Myself, I would prefer that "tag" or "labels" be added to the base TLO Common Properties instead of having special properties for many TLOs but for some other TLOs we do not have any label / tag method. Analysts should be able to tag / label anything in STIX with anything they want. This facility will help them be able to quickly "look up" and categorize objects. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown Terry MacDonald ---06/29/2016 06:58:00 PM---I don't like the labels field myself. I would prefer the addition of a genetic tag TLO. The communit From: Terry MacDonald <
terry.macdonald@cosive.com> To: "John A. Wunder" <
jwunder@mitre.org> Cc:
cti-stix@lists.oasis-open.org Date: 06/29/2016 06:58 PM Subject: Re: [cti-stix] Labels on STIX TLOs Sent by: <
cti-stix@lists.oasis-open.org> I don't like the labels field myself. I would prefer the addition of a genetic tag TLO. The community does prefer the labels field however, and so... I would make the label field optional, and leave it applied just to the objects we can make a case for. I would worry about using it everywhere, as that will restrict us in the future if we decide to make it more specific to each object. Having one list across all objects would worry me that we are restricting our choices later on. Cheers Terry MacDonald Cosive On 30/06/2016 01:24, "Wunder, John A." <
jwunder@mitre.org > wrote: All,
One of the topics that came up across several items on the call yesterday was the “labels” field that currently exists on Indicator, Malware, and Tool. The field is an array of values from an open vocabulary (indicator-label-ov, malware-label-ov, and tool-label-ov respectively).
We have a couple of open questions:
1. Should the labels field be required or optional?
a. If we make labels required, do we need to add a value of “other” to the vocabulary? This will help tools/users who can’t find an existing value in the vocabulary that works but don’t want to make one up. 2. Which TLOs need the labels field? It’s on Indicator, Malware, and Tool now but has not been added to Campaign or Attack Pattern.
a. Allan has suggested adding it across all top-level objects. Does that make sense, or should we consider it on a case-by-case basis?
b. Allan also suggested that if we don’t add it across all top-level objects, it should be added to Campaign. Are there other TLOs that we should add it to, even if we don’t add it across all of them?
To be honest I don’t really have a strong opinion either way. What do you think?
John