Open nor3th opened 2 years ago
We discussed this at the STIX WG meeting today. SROs allow for someone who did not create the objects to assert a relationship between them. Embedded references allow for the object creator to assert a relationship that is a component part of the object.
Hey @ejratl
Thank you very much for your response. What's the use case for restricting somebody who didn't create the object from changing the created relationships? Shouldn't the software the analyst uses be responsible for read/write permissions and not the data structure standard itself? Also, why do the creator and the consumer then have a different set of relationships they can use?
I did some further digging and it also seems to me that the nested references are required for the STIX indicator pattern? https://github.com/oasis-tcs/cti-stix2/issues/202
Thanks
Hey
I have a basic question concerning nested references/properties and SROs. In my understanding, nested references (of type identifier) like the SDO Malware's `sample_refs` aim at referencing files or artifacts which are a sample of the given malware entity. A hypothetical SRO of type `sample` (File/Artifact - sample -> Malware) would have the same meaning (creating a directional n to 1 relationship).

The most confusing example of nested reference vs SRO is the Domain-Name's `resolves-to` property. An analyst can use either the nested reference `resolves_to_refs` or the `resolves-to` SRO. Only with the SRO is the analyst able to set the first/last seen property values. https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_i2zf5h7vnrd9

Hence my question: what is the point of having nested references AND SROs in the STIX 2.1 schema, if either of those approaches achieves the same result?
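The two representations discussed in this thread, side by side, as an added example that is not part of the original issue or of the STIX specification: a Domain-Name object carrying `resolves_to_refs`, and a separate `resolves-to` relationship SRO created by another identity with a time window. All ids, values and timestamps are constructed, and `resolves_to_edges` is a hypothetical helper showing how a consumer could merge both forms.

```python
# Constructed sample bundle; every id, value and timestamp is made up.
DOMAIN = "domain-name--00000000-0000-4000-8000-000000000001"
IP_A = "ipv4-addr--00000000-0000-4000-8000-000000000002"
IP_B = "ipv4-addr--00000000-0000-4000-8000-000000000003"
THIRD_PARTY = "identity--00000000-0000-4000-8000-000000000004"

BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000005",
    "objects": [
        {"type": "ipv4-addr", "id": IP_A, "value": "198.51.100.7"},
        {"type": "ipv4-addr", "id": IP_B, "value": "203.0.113.9"},
        # Embedded reference: part of the domain-name object itself.
        {"type": "domain-name", "id": DOMAIN, "value": "example.com",
         "resolves_to_refs": [IP_A]},
        # SRO: a separate object, here asserted by another identity,
        # carrying a time window the embedded list cannot express.
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-000000000006",
         "created_by_ref": THIRD_PARTY,
         "created": "2021-03-01T00:00:00.000Z", "modified": "2021-03-01T00:00:00.000Z",
         "relationship_type": "resolves-to",
         "source_ref": DOMAIN, "target_ref": IP_B,
         "start_time": "2021-01-10T00:00:00.000Z",
         "stop_time": "2021-02-20T00:00:00.000Z"},
    ],
}

def resolves_to_edges(bundle):
    """Merge both representations into one edge list for a consumer."""
    edges = []
    for obj in bundle["objects"]:
        if obj["type"] == "domain-name":
            for target in obj.get("resolves_to_refs", []):
                edges.append({"source": obj["id"], "target": target,
                              "via": "embedded", "asserted_by": None,
                              "start_time": None, "stop_time": None})
        elif (obj["type"] == "relationship"
              and obj.get("relationship_type") == "resolves-to"):
            edges.append({"source": obj["source_ref"], "target": obj["target_ref"],
                          "via": "sro", "asserted_by": obj.get("created_by_ref"),
                          "start_time": obj.get("start_time"),
                          "stop_time": obj.get("stop_time")})
    return edges

if __name__ == "__main__":
    for edge in resolves_to_edges(BUNDLE):
        print(edge)
```

The embedded edge has no asserter or time window of its own because it is a property of the Domain-Name object, while the SRO edge records both.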