
Subject: Re: [EXT] [cti] STIX 2.1 Extension Examples


Hi Paul,

 

I really like your examples for Vulnerability and Data Marking Definition extensions. 

 

One of the things that stands out is that there are pre-existing JSON schemas for a lot of these ideas.  It would seem to me that having a repository of STIX Extension Definitions makes a lot of sense - a community known place to look for extension definitions.

 

DHS has asked us to look into creating a common STIX object repository for the community.  It would seem like Extension Definitions would be a natural fit for such a repository.

 

BTW - I noticed on your IEP example - the property "end_date" has a value of null.  The STIX spec generally would make a property optional if it could be null or empty...

 

                Rich

 

-- 

Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation

781-271-3760

 


 

From: <cti@lists.oasis-open.org> on behalf of Paul Patrick <ppatrick@darklight.ai>
Date: Friday, October 16, 2020 at 1:10 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [EXT] [cti] STIX 2.1 Extension Examples

 

I wanted to share with the community some of the various examples of using the proposed STIX Extensions.

 

Attached is a sample that illustrates:

  • extend the STIX Vulnerability object with both CVSS scoring using the JSON schema directly from FIRST
  • extend the STIX Marking Definition object to create new data marking for IEP
  • convert a couple of MITRE ATT&CK as STIX Attack Patterns representing the current MITRE custom extension using STIX Extensions

 

 

Paul Patrick

 


