STIX 2.0 Proposal3: Add Alternative_IDs to all top level objects (#358, #187) - STIXProject/specifications GitHub Wiki

Issue Summary

While formal STIX-based identifiers are necessary for unambiguously addressing or relating STIX-based content it is also often useful to specify non-STIX-based identifiers for the content from other systems or contexts.

Such fields for alternative identifiers currently exist on Indicators (Alternative_ID) and on Incidents (External_ID).

It would be useful for such capabilities to exist for all STIX IDable constructs with a consistent naming convention.

This is the same issue as "#187"

Proposed

This proposal presumes the approval of the proposal to "Extend core constructs from a single base type (#148)".

Create a new AlternativeIDType and add it as a property to the base IDableConstructType that all IDable constructs derive from.

Actions

  • Create a new AlternativeIDType datatype in stixCommon that is a specialization of BasicString and has the following property:
    • definer
      • this property enables specifying a simple definer/context for the alternative identifier
    • reference
      • this property enables specifying a reference for the alternative identifier
  • Create the following property on IDableConstructType (presumes the approval of the proposal "Extend core constructs from a single base class (#148)"
    • Alternative_ID : AlternativeIDType [0..*]

Proposed Model

Examples

Example #1: simple Indicator with Alternative ID

Example #2: simple Incident with Alternative_ID

Example #3: simple Campaign with Alternative_ID

JSON Schema Serialization snippets

Example #1:

{
	"id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
	"type": "indicator",
	"timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
	"alternative_id": [
		{
			"value": "19-25665",
			"definer": "ACME Indicator Repository"},
		{"value" : "Trojan.Sakurel"}
	],
	"title": "Sakurel Malware",
	"indicator_expression": "this would be an observable pattern for a particular file hash using the new CybOX patterning language under consideration",
	"indicator_type": [
		{
			"value": "File Hash Watchlist",
			"vocab": "indicator-type-vocab-1.1"			
		}
	]
}

Example #2:

{
	"id": "example:inc-83422c77-904c-4dc1-aff5-5c38f3a2c55c",
	"type": "incident",
	"timestamp": { "value" : "2015-12-21T19:59:17.000000+00:00" },
	"alternative_id": [
		{
			"value": "99374453700",
			"definer": "HC CERT RTIR"
		}
	],
	"title": "Anthem Breach",
	"status": {
		"value": "Incident Reported",
		"vocab": "incident-status-vocab-1.0"
	}
}

Example #3:

{
	"id": "example:cam-83422c77-904c-4dc1-aff5-5c38f3a2c55c",
	"type": "campaign",
	"timestamp": { "value": "2015-12-21T19:59:17.000000+00:00" },
	"alternative_id": [
		{"value": "BlackVine"}
	],
	"title": "Black Vine Healthcare Campaign",
}

JSON Serialization example snippets

Open Questions