Skip to content

Indicator => Campaign reference appears to be broken #152

New issue
New issue
Closed
Closed
Indicator => Campaign reference appears to be broken#152
Assignees
rpiazza
Labels
Breaks Backwards CompatibilityBug
Milestone
 
Version 1.1.1
@johnwunder

Description

@johnwunder
johnwunder
opened on Apr 14, 2014

In STIX 1.1, the Indicator => Campaign reference mechanism uses an incorrect type and is therefore broken (ish).

<xs:complexType name="RelatedCampaignReferencesType">
    <xs:complexContent>
        <xs:extension base="stixCommon:GenericRelationshipListType">
            <xs:sequence>
                <xs:element name="Related_Campaign" type="stixCommon:CampaignReferenceType" maxOccurs="unbounded">
                    <xs:annotation>
                        <xs:documentation>The Related_Campaign field captures a single relationship to a related campaign.</xs:documentation>
                    </xs:annotation>
                </xs:element>
            </xs:sequence>
        </xs:extension>
    </xs:complexContent>        
</xs:complexType>

That element (Related_Campaign) should point to a relationship type that extends from stixCommon:GenericRelationshipType in order to add Confidence, Relationship, Information_Source, etc. Instead it points directly to a Campaign Reference Type:

<xs:complexType name="CampaignReferenceType">
    <xs:annotation>
        <xs:documentation>Characterizes a reference to a campaign.</xs:documentation>
    </xs:annotation>
    <xs:sequence>
        <xs:element name="Names" type="stixCommon:NamesType" minOccurs="0">
            <xs:annotation>
                <xs:documentation>Specifies one or more campaign names for a cyber threat campaign defined elsewhere.</xs:documentation>
            </xs:annotation>
        </xs:element>
    </xs:sequence>
    <xs:attribute name="idref" type="xs:QName">
        <xs:annotation>
            <xs:documentation>Specifies a globally unique identifier for a cyber threat campaign defined elsewhere.</xs:documentation>
        </xs:annotation>
    </xs:attribute>
    <xs:attribute name="timestamp" type="xs:dateTime">
        <xs:annotation>
            <xs:documentation>In conjunction with the idref, this field may be used to reference a specific version of a campaign defined elsewhere.</xs:documentation>
            <xs:documentation>This field must only be used in conjunction with the idref field.</xs:documentation>
        </xs:annotation>
    </xs:attribute>
</xs:complexType>

This means that Indicator => Campaign relationships are unable to express those additional fields (information source, relationship, confidence). The reverse direction is still correct.

In instance content, currently it would look like this:

<Related_Campaign>
    <Names>
        <Name>Campaign Alpha</Name>
    </Names>
</Related_Campaign>

It should look more like this:

<Related_Campaign>
    <Confidence>
        <!-- snip -->
    </Confidence>
    <Campaign>
        <Names>
            <Name>Campaign Alpha</Name>
        </Names>
    </Campaign>
</Related_Campaign>

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

Labels

Breaks Backwards CompatibilityBug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions