Flattening of lists within Package is one of the issues that we seem to have general consensus on but have not yet agreed to normative text.
Proposed normative text is now available for your review in the STIX 2.0 Specification Pre-draft document.
It is fairly straightforward and should not take long to consider.
Please review the normative text and add comments to the document for any concerns, questions or ideas you may have.
If we do not see any significant concerns/objections to the normative text by Monday we will consider this issues to have officially achieved consensus and move on to others.
For the quick convenience of anyone having difficulty accessing the live specification pre-draft document the relevant text is included below.
STIX Package Object ( package )
Property
Name
Type
Description
type
(required)
string
Indicates that this object is a STIX Package. The value of this field
MUST
be package
id
(required)
id
From CTI-Common Core
campaigns
(optional)
array
of type campaign
Specifies a set of one or more Campaigns.
course_of_actions
(optional)
array
of type course-of-action
Specifies a set of one or more Courses of Action that could be taken in
regard to one of more cyber threats .
exploit_targets
(optional)
array
of type exploit-target
Specifies a set of zero or more potential targets for exploitation.
identities
(optional)
array
of type identity
Specifies a set of one or more identities of individuals or organizations.
incidents
(optional)
array
of type incident
Specifies a set of one or more cyber threat Incidents.
indicators
(optional)
array
of type indicator
Specifies a set of one or more cyber threat Indicators.
observations
(optional)
array
of type observation
Specifies a set of one or more cyber observations.
references
(optional)
array
of type reference
Specifies a set of one or more references to a non-STIX object
relationships
(optional)
array
of type relationship
Specifies a set of one or more relationships between top-level objects
(TLOs).
reports
(optional)
array
of type report
Specifies a set of one or more reports.
sightings
(optional)
array
of type sighting
Specifies a set of one or more sightings.
threat_actors
(optional)
array
of type threat-actor
Specifies a set of one or more Threat Actors.
tools
(optional)
array
of type tool
Specifies a set of one or more tools that an adversary or analyst may
leverage.
ttps
(optional)
array
of type ttp
Specifies a set of one or more cyber threat adversary Tactics, Techniques
or Procedures (TTPs)