STIX 2.0 Tranche 1 Plan: Indicators - STIXProject/specifications GitHub Wiki
Indicator tranche plan
Objective:
To discuss and reach consensus on all in-scope tracker issues for STIX 2.0 that are required to support common indicator use cases.
Target completion date:
February 29, 2016
Proposed workflow:
- Raise and describe the issue with a brief wiki writeup.
- Discuss the issue on the list and/or Slack (with summaries made on the list). Anyone with a proposed solution may add details of their proposal (proposed normative text, examples, diagrams, schema, etc., clearly marked as a proposal) to the wiki and announce it to the list.
- Discuss, debate, and review proposals, commenting as appropriate within the defined time window to work towards consensus.
- Discuss key issues on the weekly working call.
- If consensus (unanimous, or at least no strong objections) is reached:
  - Capture normative language in the pre-draft spec document
  - Capture consensus changes in the JSON Schema implementation
  - Capture consensus changes in the UML model
  - Capture a statement of consensus in the issue tracker
  - Mark the issue tracker item as “Consensus Achieved”
  - Clearly mark relevant issue wiki pages as “Consensus Achieved”, or potentially move them to a separate Consensus repo to avoid confusion
- If consensus is not achieved (a strong objection exists) within the allowed time window:
  - Discuss and decide whether the issue is absolutely necessary for the MVP and, if not, decide to postpone it
  - OR
  - Capture the current consensus status in the issue tracker, mark it as “Consensus Stalled”, move on to other issues, and revisit the issue during the last week of the tranche
  - OR
  - Decide to hold a formal vote to settle the issue (more likely for core critical issues)
Proposed prioritization/plan for dealing with Indicator tranche issues (as laid out below):
- Week 1 (2/1 - 2/5)
  - Very brief comment window (1 week) on all “Consensus asserted” items below, and then tie them off
  - Tackle CTI Common “Partial consensus asserted” items below
    - IDable construct fields
    - Source reference approach and fields
    - Relationships
- Week 2 (2/8 - 2/12)
  - Tackle General STIX & CybOX “Partial consensus asserted” items below
  - Tackle Sightings and Indicator structure
- Week 3 & 4 (2/15 - 2/26)
  - Tackle Patterning (thinking on this is currently occurring and will not stop; this is only a time set aside for focused discussion)
  - Tackle Versioning (likely okay if we don’t completely tie this one off)
  - Tackle the time range format, the Indicator_Type vocab, and the ability to assert an indicator as a false positive
Issues:
- CTI Common
  - Consensus asserted
    - Object ID format and requirement (STIX #301, 221)
    - Remove abstract base types for “top-level” objects (STIX #311, 386) (F2F consensus)
    - Remove Short_Description (STIX #194) (F2F consensus)
    - External_IDs property on all IDable constructs (STIX #358, 187) (F2F consensus)
    - Controlled Vocabularies (STIX #141)
      - Simplify structure for Controlled Vocabularies (F2F consensus)
    - Refactor report object (STIX #385) (F2F consensus)
    - Data Markings (STIX #8, 231, 379, 378, 185)
    - Discrete Timestamp format (STIX #294)
  - Partial consensus asserted (some open questions remain)
    - Key constructs all extend from a common IDable construct base type (STIX #148)
      - Consensus on approach
      - Open questions on which fields and names of fields
    - Relationships (STIX #291, 201, 139)
      - Subclassing
      - Develop one or more vocabularies for RelationshipType/Relationship (STIX #4)
    - Separate Source construct (STIX #233, 263)
      - Consensus on approach
      - Open questions on how to relate it to content
      - Which fields belong on Source?
  - Open topics
    - Time range format
      - Separate fields, or leverage ISO 8601’s use of “/” as an extension of the consensus discrete-timestamp approach
    - Patterning
      - Separate patterns and instances (STIX #375)
      - Add capability for variable substitution in CybOX for patterning (CybOX #317)
      - Add capability to incorporate temporal context and ordering into CybOX patterns (CybOX #316)
      - Lists in CybOX object fields (CybOX #380)
      - Separate Patterns and Instances in CybOX Observables and Objects (CybOX #381)
      - Create Separate Patterning Syntax/Language (CybOX #420)
      - Determine Patterning Language Operators (CybOX #421)
      - Determine Patterning Language Syntax (CybOX #422)
      - Indicator Composition (STIX #200)
    - Versioning
- CybOX-specific
  - Consensus asserted
  - Partial consensus asserted (some open questions remain)
    - Refactor/Deprecate Base DataTypes (CybOX #416)
    - Issues around Object Subclassing (CybOX #411)
    - Common object refactoring complete
  - Open topics
- General STIX
  - Consensus asserted
    - Flatten all aggregating list layers (STIX #262)
    - Flatten all the list types in STIXType (STIX #382)
    - Refactor TTP (STIX #360) (F2F consensus)
  - Partial consensus asserted (some open questions remain)
    - Kill Chains (STIX #47, 117, 241, 208, 190, 191)
  - Open topics
- Indicator-specific
  - Consensus asserted
  - Partial consensus asserted (some open questions remain)
  - Open topics
    - Sightings (STIX #306, 359, 240, 198)
      - Two-ended relationship or one-ended assertion?
    - Indicator structure (refactoring so that Observable and Test Mechanism are integrated into a single approach)
      - Indicator structure simplification (STIX #376)
    - Indicator_Type vocab (STIX #243)
    - Ability to assert that an indicator is a false positive (STIX #307)