[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [cti] Re: [EXT] [cti] RE: TAXII Version Filter - Please review
|
Sorry Allan, we responded very close to each other. I agree on âclearer if we donât confuse added_after functionality with this filter option.â. I guess that what you suggest is closer is to Option #1? -Emmanuelle From: Allan Thomson <athomson@lookingglasscyber.com> This specific text is on object lookup based on a version timestamp. I think its clearer if we donât confuse added_after functionality with this filter option. So âIf the STIX object does not contain either a modified or created timestamp, then this filter may be ignoredâ Allan From: "cti@lists.oasis-open.org"
<cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com> That is a good point... I am also starting to think that we should just not saying anything about those, or say that this specific version parameter does not work for objects that do not have versions. Meaning,
if the version does not have a version, then this parameter is meaningless. We would still need to figure out what we are going to do with the "last", "first", and "all" parameters. But the specific parameter I think we can just say it is not applicable. Or we just say that for TAXII 2.1, we are going to do nothing here, and we will worry about it for TAXII 2.2. TAXII 2.2 could probably be released around the same time as STIX 2.1. Bret From:
cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Vargas-Gonzalez, Emmanuelle <emmanuelle@mitre.org> Bret, I feel like this line
If the STIX object does not contain either a modified or created timestamp, then this filter should return the
latest version according to the server. does not convey (or goes against) the purpose of using the
version filter. I am having a problem with the word latest on that line as not always we would want to resolve for the latest object in a server. Perhaps something like the following would allow for the resolution of objects without created or modified
time. ### BEGIN If the STIX object does not contain either a modified or created timestamp, then this filter should use the date and time when the object was added to the server as a method
to disambiguate the object to be returned. ### END Any thoughts? Thanks, Emmanuelle From: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
On Behalf Of Bret Jordan All, Drew, Allan, and I took a stab at fixing the text on the version filter parameter so that can work with a STIX object that does not have a modified timestamp (marking-definition object). The text from section 3.4.1 now
reads: ### BEGIN For STIX objects, this filter option requests objects whose modified time matches exactly the provided value and the value MUST follow the rules for timestamp as defined in [STIXâ Version 2.0.
Part 1: STIX Core Concepts]. For STIX objects that do not contain a modified timestamp (ex. the marking-definition object), then this filter should match on the created timestamp. If the STIX object does not contain either a
modified or created timestamp, then this filter should return the latest version according to the server. For example: "2016-01-01T01:01:01.000Z" tells the server to return the exact STIX object(s) that
matched the modified time or created time (in the case of a marking-definition object) of "2016-01-01T01:01:01.000Z". ### END The extra caveat for not having either a modified or created timestamp deals with the potential cyber observable changes. Please review and comment on the list with any concerns or changes. Bret |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]