-
Notifications
You must be signed in to change notification settings - Fork 7
STIX 2.0 Proposal16 : Refactor Report Object (#385)
sbarnum edited this page Dec 23, 2015
·
1 revision
This issue presumes that:
- Issue #148 will result in all IDable constructs being derived from a common base class
- Issue #201 will result in prohibition of any IDable construct content being embedded within other IDable construct content except for Package
- Issue #291 will result in all relationships between IDable constructs being defined using separate relationship-based constructs rather than within the related IDable constructs themselves
Given all of the above, the basic structure of the Report object as it exists in STIX 1.2.1 should likely change significantly.
The purpose of the Report object is to convey some context to some set of STIX content. In STIX 1.2.1, the Report object could be thought of as a file folder that specified some shared context (like a cover page to the folder) and then specified inline or referenced the set of content that the context applies to.
Given the above likely issue resolutions for STIX 2.0 the following will be true:
- it will no longer be possible to specify the content embedded within the Report object itself references to STIX content (which in reality are simply relationships between the Report and the content) will be specified using separate relationship-based constructs
- the relationship-based constructs will very likely be IDable constructs themselves so the relationships to the content relevant for the Report will be specified external to the Report construct itself.
- This leaves the Report construct much more like just the report cover page rather than a container like a folder. This cover page (Report construct) would still convey context like title & description (likely inherited from the IDable construct base class) and intent (likely the only remaining native property of the Report class.
Report becomes more of a report cover page for asserting context.
Actions:
- make Report an extension from the Assertion class making it an IDable construct with the ability to specify Confidence in the context being asserted by the Report
- remove all duplicate properties from Report that it gets from base IDable construct class
- this means Report Header reduces down to only Intent which can be flattened out to a property directly of the Report class
- remove all of the content list aggregators (e.g. Indicators) from Report class
- Reports will be conveyed by specifying a Report object to capture the report context and then a set of externally defined relationship objects asserting a "Report Contains" relationship from the Report to the relevant content
New benefits:
- Can now specify Confidence associated with the Report
- Can now characterize the nature of relationship between the Report and each piece of associated content as well as assert Confidence on each asserted relationship
Example #1: simple Report with Source and containing a TTP, an Indicator and a Campaign
Example #1:
{
"id": "example:rep-84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
"type": "report",
"timestamp": {
"value": "2015-07-28T00:00:00.000000+00:00",
"timestamp_precision": "day"
},
"title": "The Black Vine Cyberespionage Group",
"description": "...",
"intent": [
{
"value": "Threat Report",
"vocab": "report-intent-vocab-1.0"
}
],
"confidence": {
"value": {
"value": "High",
"vocab": "high-medium-low-vocab-1.0"
}
}
}
{
"id": "example:src-a463ffb3-1bd9-4d94-b02d-74e4f1658283",
"type": "source",
"timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
"name": "Symantec",
"role": {
"value": "Initial Author",
"vocab": "information-source-role-vocab-1.0"
},
"references": ["http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf"]
}
{
"id": "example:rel-a05d8c6a-ccea-4a0a-a8e0-68dfe85fbfa9",
"type": "contributing-source",
"timestamp": {"value": "2015-12-21T19:59:14.000000+00:00"},
"from": "example:rep-84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
"to": "example:src-a463ffb3-1bd9-4d94-b02d-74e4f1658283",
"relationship_nature": {"value": "Contributing Source"}
}
{
"id": "example:rel-f82356ae-fe6c-437c-9c24-6b64314ae68a",
"type": "related-ttp",
"timestamp": {"value": "2015-12-21T19:59:17.000000+00:00"},
"from": "example:rep-84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
"to": [
"example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
],
"relationship_nature": { "value": "Report Contains" }
}
{
"id": "example:rel-f82356ae-fe6c-437c-9c24-6b64314ae68a",
"type": "related-indicator",
"timestamp": {"value": "2015-12-21T19:59:17.000000+00:00"},
"from": "example:rep-84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
"to": [
"example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
],
"relationship_nature": { "value": "Report Contains" }
}
{
"id": "example:rel-72f666b6-f1db-4b2c-82e3-71ab49a84be1",
"type": "related-campaign",
"timestamp": {"value": "2015-12-21T19:59:17.000000+00:00"},
"from": "example:rep-84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
"to": [
"example:cam-83422c77-904c-4dc1-aff5-5c38f3a2c55c",
],
"relationship_nature": { "value": "Report Contains" }
}