OASIS Mailing List Archives

Subject: Re: [cti] MISP format <-> STIX 2.0 - Discussions

On 05/05/17 15:44, Wunder, John A. wrote:
> Ah, good feedback Paul…does anyone else have a similar namespaced tagging approach?
> Maybe we should put a pin in this topic for either 2.1 or 2.2. I’m curious about what the cross-tool usages of the fields are…if it’s just displaying to users or searching on it, jamming it into strings might not be so bad. If there’s automated processing based on specific tags though, obviously that doesn’t work so well. It would probably be useful to take some examples and run them through some sharing scenarios. Or maybe we’ll find out everyone has the same set of “vendor-specific” tags and we literally can just standardize on them.

Our idea in general was to cover two use-cases in general, one as you mentioned is automation (though with the purpose of filtering based on known tags, something that we publish through open taxonomies, see RFC below[1]) but also to have a humanly readable format for the analysts.

Basically the translation of the triple and double tags is super simplistic:


In this case the representation would simply tell the user that the tag is from the Europol Incident vocabulary and that the tagged item is related to abusive content due to content forbidden by law.
For double tags, such as

"PAP:red" ref:[2]

we would simply indicate to the user that we are using the PAP vocabulary, and the tagged item is marked red. What the user does with this (filtering, using it as contextual information) is up to the

We have employed this for the past year or two for MISP and it quickly became one of the most crucial components of the information shared, with communities becoming incredibly involved in creating and maintaining taxonomies.

[1] https://github.com/MISP/misp-rfc/blob/master/misp-taxonomy-format/raw.md.txt
[2] https://www.misp.software/taxonomies.html#_pap

Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu
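
The two use-cases in the message above (filtering on known tags and a readable rendering for analysts), as an added example that is not part of the original message and is not MISP's own code. It assumes the `namespace:predicate` and `namespace:predicate="value"` machine-tag syntax of the taxonomy format referenced in [1]; the `example-incident` vocabulary, its labels and the sample tags other than `PAP:red` are constructed.

```python
import re

# Double tag: namespace:predicate      Triple tag: namespace:predicate="value"
TAG_RE = re.compile(r'^([^:="\s]+):([^:="\s]+)(?:="([^"]*)")?$')

# Constructed stand-in for published taxonomies (hypothetical labels):
# namespace -> display label and predicates; predicate -> (label, known values).
TAXONOMIES = {
    "PAP": {"label": "PAP", "predicates": {"red": ("red", {})}},
    "example-incident": {
        "label": "Example Incident",
        "predicates": {
            "abusive-content": ("abusive content", {"spam": "unsolicited bulk mail"}),
        },
    },
}

def parse_tag(tag):
    """Split a machine tag into (namespace, predicate, value or None); None if it is not one."""
    m = TAG_RE.match(tag.strip())
    return m.groups() if m else None

def lookup(tag):
    """Return (vocabulary, predicate label, value label or None) for a known tag, else None."""
    parsed = parse_tag(tag)
    if parsed is None:
        return None
    ns, pred, val = parsed
    tax = TAXONOMIES.get(ns)
    if tax is None or pred not in tax["predicates"]:
        return None
    pred_label, values = tax["predicates"][pred]
    if val is None:
        return (tax["label"], pred_label, None)
    # A triple tag only counts as known when its value is in the vocabulary too.
    return (tax["label"], pred_label, values[val]) if val in values else None

def describe(tag):
    """Analyst-facing rendering; unknown or free-text tags are passed through unchanged."""
    known = lookup(tag)
    if known is None:
        return f"unrecognised tag (kept as plain string): {tag}"
    vocab, pred, val = known
    text = f"{vocab} vocabulary: {pred}"
    return text if val is None else f"{text} ({val})"

def filter_known(tags):
    """Automation side: keep only tags that resolve against a known taxonomy."""
    return [t for t in tags if lookup(t) is not None]
```
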
