STIX CS02 Feedback: Sighting first_seen and last_seen

oasis-tcs / cti-stix2

OASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products

https://github.com/oasis-tcs/cti-stix2

Other

24 stars 9 forks source link

STIX CS02 Feedback: Sighting first_seen and last_seen #247

Closed marlontaylor closed 3 years ago

marlontaylor commented 3 years ago

Recommendation: If first_seen and last_seen are both defined, then last_seen MUST NOT be earlier than the first_seen value.

This requirement prevents the ability to provide both first_seen and last_seen in a Sighting that occurred once where the first_seen and last_seen are the same. There is a desire to provide first_seen and last_seen even when they match and the current statement seems to inadvertently prevent this use-case.

jordan2175 commented 3 years ago

New Text: If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property.

Adjusted text in Campaign. Infrastructure was right. Adjusted Intrusion Set. Adjusted Malware. Adjusted Threat Actor. Adjusted Sighting. Changes made in Master Document. While this is a normative statement, this is a bug and does not really change the meaning of the normative statement. It just makes it more clear.