OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Notes From Tuesday's Call

All,

 

The notes from Tuesdayâs working call have been uploaded into Kavi. As per our current procedure, Iâm also sending them via email for searchability.  Thanks to Gary for taking notes!

 

 

People on Call

Masato

Sarah Kelly

Trey Darley

Allan Thomson

Chris Lenk

Drew Varner

Emmanuelle Vargas-Gonzalez

Forest Hare

Jeff Mates

John-Mark

Nicholas Hayden

Paul Patrick

Rich Piazza

Gary Katz

Sean Barnum

Chris Ricard

 

Allan Thomson presented on Courses of Action reviewing current proposal and updates

 

People expressed concerns about system versions property and whether it is necessary

  • Chris Ricard wanted to just make action type a list because the course of action could apply to multiple platforms that use the same syntax.  Allanâs response asked why just the primary platform would not just be listed and others could still use it.
  • Sean Barnum is worried it oversimplifies what is being represented. 
  • Jeff Mates thought that it was specifying the language type not the environment on which it would be run.  Ex. It is a bash script or a snort rule, not the platform to run it.  Jeff is not against the version number being included.
  • John-Mark also likes the proposal, would like to use mime type for action type but understands that it may not be practical.  Suggested using CPE for system version.  Allan agreed with the suggestion for using CPE strings. 
  • Allan clarified that the version is of the software version that the action applies to.
  • John-Mark clarified that he believes action type should contain all of the version information
  • Jeff Mates made the point that version being in the CPE string means that extra parsing has to occur.
  • Trey suggested taking a step back, COA looks workable and letâs see some working examples.
  • In a quick poll, suggest moving forward including the parameter to allow everyone to iterate on the capability.

 

Ivanâs comments were concerning language.  Decision was to iterate in draft on the language.

 

Rich had a comment that both could be optional for what to do and only include a description on what to do.

 

Decision is to move COA into CSD Draft

 

Switch topic to presentation on STIX2 Observed Data and Objects

Allan presented on the differences between sensor data use cases and intelligence analysis use cases.  Meetings will take place over the following week to try to find a compromise that will support these two use cases. 

 

 

 

Sarah Kelley

Lead Cybersecurity Engineer, T8B2

Defensive Operations

The MITRE Corporation

703-983-6242

skelley@mitre.org

cid:image006.png@01D0A90C.2B5B2680

 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]