
Subject: RE: [EXT] [cti] ID Contributing Properties for Email Message


That's correct. The two have very different use cases. Using message_id lets you track a particular message that is flowing through a system, which is useful when doing malware analysis and tracking how an email was decomposed. However, message_id is designed to be completely unique to the email (more so than any other field), so it can largely serve by itself in this regard.

The other three fields are useful when tracking a pattern of behavior without providing any sort of time bounding. For example, you could send out an alert saying that such and such intrusion set sent out 10,000 copies of the email over a period of two weeks to a dozen organizations as part of a phishing campaign. All of these would be different emails, but it is useful for a CTI provider to be able to tie everything together with the generalized form of this email.

Jeffrey Mates, Civ DC3/TSD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Technical Solutions Development
jeffrey.mates@dc3.mil
410-694-4335


-----Original Message-----
From: Piazza, Rich <rpiazza@mitre.org> 
Sent: Wednesday, July 10, 2019 11:40 AM
To: Mates, Jeffrey CIV DC3/TSD <Jeffrey.Mates@dc3.mil>; cti@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [EXT] [cti] ID Contributing Properties for Email Message

Hi Jeff,

I think you mentioned on the call yesterday that you were suggesting a choice between 1 and 2 for the deterministic id.
You aren't suggesting to just add message_id to the other three. Correct?

	Rich

On 7/9/19, 3:56 PM, "Mates, Jeffrey CIV DC3/TSD" <cti@lists.oasis-open.org on behalf of Jeffrey.Mates@dc3.mil> wrote:

    Since my access to Google Docs is currently limited I would suggest updating
    it to something like:

    The following schemas are recommended for creating deterministic IDs for Email
    Messages:

    1. from, subject and body (all items must be present)
    2. message_id

    Jeffrey Mates, Civ DC3/TSD
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Computer Scientist
    Technical Solutions Development
    jeffrey.mates@dc3.mil
    410-694-4335

Attachment: smime.p7s
Description: S/MIME cryptographic signature
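The two ID schemes discussed in this thread, worked through in code. This is an added example and not code from the thread, the CTI TC, or any STIX library. It assumes the STIX 2.1 email-message property names (`from_ref`, `subject`, `body`, `message_id`), the STIX 2.1 namespace UUID for UUIDv5 deterministic identifiers, and a simplified key-sorted JSON canonicalization in place of the RFC 8785 form the specification calls for. The sample emails are constructed: three copies of one lure, each with its own message_id, plus one unrelated email with no body, so that the "all items must be present" rule from scheme 1 is exercised. Under scheme 1 the three copies collapse to a single id (the "generalized form of this email" a CTI provider wants to alert on); under scheme 2 each copy keeps a distinct id (the per-message tracking used in malware analysis).

```python
import json
import uuid

# STIX 2.1 namespace used for UUIDv5 deterministic SCO identifiers.
STIX_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Scheme 1 from the thread: from, subject and body, all required.
# Property names follow STIX 2.1 email-message (assumption for this example).
CONTENT_SCHEME = ("from_ref", "subject", "body")
# Scheme 2 from the thread: message_id on its own.
MESSAGE_ID_SCHEME = ("message_id",)


def canonical_json(props):
    """Key-sorted, whitespace-free JSON: a minimal stand-in for the RFC 8785
    canonicalization STIX 2.1 specifies for the contributing properties."""
    return json.dumps(props, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def deterministic_id(email, scheme):
    """Return an email-message id under `scheme`.

    Every property in the scheme must be present and non-empty. If one is
    missing, the scheme cannot be applied and a random UUIDv4 id is issued
    instead, which is what 'all items must be present' implies."""
    contributing = {k: email[k] for k in scheme if email.get(k) not in (None, "")}
    if len(contributing) != len(scheme):
        return "email-message--" + str(uuid.uuid4())
    return "email-message--" + str(uuid.uuid5(STIX_NAMESPACE, canonical_json(contributing)))


def id_version(stix_id):
    """UUID version of a STIX id: 5 = deterministic, 4 = random fallback."""
    return uuid.UUID(stix_id.split("--", 1)[1]).version


def group_by_content(emails):
    """Map content-scheme id -> list of message_ids: the view needed to say
    'these N distinct emails are copies of one phishing lure'."""
    groups = {}
    for e in emails:
        groups.setdefault(deterministic_id(e, CONTENT_SCHEME), []).append(e.get("message_id"))
    return groups


# Constructed sample data (not real messages): three copies of one lure sent
# to three recipients, each with its own message_id, and one unrelated email
# that has no body and so cannot get a scheme-1 deterministic id.
SENDER = "email-addr--11111111-1111-4111-8111-111111111111"
SAMPLE_EMAILS = [
    {"from_ref": SENDER, "subject": "Invoice overdue", "body": "Open the attachment.",
     "message_id": "<a1@example.invalid>"},
    {"from_ref": SENDER, "subject": "Invoice overdue", "body": "Open the attachment.",
     "message_id": "<a2@example.invalid>"},
    {"from_ref": SENDER, "subject": "Invoice overdue", "body": "Open the attachment.",
     "message_id": "<a3@example.invalid>"},
    {"from_ref": "email-addr--22222222-2222-4222-8222-222222222222",
     "subject": "Meeting notes", "message_id": "<b1@example.invalid>"},
]

if __name__ == "__main__":
    for e in SAMPLE_EMAILS:
        print(deterministic_id(e, CONTENT_SCHEME), deterministic_id(e, MESSAGE_ID_SCHEME))
    for content_id, msg_ids in group_by_content(SAMPLE_EMAILS).items():
        print(content_id, "->", msg_ids)
```

Because the contributing properties are serialized key-sorted before hashing, the order in which a producer lists `from_ref`, `subject` and `body` does not change the id; only their values do. The random-UUIDv4 fallback is deliberate: an email missing one of the three fields gets a fresh id on every call, so it never silently collides with (or masquerades as) the generalized form of a different lure.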


