1309 osint extension #1310
1309 osint extension #1310
Conversation
PavelJurka
requested review from
floydtree,
pagbabian-splunk,
Aniak5,
mikeradka,
zschmerber,
jonrau-at-queryai and
davemcatcisco
as code owners
pagbabian-splunk
added
enhancement
|
As per the discussion today, we should push this off until 1.5.0. There is a mixture of STIX and vendor-specific (S1) concepts in here that clash with the more genericized incarnation of OSINT. I feel the schema does either require a specific campaign object, a STIX Extension, or we create a separate CTI/Threat Intel Profile/Object that is either standalone or extends OSINT. |
jonrau-at-queryai
added
v1.5.0 or later
and removed
v1.4.0
| @@ -1497,6 +1502,36 @@ | |||
| "description": "Specific pattern, algorithm, fingerprint, or model used for detection.", | |||
| "type": "string_t" | |||
| }, | |||
| "detection_pattern_type": { | |||
| "caption": "Detection Pattern", | |||
| "description": "Specifies the type of detection pattern used to identify the associated threat indicator. This field identifies whether the pattern is based on behavioral analysis, static indicators, or heuristic methods.", | |||
There was a problem hiding this comment.
The standard formula of words used for the description of a string sibling to an enum is:
The Foo, normalized to the caption of the foo_id value. In the case of 'Other', it is defined by the event source.
Yes, there are some exceptions to this but they are defects to my mind.
| }, | ||
| "99": { | ||
| "caption": "Other", | ||
| "description": "Any other type of detection pattern type." |
There was a problem hiding this comment.
The standard formula of words used for the description of the 99 value in any enum is:
The foo is not mapped. See the
fooattribute, which contains a data source specific value.
| @@ -5221,6 +5272,11 @@ | |||
| "description": "The size in bytes of an attribute before truncation. See specific usage.", | |||
| "type": "integer_t" | |||
| }, | |||
| "uploaded_time": { | |||
| "caption": "Uploaded Time", | |||
| "description": "The timestamp indicating when the associated indicator or intelligence was added to the system or repository.", | |||
There was a problem hiding this comment.
A dictionary attribute like uploaded_time is likely to have uses beyond your specific use case here. So I think you should change the description in the dictionary to something more general (e.g. "The timestamp at which an entity was uploaded. See specific usage.") and then provide the description specific to your usage in the place where it's referenced in the osint object.
| "attributes": { | ||
| "name": { | ||
| "description": "The name of a specific campaign associated with a cyber threat.", | ||
| "requirement": "optional" |
There was a problem hiding this comment.
Is it conceivable that there could be a campaign without a name? If not, then it should be required.
Related Issue:
#1309
Description of changes:
We want to use the OSINT profile for threat intelligence, however there are some fields missing from what we currently have. We should align naming to STIX.