
Proposal: Reports Cannot Embed Content

John Wunder edited this page Mar 23, 2015 · 3 revisions
  • Status: Rejected
  • Closed: March 23, 2015
  • Issue: #223

Per previous conversations on the mailing list and in-person calls, the FS-ISAC Report Object Proposal has been accepted for version 1.2 of STIX. In order to present the big picture of whether or not to include the report construct at all, certain decisions had to be made, but the specifics of those decisions were not discussed by the community.

This proposal presents in detail the decision to prohibit reports from embedding content. The other report object proposals are:

Background

STIX uses a standard mechanism to represent relationships that allows for related content to be either embedded inside the relationship source or related via @idref.

Referenced:

<stix:Indicator>
  <indicator:Related_TTPs>
    <indicator:Related_TTP>
      <stixCommon:TTP idref="id-to-related-ttp" />
    </indicator:Related_TTP>
  </indicator:Related_TTPs>
</stix:Indicator>

Embedded:

<stix:Indicator>
  <indicator:Related_TTPs>
    <indicator:Related_TTP>
      <stixCommon:TTP id="id-of-ttp">
        <ttp:Title>Some TTP</ttp:Title>
        <!-- SNIP Rest of TTP -->
      </stixCommon:TTP>
    </indicator:Related_TTP>
  </indicator:Related_TTPs>
</stix:Indicator>

The current proposal for the report object, however, ONLY allows content in a report to be related by reference; it cannot be embedded. Essentially, only the first option above is allowed for this type of relationship.

This has two side effects:

  1. The Report => Content relationship is different from most other relationships in STIX. The Indicator => Campaign relationship is another example of a reference-only relationship, but in general most relationships do not follow this pattern.
  2. A use case where a report is published and content is included as part of that report is somewhat less efficient to communicate:

Without Embedded Content

<stix:STIX_Package>
  <stix:Indicators>
    <stix:Indicator id="id-to-indicator">
      <!-- SNIP -->
    </stix:Indicator>
  </stix:Indicators>
  <stix:Reports>
    <stix:Report>
      <report:Indicators>
        <report:Indicator idref="id-to-indicator" />
      </report:Indicators>
    </stix:Report>
  </stix:Reports>
</stix:STIX_Package>

With Embedded Content

<stix:STIX_Package>
  <stix:Reports>
    <stix:Report>
      <report:Indicators>
        <stix:Indicator id="id-to-indicator">
          <!-- SNIP -->
        </stix:Indicator>
      </report:Indicators>
    </stix:Report>
  </stix:Reports>
</stix:STIX_Package>

Though the difference seems small when comparing short snippets, with reports that carry a lot of content the extra markup can get fairly long:

The balance to this, however, is the semantic separation between reports and content.
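What a consumer has to do under each option, as an added example that is not part of this proposal or of the STIX project's code: a resolver that walks a report's Indicators, accepts both the embedded (child carrying an id) and the referenced (idref) form, and flags idrefs that match nothing in the package. The namespace URIs, the example: ids and the sample package are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample package (not from the page); namespace URIs are the STIX 1.x ones
# as assumed here. It mixes a resolvable idref, an embedded Indicator and a dangling idref.
SAMPLE_PACKAGE = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:report="http://stix.mitre.org/Report-1">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1"/>
  </stix:Indicators>
  <stix:Reports>
    <stix:Report id="example:report-1">
      <report:Indicators>
        <report:Indicator idref="example:indicator-1"/>
        <stix:Indicator id="example:indicator-2"/>
        <report:Indicator idref="example:indicator-missing"/>
      </report:Indicators>
    </stix:Report>
  </stix:Reports>
</stix:STIX_Package>"""


def local_name(tag):
    """Strip the namespace URI from an ElementTree tag ('{uri}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def resolve_report_indicators(package_xml):
    """Return {report_id: (resolved_ids, dangling_idrefs)} for every Report,
    accepting both the embedded (child with `id`) and referenced (`idref`)
    forms. An idref that matches nothing in the package is reported as
    dangling instead of being silently dropped."""
    root = ET.fromstring(package_xml)
    # Index every element that declares an id, whatever construct it is.
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    results = {}
    for report in root.iter():
        if local_name(report.tag) != "Report":
            continue
        resolved, dangling = [], []
        for indicators in report:
            if local_name(indicators.tag) != "Indicators":
                continue
            for entry in indicators:
                if entry.get("id"):                # embedded content
                    resolved.append(entry.get("id"))
                elif entry.get("idref") in by_id:  # reference that resolves
                    resolved.append(entry.get("idref"))
                else:                              # reference to nothing here
                    dangling.append(entry.get("idref"))
        results[report.get("id")] = (resolved, dangling)
    return results
```

A consumer that only ever has to support the referenced form can drop the embedded branch, which is the simplification the proposal trades against the extra markup.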

Decision Point: Should Report constructs be allowed to contain content, or should they only reference content defined elsewhere?

Feedback

Feedback can be sent to the public STIX discussion list (make sure to join first), as a public comment on the GitHub issue for the report object, or sent privately to the core STIX team at stix@mitre.org.
