STIX 2.0 Tranche 1 Plan: Indicators - STIXProject/specifications GitHub Wiki

Indicator tranche plan

Objective:

To discuss and reach consensus on all in-scope tracker issues for STIX 2.0 that are required to support common indicator use cases.

Target completion date:

February 29, 2016

Proposed workflow:

  • Raise and describe the issue with a brief wiki writeup
  • Discuss the issue on the list and/or Slack (with summaries made on the list). Anyone with a proposed solution may add details of their proposal (proposed normative text, examples, diagrams, schema, etc., clearly marked as a proposal) to the wiki and announce it to the list.
  • Discuss, debate, review proposals, comment as appropriate within defined time window to work towards consensus.
  • Discuss key issues on weekly working call.
  • If consensus (unanimous or at least no strong objections) reached:
    • Capture normative language in pre-draft spec document
    • Capture consensus changes in JSON Schema implementation
    • Capture consensus changes in UML model
    • Capture statement of consensus in issue tracker
    • Mark issue tracker as “Consensus Achieved”
    • Clearly mark relevant issue wiki pages as “Consensus Achieved” or potentially move them to a separate Consensus repo to avoid confusion
  • If consensus not achieved (strong objection exists) within allowed time window:
    • Discuss and decide whether the issue is absolutely necessary for MVP and, if not, postpone it
    • OR
    • Capture current consensus status in issue tracker, mark as “Consensus Stalled”, move on to other issues and revisit the issue during the last week of the tranche
    • OR
    • Hold a formal vote to decide (more likely for core critical issues)

Proposed prioritization/plan for dealing with Indicator tranche issues (as laid out below):

  • Week 1 (2/1 - 2/5)
    1. Very brief comment window (1 week) on all “Consensus asserted” items below and then tie them off
    2. Tackle CTI Common “Partial consensus asserted” items below
    3. IDable construct fields
    4. Source reference approach and fields
    5. Relationships
  • Week 2 (2/8 - 2/12)
    1. Tackle General STIX & CybOX “Partial consensus asserted” items below
    2. Tackle Sightings and Indicator structure
  • Week 3 & 4 (2/15 - 2/26)
    1. Tackle Patterning (Thinking on this is currently occurring and will not stop. This is only a time set aside for focused discussion.)
    2. Tackle Versioning (Likely okay if we don’t completely tie this one off)
    3. Tackle Time range format, Indicator_Type vocab and ability to assert indicator as false positive

Issues:

  • CTI Common
    • Consensus asserted
      • Object ID format and requirement (STIX #301, 221)
      • Remove abstract base types for “top-level” objects (STIX #311, 386) (F2F consensus)
      • Remove Short_Description (STIX #194) (F2F consensus)
      • External_IDs property on all IDable constructs (STIX #358, 187) (F2F consensus)
      • Controlled Vocabularies (STIX #141)
        • Simplify structure for Controlled Vocabularies (F2F consensus)
      • Refactor report object (STIX #385) (F2F consensus)
      • Data Markings (STIX #8, 231, 379, 378, 185)
      • Discrete Timestamp format (STIX #294)
    • Partial consensus asserted (some open questions remain)
      • Key constructs all extend from a common IDable construct base type (STIX #148)
        • Consensus on approach
        • Open questions on which fields and names of fields
      • Relationships (STIX #291, 201, 139)
        • Subclassing
        • Develop one or more vocabularies for RelationshipType/Relationship (STIX #4)
      • Separate Source construct (STIX #233, 263)
        • Consensus on approach
        • Open questions on how to relate it to content
        • Which fields belong on Source?
    • Open topics
      • Time range format
        • Separate fields, or leverage the ISO 8601 use of “/” for intervals as an extension of the consensus discrete timestamp approach.
      • Patterning
        • Separate patterns and instances (STIX #375)
        • Add capability for variable substitution in CybOX for patterning (CybOX #317)
        • Add capability to incorporate temporal context and ordering into CybOX patterns (CybOX #316)
        • Lists in CybOX object fields (CybOX #380)
        • Separate Patterns and Instances in CybOX Observables and Objects (CybOX #381)
        • Create Separate Patterning Syntax/Language (CybOX #420)
        • Determine Patterning Language Operators (CybOX #421)
        • Determine Patterning Language Syntax (CybOX #422)
        • Indicator Composition (STIX #200)
      • Versioning
  • CybOX-specific
  • General STIX
  • Indicator-specific
    • Consensus asserted
    • Partial consensus asserted (some open questions remain)
    • Open topics
      • Sightings (STIX #306, 359, 240, 198)
        • 2-ended-Relationship or 1-ended-assertion?
      • Indicator structure (refactoring so that Observable and Test Mechanism are integrated into a single approach)
        • Indicator structure simplification (STIX #376)
      • Indicator_Type vocab (STIX #243)
      • Ability to assert that an indicator is a false positive (STIX #307)