Sorry for some reason I hadnât received Janeâs email. I ended up following Marlonâs suggestion to use the Note SDO and relating it to the SCOs I wanted to describe. In this case it was it was providing additional context for a lot of sensor data that I didnât want to more strongly assert a relationship between.
Since most objects in our system allow for descriptions (including SCO instances) this let me craft a fairly quick rule to pull notes into descriptions for object instances. In this case things like adding a Note to an IP saying that it was observed performing a port scan, or that a particular bit of netflow was captured from a sensor.
I was debating having the sensor communicating with some other mechanism, but simply using a Note to provide a description ended up giving the cleanest option within our system for the time being. Iâve attached an example of a single entry made using fake data. Ultimately no extensions or custom objects were needed on the STIX side.
//SIGNED//
Jeffrey Mates, Civ DC3/TSD
Computer Scientist
Technical Solutions Development
jeffrey.mates@dc3.mil
410-694-4335
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Rich Piazza
Sent: Friday, March 5, 2021 2:03 PM
To: cti@lists.oasis-open.org
Subject: [Non-DoD Source] [cti] Re: [EXT] Re: [cti] Sightings of Observables with Descriptions
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
Hi Jeff,
Perhaps you could give a few more details about your "weirdness".
- Was this a new type of SCO, or one of the ones from the spec â but you just wanted to represent more information?
- I assume âdescriptions descriptionsâ is a typo, and not something I donât understand?
- As Jane says â why not just use an extension?
- If either adding a new property or a whole new SCO â does the property name have to be âdescriptionâ?
- The idea behind a sighting isnât that you observed an SCO (thatâs what Observed Data is for), Itâs that you are making an inference that you have âsightedâ
a more abstract CTI object, usually an indicator, but a campaign or threat actor, for instance.
Rich
--
Rich Piazza
Lead Cyber Security Engineer
The MITRE Corporation
781-271-3760
ïOn 3/5/21, 10:31 AM, "cti@lists.oasis-open.org on behalf of JG" <cti@lists.oasis-open.org on behalf of jg@ctin.us> wrote:
Jeffrey:
Did you see the Hybrid Extension Example on Page 206 of the STIX2.1 CS02
version? It sounds like something like this might be a good way to
shorten the chain that you describe here.
Jane Ginn
On 3/1/2021 12:26 PM, Mates, Jeffrey CIV DC3/TSD wrote:
> I ran into a bit of weirdness when modelling some data I received in STIX 2.1.
> In this case it was with sensor data that had descriptions descriptions, and
> from what I can see the only way to get a description of these is to:
>
> 1. Create the SCOs
> 2. Make observations of the SCOs
> 3. Make a sighting of the observations of the SCOs with a description
>
> I suspect it is now too late to do this, but it could be useful if Observed
> Data objects include a description property or if Sighting could be a sighting
> on an SCO directly in order to shorten this chain. If others have run into
> this issue I'm curious how you worked through it.
>
> //SIGNED//
>
> Jeffrey Mates, Civ DC3/TSD
> Computer Scientist
> Technical Solutions Development
> jeffrey.mates@dc3.mil
> 410-694-4335
>
--
*****************************
Jane Ginn, MSIA, MRP
Secretary, OASIS CTI TC
Sponsor, TAC TC
Sponsor, BP TC
jg@ctin.us
001 (928) 399-0509
*****************************
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
Caution-https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php