CTI STIX Subcommittee

On some SCO objects relationships such as resolves_to_refs have been deprecated in favour of the new SCO relationship mechanism. However, we have not yet codified how one is to traverse these relationships inside a STIX pattern. As a result - there is now no way to match in a pattern against an SCO object that is tying an IP address and a domain name or an IP and an ASN. We have this use case actually in use today - and are unsure how to bring this forward to 2.1. Is the producer supposed to use the deprecated form in order to communicate this use case? Since using the new form, is not going to work with patterning? 2.1 CSD 02 illustrates this problem because resolves_to_refs is marked as deprecated, yet it is used in two different examples. Using deprecated properties in examples is very odd. I think that either guidelines need to be added as to how to handle this use case that exists in 2.1, or resolves_to_refs and belongs_to_refs should not be marked as deprecated. - Jason Keirstead Chief Architect - IBM Security Threat Management www.ibm.com/security "Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure." - Thomas J. Watson

Jason, Would you be able to write up what changes are needed to patterning to address this? Also, if you can point out the sections that have bad examples, we can get them fixed. Bret On Mon, Dec 16, 2019 at 6:38 AM Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: On some SCO objects relationships such as resolves_to_refs have been deprecated in favour of the new SCO relationship mechanism. However, we have not yet codified how one is to traverse these relationships inside a STIX pattern. As a result - there is now no way to match in a pattern against an SCO object that is tying an IP address and a domain name or an IP and an ASN. We have this use case actually in use today - and are unsure how to bring this forward to 2.1. Is the producer supposed to use the deprecated form in order to communicate this use case? Since using the new form, is not going to work with patterning? 2.1 CSD 02 illustrates this problem because resolves_to_refs is marked as deprecated, yet it is used in two different examples. Using deprecated properties in examples is very odd. I think that either guidelines need to be added as to how to handle this use case that exists in 2.1, or resolves_to_refs and belongs_to_refs should not be marked as deprecated. - Jason Keirstead Chief Architect - IBM Security Threat Management www.ibm.com/security "Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure." - Thomas J. Watson -- Thanks, Bret PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 ÂF2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."