OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [cti] [EXT] [cti] STIX2.1 Extension Example - custom properties

Maybe remove me from your ban list?  😉


Your email filters may not like one or more of the attachments.  You can access the original email (with attachments) from the OASIS site:  https://www.oasis-open.org/apps/org/workgroup/cti/email/archives/202010/msg00046.html





From: aa tt <atcyber1000@gmail.com>
Sent: Friday, October 16, 2020 1:12 PM
To: Rich Piazza <rpiazza@mitre.org>
Cc: Chris Ricard <cricard@fsisac.com>; cti@lists.oasis-open.org
Subject: Re: [cti] [EXT] [cti] STIX2.1 Extension Example - custom properties


NOTICE: External Email - Sender is atcyber1000@gmail.com

I never received Chrisâs original email. Checking spam folder also didnât yield it.


Can someone resend or forward me the attachments?


Chris - thank you for sharing the examples. Once I get them I can provide feedback if you would like some.



On Oct 16, 2020, at 9:57 AM, Rich Piazza <rpiazza@mitre.org> wrote:


Hi Chris,


Thanks Chris.  This is great!!


I think that the ability for you to quickly put this together shows that going from custom properties representation to extension properties representation is relatively trivial.


Here is my comments on your experiment, based on my understanding of the Extension proposal.


  • The extension object you have for Option 1 contains the property "extension_properties".  The spec currently says that you only use that property for top level property extensions.  Iâm not sure why that is.  We should probably put in some text into the spec explaining âwhyâ.
  • Top-level property extensions are there for backward compatibility.  The spec indicates that the other type of property extensions is preferred. I know you mention that Option 2 makes your RESTful API more straightforward, but I think you could probably do the processing you did in the client code as a subroutine that the RESTful API calls â making the use of either extension property method invisible.  Of course, I donât know what your API looks like 😊
  • I donât see any advantage to Option 3, but maybe others will


Rich P.



Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation




From: <cti@lists.oasis-open.org> on behalf of Chris Ricard <cricard@fsisac.com>
Date: Friday, October 16, 2020 at 12:52 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [EXT] [cti] STIX2.1 Extension Example - custom properties




On todayâs TC call, Rich asked folks who are using custom STIX extensions to kick the tires on the new extension proposal.


We (FS-ISAC) use custom properties on the STIX2.1 Vulnerability SDO, in order to make some custom vulnerability reporting available via a TAXII2.1 feed.


The intent is for the content to be STIX/TAXII-compliant (since itâs being published to our TAXII server), yet still easy for non-STIX/TAXII applications (such as a vulnerability management system that has no idea what STIX and TAXII are) to be able to ingest it as a RESTful API.

Iâve attached 4 JSON files:

  1. stix21-orig.json:  This is an example of what we are currently publishing.  Note that all of the âx-ctix-*â properties are custom top-level properties.
  2. stix21-option1.json:  This is my attempt to convert stix21-orig.json to the âOption 1â proposal (Adding properties to an existing STIX object instance)
  3. stix21-option2.json: This is my attempt to convert stix21-orig.json to the âOption 2â proposal for adding custom properties to an existing STIX object (Adding properties at the top-level to an existing STIX object instance).
  4. stix21-option3.json:  This was just me taking a stab at what it would look like if there was an option to define the extensions in-line, rather than in a separate object.  Obviously it would create additional, duplicative data, but I thought I would toss it out there for consideration, since it would likely be easier for a STIX client to consume.



My take-aways:

  1. Publishing: It appears that we could publish our current custom vulnerability feed using either Option 1 and Option 2 (or Option 3).
  2. Consuming: 
    1. For STIX/TAXII consumers, Option 1 and Option 2 seem equivalent to me.  As long as the STIX client properly understands the spec, either should work.  The one advantage I see to option 1 is that it allows you to overload the same custom property name in the same SDO defined in different extensions (example, it seems that I could have an âFS-ISACâ risk property, and an âIT-ISACâ risk property in the same SDO, both named âriskâ.  Iâm not sure why you would want that, though).
    2. For NON-STIX/TAXII consumers (example - REST clients which are STIX unaware), Option 2 seems far superior.  The REST client could treat all top-level properties the same, rather than having to understand that some top-level properties are native STIX properties, while others are custom STIX properties that are embedded under the âextensionsâ property.


Also attached is a chicken-scratch python code (process_vulns-json.txt) to illustrate what Iâm talking about.   The original JSON and the Option 2 JSON can be processed without any knowledge of STIX or understanding of STIX extensions. However, Option 1 requires an understanding of STIX extensions, and some hand-waving to unpack the custom properties.


Hope this makes sense.  Please let me know if I misunderstood anything.


Chris Ricard

Sr. Tech Engineer, FS-ISAC

work: +1 571-446-3888

cell: +1 703-673-8621




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]