[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: Storing the Incident extension definition in the OASIS CTI common STIX object repository
Since we’re (evidently) not going to try to address the global issue of representing Incidents as a top-level concept (at this time), then does it make sense to just create this extension (or create another)
as a model of the DC3 ICF? Given the OMB ICF tie-in it needs to be an exact match. Curious what the DC3 Team thinks. Patrick Maroney From:
cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Rich Piazza <rpiazza@mitre.org> Hi Jeff, You may have seen the email that is forwarded (below) about where to store extension definitions.
I was wondering if you could create a pull request for your Incident extension definition. As it says below, DHS/CISA is trying to encourage individuals/organizations who are creating extension definitions
to store them in a common repository. If you feel that your extension definition is just a draft, you may want to wait, but I don’t think there is any harm in “advertising” it now in the common repository. There is a version property on the extension
definition object which would help deal with improvements to the draft. Rich -- Rich Piazza Lead Cyber Security Engineer The MITRE Corporation 781-271-3760 From: <cti@lists.oasis-open.org> on behalf of Rich Piazza <rpiazza@mitre.org> Hi All, With introduction of extensions in STIX 2.1, we are left with the issue of where to store extension definition objects, related schemas, and documentation. Previously we had the SEP repository, which would have
been the location to store such information and “advertise” it to other community members. What is being proposed in this email is NOT required of anyone defining extensions or producing and/or consuming content with extensions, but it is something like the SEP repository which would be useful to STIX
users. We are not sure if this proposal needs to be voted on by the TC. However, we are looking for comments, suggestions, etc., to make this as useful as possible to the community. The recently introduced OASIS CTI common object repository (https://github.com/oasis-open/cti-stix-common-objects)
seems like a good place to store extension information. As part of AIS, DHS/CISA defined ACS data markings and it has been implemented as an extension. We will use it as an example of what we have in mind for storing extension information in that repository. If you go to the repository, it contains a directory called objects. Within this directory are subdirectories for each STIX object type, which contain individual common objects of that object type. Each file
contains one object. The format of the file is a bundle that contains the one object. A directory for extension objects would contain files who names are extension-definition-<id
property of object>.json. See: https://github.com/oasis-open/cti-stix-common-objects/tree/adding-extensions/objects/extensions Here is the file contents for the ACS data marking extension definition: { "type": "bundle", "id": "bundle--1d3fa741-e3bd-451a-acf5-b2f01d075ba7", "objects": [ { "id": "extension-definition--3a65884d-005a-4290-8335-cb2d778a83ce", "type": "extension-definition", "spec_version": "2.1", "name": "isa-acs-3-0", "description": "This schema adds ACS data markings", "created": "2021-02-01T00:00:00.000000Z", "modified": "2021-02-01T00:00:00.000000Z", "created_by_ref": "identity--b3bca3c2-1f3d-4b54-b44f-dac42c3a8f01", "version": "1.0.0", "extension_types": [ "property-extension" ] } ] } Notice the created_by_ref property. This is the id of a STIX identity object that DHS/CISA has chosen for itself. In this repository (NOT a STIX spec requirement) , the name property of the extension definition must correspond with the name of the json schema file (which we will discuss next), assuming there is a json schema
for the extension. The schema property of that object contains a URL that refers to the directory that contains the json schema and documentation for the STIX representation of ACS data markings. These are stored in a different
directory which is a sibling of the objects directory - extension-definition-specifications. Note: these URLs are “live” so you can see what is being proposed, but they are not final, as they exist on a branch in the GitHub repository (for instance, in the final URLs “adding-extensions” would be replace
by “main”) Since the name property of the extension definition is “isa-acs-3-0”, the json schema will be found in: Documentation for this extension is provided in the same directory. It should be in the same style as the STIX specification. Using Word is suggested. If a JSON schema is included, another file is needed by the CTI STIX Validator. It must be named using the type of object that is being extended. For instance, since ACS data markings are an extension of the
marking-definition type – the following file is needed: View that file to understand the concept. Some details of the contents of this file still need to be worked out to specify extensions so they are easy to incorporate into the validator. Contributing Your Extension Assuming this proposal is acceptable, the following guidelines would be used to add new extension definitions to the repository.
Currently the maintainers of this repository are me and Chris Lenk (both of MITRE), but it would be preferable to have others from the TC involved. Rich P. -- Rich Piazza Lead Cyber Security Engineer The MITRE Corporation 781-271-3760 |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]