Is a Self-Referential "created_by_ref" valid for an Identity??

[brettforbes]

Hi,

Going through the certification tests for Stix 2.1, and it is clear that the system that produced the data was not Stix compliant.

Nevertheless, it produced many identity objects with self-referential "created_by_ref" fields, which has resulted in this issue being raised.

In our view a self-referential "created_by_ref" makes no sense in either a semantic context or a graph context, as one is effectively saying I am Brett, and Brett wrote this

i do not believe the standard has an opinion on self-referential "created_by_ref", and if one i using JSON databases this issue may easily slip through the cracks. We submit that prohibition of self-referential links for the purposes of asserting both identity and created by is a good idea. We plan to automatically delete these links in our parser (an extension of the Stix2 parser to suit ATT&CK and CACAO)

An example is as follows:

{
    "type": "identity",
    "id": "identity--826d4837-a92b-44a3-91c9-107ec7982c1d",
    "spec_version": "2.1",
    "identity_class": "organization",
    "name": "XYZA Corp, Inc.",
    "created": "2017-01-17T11:11:13.000Z",
    "modified": "2017-01-17T11:11:13.000Z",
    “created_by_ref’: "identity--826d4837-a92b-44a3-91c9-107ec7982c1d"
},

thanks

[priamai]

It surely makes no sense to me.

[rpiazza]

Actually, there is some support in the community for using a self-referential Identity to represent identity objects that are the "producers" of STIX content. Then you would be able to distinguish an Identity that represents cyber security information - like a victim, or the identity of a threat actor, as opposed to metadata about an object creator.

Something to add to the next version of the Best Practices Guide :-)