STIX 2.0 Proposal3: Add Alternative_IDs to all top level objects (#358, #187) - STIXProject/specifications GitHub Wiki
Issue Summary
While formal STIX-based identifiers are necessary for unambiguously addressing or relating STIX-based content it is also often useful to specify non-STIX-based identifiers for the content from other systems or contexts.
Such fields for alternative identifiers currently exist on Indicators (Alternative_ID) and on Incidents (External_ID).
It would be useful for such capabilities to exist for all STIX IDable constructs with a consistent naming convention.
This is the same issue as "#187"
Proposed
This proposal presumes the approval of the proposal to "Extend core constructs from a single base type (#148)".
Create a new AlternativeIDType and add it as a property to the base IDableConstructType that all IDable constructs derive from.
Actions
- Create a new AlternativeIDType datatype in stixCommon that is a specialization of BasicString and has the following property:
- definer
- this property enables specifying a simple definer/context for the alternative identifier
- reference
- this property enables specifying a reference for the alternative identifier
- definer
- Create the following property on IDableConstructType (presumes the approval of the proposal "Extend core constructs from a single base class (#148)"
- Alternative_ID : AlternativeIDType [0..*]
Proposed Model
Examples
Example #1: simple Indicator with Alternative ID
Example #2: simple Incident with Alternative_ID
Example #3: simple Campaign with Alternative_ID
JSON Schema Serialization snippets
Example #1:
{
"id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
"type": "indicator",
"timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
"alternative_id": [
{
"value": "19-25665",
"definer": "ACME Indicator Repository"},
{"value" : "Trojan.Sakurel"}
],
"title": "Sakurel Malware",
"indicator_expression": "this would be an observable pattern for a particular file hash using the new CybOX patterning language under consideration",
"indicator_type": [
{
"value": "File Hash Watchlist",
"vocab": "indicator-type-vocab-1.1"
}
]
}
Example #2:
{
"id": "example:inc-83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"type": "incident",
"timestamp": { "value" : "2015-12-21T19:59:17.000000+00:00" },
"alternative_id": [
{
"value": "99374453700",
"definer": "HC CERT RTIR"
}
],
"title": "Anthem Breach",
"status": {
"value": "Incident Reported",
"vocab": "incident-status-vocab-1.0"
}
}
Example #3:
{
"id": "example:cam-83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"type": "campaign",
"timestamp": { "value": "2015-12-21T19:59:17.000000+00:00" },
"alternative_id": [
{"value": "BlackVine"}
],
"title": "Black Vine Healthcare Campaign",
}