STIX 2.0 Proposal5 : Abstract Source to top level construct rather than embedded only within other constructs (#233) - STIXProject/specifications GitHub Wiki

Issue Summary

The source of STIX information is currently captured on many core constructs using InformationSourceType on properties with varying names.

The varying property names cause confusion and having the source as an embedded property within other constructs limits its pivoting ability for sources of content as well as with other identity-based constructs.

There is a stated desire from the community to be able to treat source as a separate concept/construct that can be related to various content and eventually support evaluative metadata about sources such as reliability and credibility.

Proposed

Create a new Source class as a specialization of the IdentityType class to yield the ability to specify identifying details of a given source.

Include the following properties on the new Source class:

  • Tools: ToolInformationType [0..*]
  • References: URI [0..*]

Presuming approval of #291, create a new Related_Source relationship type that can be asserted from any STIX IDable construct instance to a Source instance to specify it as the source of that content.

Proposed Model

Note that field name differences for information source are no longer relevant with abstracting Source and Relationships.

Examples

Example #1: simple indicator with attributed source for the information

JSON Serialization example snippets

Example #1:

{
	"id": "example:src-83dc6b53-ac3d-40e0-82ef-eab173c7ee1e",
	"type": "source",
	"timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
	"name": "US-CERT"
}

{
	"id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
	"type": "indicator",
	"timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
	"title": "Sakurel Malware",
	"indicator_expression": "this would be an observable pattern for a particular file hash using the new CybOX patterning language under consideration",
	"indicator_type": [
		{
			"value": "File Hash Watchlist",
			"vocab": "indicator-type-vocab-1.1"			
		}
	]
}

{
	"id": "example:rel-9d0c539e-a874-42c7-a055-3e900b98724f",
	"type": "related-source",
	"timestamp": { "value" : "2015-12-21T19:59:12.000000+00:00" },
	"from": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
	"to": "example:src-83dc6b53-ac3d-40e0-82ef-eab173c7ee1e",
	"relationship_nature": {
		"value": "Has Source"
	}
}

JSON Schema Serialization snippets

Open Questions