Subject: RE: [EXT] [cti] STIX2.1 Extension Example - custom properties
Rich,

Comments in-line below

Thanks,
Chris

From: Rich Piazza <rpiazza@mitre.org>

Hi Chris,

Thanks Chris. This is great!! I think that the ability for you to quickly put this together shows that going from custom properties representation to extension properties representation is relatively trivial. Here are my comments on your experiment, based on my understanding of the Extension proposal.
Yeah - I mis-read the spec. I'm unclear why extension_properties would be forbidden for use with extension_types=property_extension, but I'm sure there's a good reason. Regardless, it doesn't seem necessary.

That's kinda my issue. One of the benefits of STIX2/TAXII2 is that it's RESTful, making it easily accessible to clients that don't actually support STIX/TAXII, but do support REST APIs. Option 1 seems to require some level of STIX understanding (and specifically an understanding of STIX extensions) in order to parse, while Option 2 does not. That alone makes me feel that Option 2 is better. I know you mention that Option 2 makes your RESTful API more straightforward, but I think you could probably do the processing you did in the client code as a subroutine that the RESTful API calls - making the use of either extension property method invisible. Of course, I don't know what your API looks like 😊

That goes along with what I'm saying. I would have to write custom client code in order to properly parse Option 1, while this isn't required for Option 2. For shrink-wrapped vendor apps, that might be difficult, or might not even be possible.
The only advantage I see with Option 3 is for non-STIX clients, all the info is in one place, rather than having to (likely manually) reference external objects. Obviously the disadvantage is bloat.

Rich P.
--
Rich Piazza
Lead Cyber Security Engineer
The MITRE Corporation
781-271-3760

From: <cti@lists.oasis-open.org> on behalf of Chris Ricard <cricard@fsisac.com>

Folks,

On today's TC call, Rich asked folks who are using custom STIX extensions to kick the tires on the new extension proposal. We (FS-ISAC) use custom properties on the STIX2.1 Vulnerability SDO, in order to make some custom vulnerability reporting available via a TAXII2.1 feed. The intent is for the content to be STIX/TAXII-compliant (since it's being published to our TAXII server), yet still easy for non-STIX/TAXII applications (such as a vulnerability management system that has no idea what STIX and TAXII are) to be able to ingest it as a RESTful API.

I've attached 4 JSON files:
My take-aways:
Also attached is a chicken-scratch python code (process_vulns-json.txt) to illustrate what I'm talking about. The original JSON and the Option 2 JSON can be processed without any knowledge of STIX or understanding of STIX extensions. However, Option 1 requires an understanding of STIX extensions, and some hand-waving to unpack the custom properties.

Hope this makes sense. Please let me know if I misunderstood anything.

Chris Ricard
Sr. Tech Engineer, FS-ISAC
work: +1 571-446-3888
cell: +1 703-673-8621