June 2014 Community Meeting

John Wunder edited this page Jul 9, 2014 · 1 revision

Attendees

Around 37 community members joined the call.

Minutes

Report Object

  • Sean characterized the recent discussion.
  • Aharon (DTCC/FS-ISAC) – building a system that manipulates and transmits lots of STIX data.
    • No requirement for data within a STIX_Package to be related in any way. Because of that they produce and consume data that isn’t related and is in the same STIX_Package.
    • Aharon wants a way to know that certain data is related within a STIX_Package.
  • Trey Darley – There are enough ways of representing data and relationships
  • Mike Pepin – It would be useful to have a way of saying “These X objects have a relationship” and “Those Y objects have a relationship” without having to break them up into separate XML instance documents.
  • Aharon – Lots of times, a conglomerate of data will come in a single STIX_Package.
    • The use case: “A new object that correlates objects together, by ID, with a specific context”.
  • Sean described the STIX_Packages construct, and asked if Aharon wants/needs something else.
  • Ben Yates – I think many people look at STIX objects as being first class objects that can relate to each other. The vision seems to be that people will make huge piles of first class objects that are related. The problem is that they feel like first class objects but they are not, because they are stuck in a STIX_Package, which implies some kind of meaning.
    • Sometimes Ben wants to group things by meaning
    • Report object is a better name, is a first class object
  • Sean: sees why the naming is something that could be improved, the reason why we didn’t change STIX_Package to report within STIX 1.1 is because a name change would have broken backwards compatibility. However, he thinks that the capability is there.
  • Ben – Assume a case where I want to assemble a large number of objects, but don’t want a relationship between them. They are required to be in a STIX_Package, which implies a meaning that doesn’t exist.
  • Sean – You could specify that through the Package Intent
  • Aharon – The problem is that the package sometimes means intent and sometimes doesn’t.
  • ??? – As an analogy, being able to tell forwarded mail (unrelated) from mail from a lawyer (related).
  • No consensus, plenty of discussion
  • Bret (Bluecoat) – likes the idea of what FS-ISAC is proposing, would like the details/full implications of the proposal. Having vast amounts of info and marrying it with other repos is hard. Would like a definitive example.

STIX Team can better help you

  • Marlon – Thinks it would be helpful to see “hey, I can extend this vocabulary”. Help non-XML people. Possibly show extending a vocab, creating a new vocab.
  • An editor that uses the APIs to create a STIX editor
  • Ben Yates – Likes both ideas
  • python-stix has no support for new vocab definitions
  • the xsi:type is lost
  • Bryan – python-stix can accept arbitrary values
  • Mike Pepin – Use the validator as the gold standard. Will we go back to make sure the validator “is doing this”?
    • Aka accepting foreign vocabularies.
    • Bryan – should be able to
    • CISCP data doesn’t validate against the validator because they add vocabulary entries.
    • Ben Yates – XSI type is dropped, string is compared with one file
    • It would be nice if “libstix” had a way to compare objects.

Documentation Improvements

  • Pat Maroney – so many ways to skin a cat, work on the websites is fantastic, great improvement. More examples and idioms.
  • Bret/Bluecoat – more examples that go into more detail, not just a basic concept. Sent out a message to the list, didn’t really get a response about an HTTPRequest Chain (?). Sometimes it’s not clear, when you are switching namespaces, how to fit that all together.
  • Pat – new tools to create content / idioms, could we have a quick session where we teach people how to contribute to stixproject.github.io.
  • There seem to be a few different ways to put things in STIX; it would be nice to get MITRE (or community) guidance on how to do specific things. Document common things seen on a host or on a network.
    • Handling botnet activity
  • Marlon – extension of vocabularies idiom

Open source data feeds to map

  • Number of vendors working to map open source data feeds

LMCO Briefing

  • LMCO will post slides to discussion list
  • STIX team needs to figure out how to host community profiles

Free form

  • Profiles – Main thing: making them machine-automatable would be nice. They have to be human readable by non-technical people and machine readable.
  • Requests for a roadmap

Action Items

  • Create some documentation for controlled vocabulary creation
  • Create an idiom for working with controlled vocabs
  • LMCO to post slide deck to stix-discussion-list
  • Determine how to host community profiles
  • Develop/publish a roadmap