last seen at t2, but then seen again at t3, we don’t care about t2.
From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:55 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, John Wunder <jwunder@mitre.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships
On Wed, May 3, 2017 at 1:49 PM -0700, "Wunder, John A." <jwunder@mitre.org> wrote:
Gotcha. I wonder if it’s similar to first_seen and last_seen like we have on campaign.
From: Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:37 PM
To: John Wunder <jwunder@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships
Revoked -> this relationship was created in error and we want to remove its existence from future consideration
No longer active -> this relationship was active, is legitimate but we (as source of the reln) have determined that the connection is no longer at time X
Semantically they are different. I can see why you might think it’s the same but they’re not. At least in my mind.
☺
allan
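The distinction drawn in this message (revoked vs. no longer active), combined with the end-date idea from the message at the top of the thread, as an added example that is not part of the original e-mails or the STIX specification. `x_inactive_since` is a hypothetical custom property, and all ids and timestamps are constructed.

```python
from datetime import datetime, timezone

def ts(s):
    """Parse a STIX 2.0 timestamp such as 2017-05-03T20:37:00.000Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def relationship_state(versions, at):
    """Classify one relationship (all versions share an id) at time `at`."""
    current = max(versions, key=lambda o: ts(o["modified"]))  # newest version wins
    if current.get("revoked", False):
        return "revoked"    # created in error: never use it, past or present
    ended = current.get("x_inactive_since")  # hypothetical property, not in STIX 2.0
    if ended is not None and ts(ended) <= at:
        return "inactive"   # legitimate link that the producer says ended at time X
    return "active"

# Constructed sample data: placeholder ids and made-up timestamps.
BASE = {
    "type": "relationship",
    "relationship_type": "indicates",
    "source_ref": "indicator--00000000-0000-4000-8000-000000000001",
    "target_ref": "malware--00000000-0000-4000-8000-000000000002",
    "created": "2017-01-01T00:00:00.000Z",
}
REL_A = "relationship--00000000-0000-4000-8000-00000000000a"
REL_B = "relationship--00000000-0000-4000-8000-00000000000b"

# Producer published the link by mistake, then revoked it.
CREATED_IN_ERROR = [
    dict(BASE, id=REL_A, modified="2017-01-01T00:00:00.000Z"),
    dict(BASE, id=REL_A, modified="2017-02-01T00:00:00.000Z", revoked=True),
]
# Link was real, but the producer later states it ended on 2017-02-15.
ENDED = [
    dict(BASE, id=REL_B, modified="2017-01-01T00:00:00.000Z"),
    dict(BASE, id=REL_B, modified="2017-03-01T00:00:00.000Z",
         x_inactive_since="2017-02-15T00:00:00.000Z"),
]

if __name__ == "__main__":
    now = ts("2017-05-04T00:00:00.000Z")
    for name, versions in (("created in error", CREATED_IN_ERROR), ("ended", ENDED)):
        print(name, "->", relationship_state(versions, now))
```

A consumer can still use the ended link when reasoning about events before 2017-02-15, while the revoked link is excluded for every point in time.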
From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Date: Wednesday, May 3, 2017 at 1:35 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships
I don’t think I really follow the difference…can you give a couple examples (of no longer valid vs. no longer active)?
From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:31 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <pmaroney@wapacklabs.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, "Jason Mr. Keirstead" <Jason.Keirstead@ca.ibm.com>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Richard.Struse@HQ.DHS.GOV" <Richard.Struse@hq.dhs.gov>, "John-Mark Mr. Gurney" <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships
Revoked does not mean ‘no longer active’. It means the data is no longer valid. That’s semantically different.
I think we need a different attribute to represent no longer active.
allan
From: "Wunder, John" <jwunder@mitre.org>
Date: Wednesday, May 3, 2017 at 1:27 PM
To: Allan Thomson <athomson@lookingglasscyber.com>, Patrick Maroney <pmaroney@wapacklabs.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Bret Jordan <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Struse, Richard" <Richard.Struse@hq.dhs.gov>, John-Mark Gurney <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships
Relationships are just a type of STIX Object and so already have a `revoked` property. Is that what we’re talking about here? If so I think we’re already covered.
From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:20 PM
To: Patrick Maroney <pmaroney@wapacklabs.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, "Jason Mr. Keirstead" <Jason.Keirstead@ca.ibm.com>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Richard.Struse@HQ.DHS.GOV" <Richard.Struse@hq.dhs.gov>, "John-Mark Mr. Gurney" <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships
Pat – not sure I follow.
All of our CRUD operations/versioning are timestamped based in the current STIX 2.0 spec.
I don’t believe I’m suggesting something that is different from what we already have. Just making sure we follow that design.
Regards
allan
From: Patrick Maroney <pmaroney@wapacklabs.com>
Date: Wednesday, May 3, 2017 at 1:18 PM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Bret Jordan <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Struse, Richard" <Richard.Struse@hq.dhs.gov>, John-Mark Gurney <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships
Re Allan's comments:
"But the ability to model and represent data changes (CRUD) is important. We just need to agree on how that is done in the STIX model.
My response to this thread was suggesting we model deletion of relationships with a timestamp of when the reln is no longer active."
Since this topic has surfaced again, I'll throw out the Time Based Versioning Concept again.
Whoa! Whoa! Rocinante*!!! Relax.. We are not attacking this windmill again!!
Rocinante (Spanish pronunciation: [roθiˈnante]) is Don Quixote's horse in the novel Don Quixote by Miguel de Cervantes. In many ways, Rocinante is not only Don Quixote's horse, but also his double: like Don Quixote, he is awkward, past his prime, and engaged in a task beyond his capacities.
Principal Engineer - Data Science & Analytics