-
Notifications
You must be signed in to change notification settings - Fork 7
Active Issue: IDable Construct Properties
sbarnum edited this page Feb 2, 2016
·
23 revisions
There is general agreement that top-level objects across CTI (STIX and CybOX) should extend from a common base class (have a common set of properties). This was agreed to at the face to face and has not been challenged. Discussion still remains to reach consensus on the common set of properties that should be on this common base class and what they should be named.
| Property Name | Type | Description |
|---|---|---|
| id (required) | IDFormat | A globally unique identifier for this object |
| type (required) | String | The type of construct being represented. This is a fixed value for each top-level object, formatted as all lowercase with ‘-’ as a separator (e.g. attack-pattern). This is a serialization-based field and derives from the type of the construct in the model. |
| marking_refs (optional) | Array | The set of “Level 1” markings (see STIX specification) applied to this object. |
| structured_markings (optional) | Array | The set of “Level 2” markings (see STIX specification) applied to this object. |
| ----controlled_structures (required) | Array | A list of path selection statements (e.g. JSONPath), rooted at the top-level object that structured_markings is contained in, that the marking_refs apply to. |
| ----marking_refs (required) | Array | The list of markings that apply to the fields selected by controlled_structures. |
| external_ids (optional) | Array | A list of IDs from external contexts/systems |
| ----id (required) | IDFormat | The external ID itself |
| ----url (optional) | URL | A link to the construct in the external context/system. |
| Property Name | Type | Description | Consensus gap |
|---|---|---|---|
| created_at (required) | Timestamp | The time that the object with this ID was created | Specific name of property field |
| created_by_ref (optional) | String | The ID of the Identity Object that describes who created this Object. Please note this is not who produced the analysis of information referred to contained within the Object, but who actually created the Object itself. | Open question of whether this should be embedded here as an exception to the "one way of doing things" for relationships or if it should be captured as separate relationship |
| revision (optional - although required in some circumstances) | Integer | This field is ONLY used if the object is a revision of an original object. The original version of the object is not allowed to contain a revision field. | Open question that must be resolved by full discussion and consensus on the broader topic of Versioning |
| revoked (optional) | Boolean | This field identifies that all versions of the Object identified by the id field are ‘revoked’ and should be considered invalid. Only the producer of the information can revoke the object. The revoked field MUST only be used when a producer wishes to revoke some information they have shared previously. The revoked field MUST be accompanied by a revision field indicating this as the newest version. A revoked object cannot be ‘unprovoked’. | Open question that must be resolved by full discussion and consensus on the broader topic of Versioning |
| marking_definitions (optional) | Array | An array of 1 or more marking definitions. Each definition contains two fields used to apply markings (id and marking_type) and additional fields to define the marking itself. | Open question whether this property only exists on Package or on any IDable construct |
| ----id (required) | IDFormat | A globally unique identifier for this marking definition. | Open question whether this property only exists on Package or on any IDable construct |
| ----type (required) | data-marking | The type of construct this is. | Open question whether this property only exists on Package or on any IDable construct |
| ----marking_type (required) | String | The type of marking this represents. | Open question whether this property only exists on Package or on any IDable construct |
| ----(other fields to represent marking data) | Various | Used to represent the marking itself. | Open question whether this property only exists on Package or on any IDable construct |
| ----marking_refs (required) | Array | The list of markings that apply to the fields selected by controlled_structures. | |
| external_ids (optional) | Array | A list of IDs from external contexts/systems | The below sub-property is the only non-consensus item for external_ids |
| ----source_tool_ref (optional) | String | An embedded reference to a Tool Object identifyingier for the system that the external ID is defined in. | It is an open question exactly what this property needs to be able to refer to: organization? context? tool? |