[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Recap from Working Call
|
All,
We made a lot of progress on today's working call and found a few more areas where we need further discussion.
Cyber Observable Object IDs We were able to process all of the suggestions for the SCO IDs that would be used for Deterministic IDs. During this discussion, however, we discovered a problem with how we used the old "object_ref" definition and how we want to use the new "deterministic_id" definition.
Simply changing this without careful attention to the text, would result in breaking changes that do not follow our desire to simple deprecate versus break. One proposal on the call was to simply add another property for each one of these properties. However, after reviewing that as editors, this would cause a property explosion and could cause a lot of problems for patterning. The Editors will take an action item to put together some proposed text that should help with this and will plan on bringing this proposal to the TC for the next working call.
Observed Data We started talking about the Observed Data changes today. It was brought up that adding a new property to capture the refs for objects needs to allow SROs as well as SCOs. This is not new functionality as one person suggested, since the existing Cyber Observable Container has both objects and their relationships. If you have comments of suggestions, please add them to the document BEFORE the next working call.
Versioning a Cyber Observable One of the TC members has a use case where they need to be able to version a cyber observable (SCO). But given the current design of having nearly all of the properties be optional for Cyber Observables, means you can easily get into problems when you try to version them. This is probably going to cause us to have to review that requirement and the common properties that are on all SCOs. Yes, this is a loaded topic and some feel very strongly about it. So lets all try to work together to find a solution that works and is understandable by the rest-of-the-world.
Vocabularies Right now the direction the editors are going to take with Vocabularies is to move all vocabularies to Part 1 and put text language every where they are used that tells a reader where to find them in Part 1. Then in Part 1, in the actual vocab definition, we will do the reverse and say which objects use that vocabulary. This should help people find all vocabs. If you have any concerns with this change, as we discussed on the call today, please bring them up on the email list or over slack.
GitHub Issues The editors are going to start triaging and addressing a lot of the basic GitHub Issues. The plan is to send information to the list and allow people 1 week to comment on the issues. If you are in objection to a change, it is imperative that you either speak up on the list or note your concern in the GitHub Issue itself.
Actions Items
1) Review Observed Data and make suggestions in the document 2) Think carefully about how one would version a cyber observable 3) If you are interested in Infrastructure, please join the slack channel #infrastructure and watch for emails to the list on this topic. We are hoping that a mini-group will go off and come back to the TC with a more fleshed out proposal. 4) Do a detailed final review of Grouping, Malware, and Malware Analysis
Topics for Next Week A) Discuss Observed Data B) Discuss the object_ref IDs, Deterministic IDs, and normal IDs (Editors will put forth a text proposal for this) C) Discuss Cyber Observable Deprecation Changes
Thanks Bret
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]