

Subject: Re: [cti] Re: [EXT] Re: [cti] Summary of the working call


Alexandre,


We already have a related_data property.  Right now the description says that it is for Observed_Data, but that can be expanded to any STIX object.  If the description was changed, can you identify how this object does not meet your use case?


Bret


From: Sarah Kelley <Sarah.Kelley@cisecurity.org>
Sent: Wednesday, August 23, 2017 1:16:18 PM
To: Bret Jordan; Alexandre Dulaunoy; cti@lists.oasis-open.org
Subject: Re: [cti] Re: [EXT] Re: [cti] Summary of the working call
 

The current version of Event already has something like “supporting_data”. It’s a property called “related_data”.

 

https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q.

 

I’m not sure how this suggestion would be any different?

 

Sarah Kelley

Senior Cyber Threat Analyst

Multi-State Information Sharing and Analysis Center (MS-ISAC)                   

31 Tech Valley Drive

East Greenbush, NY 12061

 

sarah.kelley@cisecurity.org

518-266-3493

24x7 Security Operations Center

SOC@cisecurity.org - 1-866-787-4722

 

                  

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Wednesday, August 23, 2017 at 3:12 PM
To: Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Re: [EXT] Re: [cti] Summary of the working call

 





Alexandre,

 

If we added a "supporting_data" property to Event that contained a list of IDs to other STIX objects, would that enable your use-case?

 

Bret


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>
Sent: Wednesday, August 23, 2017 2:42:46 AM
To: cti@lists.oasis-open.org
Subject: [EXT] Re: [cti] Summary of the working call

 

On 22/08/17 22:12, Sarah Kelley wrote:
> On today’s working call, we discussed the event object. We didn’t have someone taking full notes, but I’ll try to summarize what was discussed below.
>
>   1.  The event object should be scoped down to just an IR type of event/incident. This would need to be clarified in the text, but that would then scope out some of our other use cases such as:
>      *   An ‘alert’ coming into your system
>      *   An ‘event’ such as a threat actor registering a domain
>      *   The MISP version of ‘event’

As our past proposals (event and updated report) were rejected and seeing how despite expectations the new event SDO won't accommodate the requirements of many CERTs and considering that we need to move on regarding this, we propose a new SDO called generic event to be able to map MISP events to STIX.

https://www.misp-project.org/generic-event-proposal-STIX-2.1.pdf

Thank you very much

--
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu - (+352) 247 88444
