CTI STIX Subcommittee

  • 1.  Use cases....

    Posted 12-04-2015 01:28
    Greetings folks.

    Was going over the STIX Wiki looking at the use-case pages and noticed that none of them seem to provide any actual use-cases. Most (if not all) are merely titles with the stock template. The only real use-cases seem to be in XML, which is tedious for a documentation format. That and the current use-case template doesn't seem to define anything resembling a "use-case" but rather meta-information about the use-case.

    I wasn't able to find anything of the form "if condition A AND condition B or condition C then take this action" that define actual use-cases. Are there any plans for the templates to be modified to better reflect this, or for the current Wiki pages to be "fleshed out" enough to make them actually useful?

    --
    christian o. hunt
    principal engineer
    cvoid@newcontext.com
    gpg key available on request


  • 2.  Re: [cti-stix] Use cases....

    Posted 12-05-2015 04:07
    Greetings,

    I get your point.
    I would recommend to look at the Algorithms in the attached document to understand what Christian is (I think :)) asking for.
    I strongly suggest to use this method.
    (But, of course, both Christian and me would have to participate... ;-))

    Best regards

    Attachment: Scalable_Security-Cyber_Threat_Information_Sharing_in_the_Internet_Age.pdf
    Description: Adobe PDF document


  • 3.  Re: [cti-stix] Use cases....

    Posted 12-05-2015 05:11
    Jerome:

    Thanks for the PDF. Another interesting find.

    By applying insights from computing to policy designs using the computational policy technique, we can leverage greater knowledge to obtain better outcomes and more scalable policy solutions to the pressing, growing, “large-n” problems of modern life, including but not limited to cybersecurity.

    It is a stretch from the Algorithms section of that paper to flushing out Use Cases (as Christian suggests)...but, I get the link you are making. Agreed. We need to do this as a foundational part of Sean's Roadmap.

    Jane

    --
    Jane Ginn, MSIA, MRP
    Cyber Threat Intelligence Network, Inc.
    jg@ctin.us


  • 4.  Re: [cti-stix] Use cases....

    Posted 12-05-2015 14:49
    Christian - dumb question. Are you asking about the existing STIX 1.x use cases or the proposed STIX 2.0 use cases?

    Aharon


  • 5.  Re: [cti-stix] Use cases....

    Posted 12-07-2015 18:19
    On 12/5/15 6:49 AM, Aharon Chernin wrote:
    > Christian - dumb question. Are you asking about the existing STIX
    > 1.x use cases or the proposed STIX 2.0 use cases?

    The wiki at https://github.com/STIXProject/use-cases/wiki is where I was looking.

    --
    christian o. hunt
    principal engineer
    cvoid@newcontext.com
    gpg key available on request


  • 6.  Re: [cti-stix] Use cases....

    Posted 12-07-2015 19:30
    Hi Christian,

    I apologize for the delayed response. Fighting fires as usual.

    You are correct that many of the use cases have been identified but not fleshed out. Most of these use cases were implicitly identified and understood as part of the development of STIX over the last few years but were never explicitly codified in an official way. As you can imagine capturing them all now after the fact is a significant amount of work especially for areas where the community may not have 100% consensus agreement.

    Given the amount of effort required and the desire of the community to continue to make progress on known issues with the language and not take a long pause to get all of the use cases perfect it was decided that we would flesh out use cases as rapidly as we could while still moving forward. For specific issues we are discussing we will attempt to ensure the relevant use cases are fleshed out.

    The reality is that doing this fleshing out of use cases is not the job of any particular people and will require all of us to contribute our thoughts and time in working on them. The wiki pages for the use cases are all open for folks to actively contribute. The more time we can get from the community to contribute this way the faster we can get them all fleshed out.

    If this is something you feel passionate/knowledgeable about and are willing to put some time into it we would love to have you involved. Similarly, if you have specific recommendations for what sort of information you feel is important please feel free to suggest it. It may be a good idea to pick a particular use case and any specific suggested additions or adornments you would like to propose and then point us to it as an example. That way we can all talk about it and decide if it is something that would be beneficial across the set of use cases.

    Thank you for your input and we look forward to further discussing this with you.

    sean