Subject: RE: [Non-DoD Source] [cti] Re: [EXT] Re: [cti] Sightings of Observables with Descriptions
Sorry, for some reason I hadn't received Jane's email. I ended up following Marlon's suggestion to use the Note SDO and relating it to the SCOs I wanted to describe. In this case it was providing additional context for a lot of sensor data that I didn't want to more strongly assert a relationship between. Since most objects in our system allow for descriptions (including SCO instances) this let me craft a fairly quick rule to pull notes into descriptions for object instances. In this case things like adding a Note to an IP saying that it was observed performing a port scan, or that a particular bit of netflow was captured from a sensor. I was debating having the sensor communicating with some other mechanism, but simply using a Note to provide a description ended up giving the cleanest option within our system for the time being. I've attached an example of a single entry made using fake data. Ultimately no extensions or custom objects were needed on the STIX side.

//SIGNED//

Jeffrey Mates, Civ DC3/TSD
Computer Scientist
Technical Solutions Development
jeffrey.mates@dc3.mil
410-694-4335

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Rich Piazza

All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.

Hi Jeff,

Perhaps you could give a few more details about your "weirdness".

a more abstract CTI object, usually an indicator, but a campaign or threat actor, for instance.

Rich

--
Rich Piazza
Lead Cyber Security Engineer
The MITRE Corporation
781-271-3760

On 3/5/21, 10:31 AM, "cti@lists.oasis-open.org on behalf of JG" <cti@lists.oasis-open.org on behalf of jg@ctin.us> wrote:

Jeffrey:

Did you see the Hybrid Extension Example on Page 206 of the STIX2.1 CS02 version? It sounds like something like this might be a good way to shorten the chain that you describe here.

Jane Ginn

On 3/1/2021 12:26 PM, Mates, Jeffrey CIV DC3/TSD wrote:
> I ran into a bit of weirdness when modelling some data I received in STIX 2.1.
> In this case it was with sensor data that had descriptions, and
> from what I can see the only way to get a description of these is to:
>
> 1. Create the SCOs
> 2. Make observations of the SCOs
> 3. Make a sighting of the observations of the SCOs with a description
>
> I suspect it is now too late to do this, but it could be useful if Observed
> Data objects include a description property or if Sighting could be a sighting
> on an SCO directly in order to shorten this chain. If others have run into
> this issue I'm curious how you worked through it.
>
> //SIGNED//
>
> Jeffrey Mates, Civ DC3/TSD
> Computer Scientist
> Technical Solutions Development
> jeffrey.mates@dc3.mil
> 410-694-4335
>

--
*****************************
Jane Ginn, MSIA, MRP
Secretary, OASIS CTI TC
Sponsor, TAC TC
Sponsor, BP TC
jg@ctin.us
001 (928) 399-0509
*****************************

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: Caution-https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
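The Note-to-description approach Jeffrey describes, as an added example that is not part of this thread or of the attached Sensor Example.json: it builds an IPv4 SCO, attaches a Note SDO to it through object_refs, and folds each Note's content into a per-object description the way his "pull notes into descriptions" rule would. The timestamp, IP value and sensor name are constructed, and it uses only the Python standard library rather than the stix2 package.

```python
import json
import uuid

# STIX 2.1 namespace for deterministic SCO identifiers: UUIDv5 over the
# canonical JSON of the ID-contributing properties ("value" for ipv4-addr).
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
TS = "2021-03-05T10:31:00.000Z"  # constructed, fixed timestamp for a stable example


def make_ipv4(value):
    """IPv4 SCO whose id is derived from its 'value', so the same IP maps to one id."""
    key = json.dumps({"value": value}, separators=(",", ":"), sort_keys=True)
    return {"type": "ipv4-addr", "spec_version": "2.1",
            "id": f"ipv4-addr--{uuid.uuid5(SCO_NAMESPACE, key)}", "value": value}


def make_note(content, object_refs, abstract=None):
    """Note SDO: 'content' and a non-empty 'object_refs' list are required properties."""
    if not content or not object_refs:
        raise ValueError("note needs content and at least one object_ref")
    note = {"type": "note", "spec_version": "2.1", "id": f"note--{uuid.uuid4()}",
            "created": TS, "modified": TS, "content": content,
            "object_refs": list(object_refs)}
    if abstract:
        note["abstract"] = abstract
    return note


def notes_to_descriptions(objects):
    """Fold every Note's content into a description for each object it refers to.
    Returns {object id: description}; refs to ids not present in the bundle are ignored."""
    by_id = {o["id"]: o for o in objects}
    descriptions = {}
    for note in sorted((o for o in objects if o["type"] == "note"), key=lambda n: n["created"]):
        for ref in note["object_refs"]:
            if ref in by_id and by_id[ref]["type"] != "note":
                descriptions.setdefault(ref, []).append(note["content"])
    return {k: "\n".join(v) for k, v in descriptions.items()}


def build_bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    ip = make_ipv4("198.51.100.7")  # constructed TEST-NET-2 address
    scan_note = make_note("Observed performing a port scan by sensor edge-01.", [ip["id"]])
    print(json.dumps(build_bundle([ip, scan_note]), indent=2))
    print(notes_to_descriptions([ip, scan_note]))
```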
Attachment: Sensor Example.json (application/json)
Attachment: smime.p7s (S/MIME cryptographic signature)