Update each SDO doc to include Stix v2.1 Examples, if there weren't any #32
Conversation
There was a problem hiding this comment.
X-oca-asset
This can be an SCO and we will accept changing it to one, that should remove a few of the elements
On line 14: “spec (optional)” needs to be “spec_version (required)”
Line 16: modified (optional) should be modified (required)
X-oca-behavior
spec_version should be required, not optional
Modified should be required, not optional
X-oca-detection
spec_version should be required, not optional
Modified should be required, not optional
X-oca-detector
spec_version should be required, not optional
Modified should be required, not optional
X-oca-geo
spec_version should be required, not optional
Modified should be required, not optional
X-oca-playbook
spec_version should be required, not optional
Modified should be required, not optional
All fixed and pushed as an update. Thanks for the comments, happy to keep refining, cheers |
|
The PR looks good to me. Thanks much for your update and added examples @brettforbes ! |
2.x/SCO/x-oca-asset.md
Outdated
| In SIEM terminology which collects events from many systems - it is used to describe where the events took place. | ||
| It is referenced in the [`x-oca-event`](./x-oca-event.md) object. | ||
|
|
||
| While `x-oca-asset` specifies the host on which the associated event occurred, it may provide extenstions to describe addtional entities of tne runtime environment. In a cloud environment the event may occur within a container that is running or a partcular pod on the host. `x-oca-asset` uses a separate extension for each addtional runtime entity. Please note that as per the STIX [2.0](http://docs.oasis-open.org/cti/stix/v2.0/cs01/part3-cyber-observable-core/stix-v2.0-cs01-part3-cyber-observable-core.html#_Toc496715388)and [2.1](https://docs.oasis-open.org/cti/stix/v2.1/csprd01/stix-v2.1-csprd01.html#_Toc16070830), COOs/SCOs can have any number of extenstions. |
There was a problem hiding this comment.
"tne runtime environment" should be "the runtime environment", assuming this is a typo.
There was a problem hiding this comment.
Fixed, I didn't actually write this stuff, but its great for you to point it out at this time, as it is easy for me to correct it.
Thanks a heap
2.x/SCO/x-oca-asset.md
Outdated
| | **spec_version** (optional) | `string` | The value of this property MUST be 2.1 for STIX Objects defined according to this specification. | | ||
| | **extensions** | `dictionary` | Specifies any extensions of the object, as a dictionary. | | ||
| | **device_id** | `string` | The ID of the device. | | ||
| | **hostname** (required)|`string`|name of this host| |
There was a problem hiding this comment.
It's minor, but should ensure that the descriptions are either all capitalized or none are.
There was a problem hiding this comment.
Thanks for pointing that out, there should be a preposition as well, since thats how most descriptions start. So i made it
"The name of the host"
|
|
||
| The container asset extension represents a container. | ||
|
|
||
| | property name | type | description | |
There was a problem hiding this comment.
Probably falls out of scope for what you are trying to do, but these descriptions aren't great. They are obvious (except for container type which is somewhat vague) so not a big deal or anything.
There was a problem hiding this comment.
Wow, great pick.
This "type" field is a clear example of the need for controlled language, and hence should actually be either an Enum (fixed set of strings, cannot be added to) or a Vocab (set of strings, can be added to).
Can you give us a list of strings/descriptions for this type field @subbyte , and your choice of Enum versus Vocab??
It will be easy to add a small table to the markdown doc, and create support in our OCA Vocab repo
2.x/SCO/x-oca-asset.md
Outdated
| "type": "x-oca-asset", | ||
| "ip_refs": ["0", "2"], | ||
| "hostname": "example host", | ||
| "host_id": "123A", |
There was a problem hiding this comment.
Is this just git being weird or do these have odd tab spacing?
There was a problem hiding this comment.
Aah yes, in your examples, which i copied originally, and then edited, there was a lot of hand-created different types of spacing. We should never use spacing in a json, as it will visualise differently on different formats (IDE vs web).
I had to feed all of my stuff through online space eliminators for json files. Then you use the auto json layout of your IDE, then update it that way. But unfortunately i did not fix any spacing in the original v2.0 examples, so they are still there.
I manually removed these spaces you indicate, which should fix the problem's you have highlighted
2.x/SCO/x-oca-asset.md
Outdated
| "image_name": "us.icr.io/...", | ||
| "container_type": "crio" | ||
| }, | ||
| "x-oca-pod-ext": { |
|
Hi Guys, Thanks very much for shepherding me through my first PR to a public repo, I appreciate it. I'm actually more of a modeller in different disciplines than an actual computer scientist, so i appreciate working with the big dogs. As you know our aim is to blend your OCA extensions, with the existing Stix Incident Management extensions and Identity Contact extensions we currently support. I think its a perfect match, the Stix Incident Management extensions are focused on providing a single layer, at the Sightings Level, where, provenance for each of the 8 different types of evidence can be gathered, thus evidence can be weighted and the decision process semi-automated (e.g. Assessment of Competing Hypotheses), all in Stix. Stix 21 Evidence Model v8.pptx Behaviours are just a 9th type of evidence, with a well -defined provenance and much higher weighting. They are the next step up from a basic Sighting Analytic, or OCSF Alert in terms of signal quality and weighting, as they are based on a series of deductions made on telemetry, either a prior-discovered pattern or perhaps as the result of a Hunt. Behaviours are less likely to be a false positive and should be able to generate a call to a CACAO server, to run a CACAO workflow from the library (easy if they are using our OS Threat app). On the other hand, I can't help but feel that the specificity of the Behaviour SDO, and some of the other great ones (x-oca-detection, x-oca-detector, x-coa-playbook etc.) is diminished by being associated with objects with clearly ambiguous meanings which are purely derived from fixed rules and telemetry. They are observables and should be taken in context:
I found these objects inside the examples I edited, inside an Observed Data object, so they are clearly telemetry. In our view:
You guys are the first to innovate by integrating telemetry into Stix (i.e. Stix-Shifter, Kestrel, Behaviours), and thus you guys are the cutting edge for integration of Stix with OCSF, 3rd-party detection tools and Kestrel hunts. To finish this PR, we probably should build the vocab or enum object for Container "Type" property. Can you comment please @subbyte? Respectfully, once this is complete, my next PR will shift those objects into the SCO category, deleting the Sighting objects in the examples, and placing the above objects in the Observed Data "observed_data_refs" fields in the examples, and probably avoiding the need for a whole load of code for you guys. If this next PR is accepted, all that Dev will have to do is the relatively straightforward change of the Observed Data object referencing from v2.0 to v2.1. Thoughts? |
Altered some of the docs to include new Stix 2.1 examples, based on:
In short, through some relatively minor changes, we upgrade each document page to include a Stix 2.1 example