oasis-tcs / cti-stix2

OASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products
https://github.com/oasis-tcs/cti-stix2

Relationships for windows-registry-key #225

Open ejratl opened 4 years ago

ejratl commented 4 years ago

We would like to capture additional relationship information between Windows Registry Keys and process SCOs. There is precedence for SCO relationships in the Domain object. For the file object, the proposal is as follows:

**6.7.2 Relationships**

These are the relationships explicitly defined between the Windows Registry Key object and other STIX Objects. The table identifies the relationships that can be made from this object type to another object type by way of the Relationship object.

| Source | Relationship Type | Target | Description |
| --- | --- | --- | --- |
| windows-registry-key | created-by | process | This Relationship describes that this windows-registry-key object was created by a process. |
| windows-registry-key | renamed-by | process | This Relationship describes that this windows-registry-key object was renamed by a process. |
| windows-registry-key | deleted-by | process | This Relationship describes that this windows-registry-key object was deleted by a process. |
| windows-registry-key | modified-by | process | This Relationship describes that this windows-registry-key object was set or modified by a process. |

Example

```json
[
  {
    "type": "windows-registry-key",
    "spec_version": "2.1",
    "id": "windows-registry-key--9d60798d-4e3e-5fe4-af8a-0e4986f0f90b",
    "key": "HKEY_LOCAL_MACHINE\\System\\Foo\\Bar"
  },
  {
    "type": "process",
    "spec_version": "2.1",
    "id": "process--f52a906a-0dfc-40bd-92f1-e7778ead38a9",
    "pid": 1221,
    "command_line": "winword.exe",
    "image_ref": "file--e04f22d1-be2c-59de-add8-10f61d15fe20"
  },
  {
    "type": "relationship",
    "spec_version": "2.1",
    "id": "relationship--57b56a43-b8b0-4cab-9dbe-34e3e1faed9e",
    "relationship_type": "renamed-by",
    "source_ref": "windows-registry-key--9d60798d-4e3e-5fe4-af8a-0e4986f0f90b",
    "target_ref": "process--f52a906a-0dfc-40bd-92f1-e7778ead38a9"
  }
]
```
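As an added example (not part of this issue, the STIX specification or the `stix2` library), the following stdlib-only Python checker parses the three proposed objects as a bundle, validates each `windows-registry-key` relationship against the proposed table (allowed type, resolvable references, identifier prefix matching the object's `type`), and pivots the result into the flat process/action/key view that a behavioral detection would consume. The bundle identifier, the function names and the `executed-by` counter-example are constructed for illustration.

```python
import copy
import json
from typing import Dict, List, Tuple

# The relationship table proposed in the issue, as (source type, relationship_type, target type).
PROPOSED_REGKEY_RELATIONSHIPS = {
    ("windows-registry-key", "created-by", "process"),
    ("windows-registry-key", "renamed-by", "process"),
    ("windows-registry-key", "deleted-by", "process"),
    ("windows-registry-key", "modified-by", "process"),
}

# Constructed sample: the issue's three objects wrapped in a bundle (the bundle id is made up).
# Note the JSON escaping of the registry path: "\\System" in serialized form is one backslash
# once parsed, and there is no trailing comma after "target_ref".
SAMPLE_BUNDLE_JSON = r'''
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "windows-registry-key", "spec_version": "2.1",
     "id": "windows-registry-key--9d60798d-4e3e-5fe4-af8a-0e4986f0f90b",
     "key": "HKEY_LOCAL_MACHINE\\System\\Foo\\Bar"},
    {"type": "process", "spec_version": "2.1",
     "id": "process--f52a906a-0dfc-40bd-92f1-e7778ead38a9",
     "pid": 1221, "command_line": "winword.exe",
     "image_ref": "file--e04f22d1-be2c-59de-add8-10f61d15fe20"},
    {"type": "relationship", "spec_version": "2.1",
     "id": "relationship--57b56a43-b8b0-4cab-9dbe-34e3e1faed9e",
     "relationship_type": "renamed-by",
     "source_ref": "windows-registry-key--9d60798d-4e3e-5fe4-af8a-0e4986f0f90b",
     "target_ref": "process--f52a906a-0dfc-40bd-92f1-e7778ead38a9"}
  ]
}
'''


def load_sample() -> dict:
    """Parse the constructed sample bundle."""
    return json.loads(SAMPLE_BUNDLE_JSON)


def object_type(stix_id: str) -> str:
    """A STIX identifier is '<type>--<uuid>'; the part before '--' is the object type."""
    return stix_id.split("--", 1)[0]


def check_registry_relationships(bundle: dict) -> List[str]:
    """Check every relationship whose source is a windows-registry-key against the
    proposed table and against the bundle's own objects. Returns a list of problems;
    an empty list means every such relationship is allowed and resolvable."""
    by_id: Dict[str, dict] = {o["id"]: o for o in bundle["objects"]}
    problems: List[str] = []
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship":
            continue
        src, tgt, rtype = obj["source_ref"], obj["target_ref"], obj["relationship_type"]
        if object_type(src) != "windows-registry-key":
            continue  # outside the scope of the proposed table
        for ref in (src, tgt):
            if ref not in by_id:
                problems.append(f"{obj['id']}: reference {ref} is not in the bundle")
            elif by_id[ref]["type"] != object_type(ref):
                problems.append(f"{obj['id']}: {ref} names type {object_type(ref)} "
                                f"but the object has type {by_id[ref]['type']}")
        if (object_type(src), rtype, object_type(tgt)) not in PROPOSED_REGKEY_RELATIONSHIPS:
            problems.append(f"{obj['id']}: '{rtype}' to {object_type(tgt)} is not in the "
                            f"proposed windows-registry-key relationship table")
    return problems


def registry_activity(bundle: dict) -> List[Tuple[str, str, str]]:
    """Pivot the bundle into (process command line, action, registry key) rows: the flat
    view a behavioral detection or an analyst's timeline would consume. Unresolvable
    references fall back to the raw identifier instead of raising."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rows = []
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship" or object_type(obj["source_ref"]) != "windows-registry-key":
            continue
        key_obj = by_id.get(obj["source_ref"], {})
        proc_obj = by_id.get(obj["target_ref"], {})
        rows.append((proc_obj.get("command_line", obj["target_ref"]),
                     obj["relationship_type"],
                     key_obj.get("key", obj["source_ref"])))
    return rows


def with_relationship_type(bundle: dict, rtype: str) -> dict:
    """Deep copy of the bundle with every registry-key relationship retyped; used to show
    how the checker rejects a relationship_type that is not in the proposed table."""
    out = copy.deepcopy(bundle)
    for obj in out["objects"]:
        if obj.get("type") == "relationship" and object_type(obj["source_ref"]) == "windows-registry-key":
            obj["relationship_type"] = rtype
    return out


if __name__ == "__main__":
    sample = load_sample()
    print("problems:", check_registry_relationships(sample))
    print("activity:", registry_activity(sample))
    print("retyped:", check_registry_relationships(with_relationship_type(sample, "executed-by")))
```

Keeping the allowed (source, type, target) triples in one set mirrors the proposal's table directly, so extending the table in a later release is a one-line change; the type-prefix check catches the common producer bug of an identifier whose prefix disagrees with the object's `type` field, which the relationship table alone would not reveal.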

jordan2175 commented 4 years ago

Talked about this on the 2020-02-18 working call. We did an up/down vote and 3 people were against and 1 person was for. As chair I did not vote, but would have voted yes. About 10 people abstained. The recommendation is to push to a later release or to have the issue sent to the email list to see if there is broader TC support.

allant0 commented 3 years ago

This is a common relationship that is important for analysis and behavioral detections. So I would agree we should do it, but if this is a material change (I think it is) then we should defer to a future release or extension. But +1 on doing it.

srrelitz2 commented 2 weeks ago

How do we announce overall practice for relationship definitions?