CTI STIX Subcommittee

  • 1.  Sighting, Observation, and Indicator updated

    Posted 04-07-2016 20:12

    Hey folks,

    A group of us spent some time hashing through how sighting, observation, and indicator work together (notional tie-in to CybOX and patterning). It’s all reflected in the pre-draft specs for STIX:  https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit

    We’ve had pretty good agreement on this so I think at this point we’re ready to move into the review phase. Please take a look at these definitions, fields, and examples and see if they work for you.

    PS: The “kind of indicator” (indicator type, indicator category) vocabulary discussion kind of stalled. Who’s interested in that topic? Can we get a small group to work together to make progress on that and bring back a proposal? As a reminder, there was also a suggestion to split that single field into a field for pattern type and a field for threat type.

    John

  • 2.  Re: [cti-stix] Sighting, Observation, and Indicator updated

    Posted 04-08-2016 13:22

    A hearty "Great Work!" John (and all who have contributed).

    Since I'm spamming the list for a good cause:

    A hearty "Great Work!" to Ivan & contributors as well on (1) outlining the different options for CybOX Object representations and (2) providing example Gist references showing how each of the different options looks for various use cases.

    Check 'em out - there are links in the document, but you can also access the Gists directly.  You can comment/pose questions, etc. on individual Gists and if your use cases aren't represented, add 'em