OASIS Mailing List Archives: openc2-imple message
Subject: OCA OpenDXL-Ontology vs OpenC2 - topic for IC-SC


I'm sending this as sfractal, not OpenC2 chair. I'd like to add another topic to the IC-SC agenda.

 

The OCA OpenDXL-Ontology has a FAQ (https://github.com/opencybersecurityalliance/opendxl-ontology/wiki/FAQ#general) about OpenC2 as follows:

Q: How is the OpenDXL Ontology different from OpenC2?

A: The goal of the OpenDXL Ontology is to incorporate many different common and open standards (OpenC2 being one of them). The ontology supports "actions" which on the surface appear similar to OpenC2 "commands". However, the goal of the ontology is to take full advantage of the messaging fabric that it is based upon. Thus, it should be possible to send a single "action" message to the fabric and have multiple services respond (one to many). For example, a client might send a single "quarantine action" message to the fabric and have a diverse set of services take action (a firewall, endpoint, and ticketing system). Supporting one action to many responses requires that OpenDXL Ontology actions be more generic than their OpenC2 counterparts.

The OpenDXL Ontology also supports the concept of "notification" messages. These are messages that are used to notify clients currently connected to the fabric when significant events occur (a virus is detected, etc.). OpenC2 does not currently have an equivalent concept.

 

I have my own views on this statement; but before I open an issue with the OCA, I think this should be discussed in the IC-SC to make sure I'm not off base.

 

I do agree we do not have "notifications" – although that is an open item for OC2, so maybe we will have them at some point.

 

I also agree we do not have "compound" actions as yet. This is another can we kicked down the road.

 

However, I do think OpenC2 over OpenDXL is a topic being worked in IC-SC, and maybe we should work it harder (i.e. not wait for McAfee to submit something to OC2, since I infer from all this that they are choosing to submit to OCA – we can read them on OCA).

 

I don't personally think OpenDXL "actions" are different than OC2 "commands" in cases other than those mentioned above (compound/atomic, notifications). E.g. I think OpenDXL "blacklist" (see https://github.com/opencybersecurityalliance/opendxl-ontology/blob/master/schema/actions/blacklist_url_actions.json) is the same as OC2 "deny", and I see no value in using a different word.

 

Similarly, OpenDXL chose a different API structure than the OpenC2 HTTPS spec – i.e. they take some of the info out of the JSON and put it in the URL, and their JSON also has some differences. https://github.com/opencybersecurityalliance/opendxl-ontology/blob/master/schema/actions/blacklist_url_actions.json is the JSON for one example. To see the URL differences requires leaving opendxl-ontology and going into opendxl – which strictly speaking is not an OCA project (I'll confess I don't totally understand the distinction), and I can't find the example (hopefully someone can by the meeting). I think you can infer it from https://github.com/OAI/OpenAPI-Specification/blob/master/examples/v2.0/json/petstore-separate/spec/swagger.json (e.g. the "target", pet in this example, is in the URL (lines 30, 65, 90, …)), but I thought I had a more obvious example somewhere.

 

Rather than many people creating potentially conflicting issues on the OCA system, I'd prefer we discuss first so we could present a coherent case for harmonization of OpenDXL and OpenC2.

 

Whatever we decide, we should also have a "How is the OpenDXL Ontology different from OpenC2?" in the OpenC2 GitHub.

 

 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/
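Added example to make the structural point in the message concrete (this is not code from the thread, from OASIS, sFractal, OCA or McAfee): it builds an OpenC2 "deny" command as the OpenC2 Language Spec v1.0 defines it (action, target, optional args and command_id, with "uri", "domain_name" and "ipv4_net" as real v1.0 target names) and encodes it the way the OpenC2 HTTPS Transfer Spec v1.0 does, with the whole command in the POST body under the `application/openc2-cmd+json;version=1.0` media type. It then shows a constructed "path-style" encoding that moves the action and target into the URL path, which is the general idea the message describes; the path layout, `/actions` prefix and body shape are assumptions for illustration, not the real OpenDXL Ontology or OpenDXL schema. The round-trip function shows that both encodings carry the same information, which is the harmonization question the message raises.

```python
"""OpenC2 'everything in the body' HTTPS encoding vs. a constructed
path-style encoding that carries the target in the URL.

Assumptions (not from the thread): the path-style layout
/<base>/<action>/<target-type>/<url-encoded target value> is made up here
to illustrate "info moved from the JSON into the URL"; it is NOT OpenDXL's schema.
"""
import json
from urllib.parse import quote, unquote

# Media types from the OpenC2 HTTPS Transfer Spec v1.0
OPENC2_CMD_MEDIA_TYPE = "application/openc2-cmd+json;version=1.0"
OPENC2_RSP_MEDIA_TYPE = "application/openc2-rsp+json;version=1.0"

# Subset of OpenC2 v1.0 target types accepted by this example
ALLOWED_TARGETS = {"uri", "domain_name", "ipv4_net"}


def build_deny_command(target_type, target_value, command_id=None, duration=None):
    """Build an OpenC2 v1.0 'deny' command (action + target, optional args/command_id)."""
    if target_type not in ALLOWED_TARGETS:
        raise ValueError(f"unsupported target type: {target_type}")
    cmd = {"action": "deny", "target": {target_type: target_value}}
    if duration is not None:
        cmd["args"] = {"duration": int(duration)}  # args.duration is a v1.0 common arg
    if command_id is not None:
        cmd["command_id"] = command_id
    return cmd


def openc2_https_request(cmd, endpoint="/openc2"):
    """OpenC2 HTTPS style: single POST endpoint, the path carries no command semantics."""
    return {
        "method": "POST",
        "path": endpoint,
        "headers": {"Content-Type": OPENC2_CMD_MEDIA_TYPE},
        "body": json.dumps(cmd, sort_keys=True),
    }


def parse_openc2_https_request(req):
    """Consumer side: check the media type, then decode the full command from the body."""
    if req["headers"].get("Content-Type") != OPENC2_CMD_MEDIA_TYPE:
        raise ValueError("not an OpenC2 command request")
    cmd = json.loads(req["body"])
    if "action" not in cmd or "target" not in cmd:
        raise ValueError("OpenC2 command requires action and target")
    return cmd


def path_style_request(cmd, base="/actions"):
    """CONSTRUCTED path-style encoding: action and target go into the URL,
    everything else (args, command_id) stays in a plain JSON body."""
    (ttype, tvalue), = cmd["target"].items()  # OpenC2 commands have exactly one target
    path = f"{base}/{cmd['action']}/{ttype}/{quote(tvalue, safe='')}"
    body = {k: v for k, v in cmd.items() if k not in ("action", "target")}
    return {
        "method": "POST",
        "path": path,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body, sort_keys=True),
    }


def path_style_to_openc2(req, base="/actions"):
    """Recover the OpenC2 command from the path-style request; shows the two
    encodings are information-equivalent for single-target commands."""
    prefix = base + "/"
    if not req["path"].startswith(prefix):
        raise ValueError("unexpected path prefix")
    parts = req["path"][len(prefix):].split("/", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("path must be <action>/<target-type>/<target-value>")
    action, ttype, tvalue = parts
    if ttype not in ALLOWED_TARGETS:
        raise ValueError(f"unsupported target type in path: {ttype}")
    cmd = {"action": action, "target": {ttype: unquote(tvalue)}}
    cmd.update(json.loads(req["body"]))
    return cmd


def openc2_response(status, status_text=None, results=None):
    """OpenC2 v1.0 response: integer status, optional status_text/results."""
    rsp = {"status": int(status)}
    if status_text is not None:
        rsp["status_text"] = status_text
    if results is not None:
        rsp["results"] = results
    return {"headers": {"Content-Type": OPENC2_RSP_MEDIA_TYPE},
            "body": json.dumps(rsp, sort_keys=True)}


if __name__ == "__main__":
    # Constructed sample target; not a real indicator
    cmd = build_deny_command("uri", "http://bad.example/path?x=1", command_id="cmd-1", duration=3600)
    print(openc2_https_request(cmd))
    print(path_style_request(cmd))
    print(openc2_response(200, "blocked"))
```

The difference that matters for harmonization is visible in the two request shapes: in the OpenC2 encoding a consumer can dispatch entirely on the body (the URL is fixed), while in the path-style encoding the action and target must be parsed and validated out of the path before the body is even read, so an implementation bridging the two needs the URL-decoding and target-type checks shown in `path_style_to_openc2`.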
