Add first_seen and last_seen to relationship #11
Comments
|
This was discussed on the working call on Sept 5, 2017. The agreed consensus for text was: start_time: This optional timestamp represents the earliest time at which the relationship between the objects exists. If the timestamp field #1 is a future timestamp, at the time of the updated field is defined, then this represents an estimate by the producer of the intelligence on the earliest time at which relationship will be asserted to be true. If not specified, then the earliest time at which the relationship between the objects exists is not defined. end_time: This optional timestamp represents the latest time at which the relationship between the objects exists. If the timestamp field #2 is a future timestamp, at the time of the updated field is defined, then this represents an estimate by the producer of the intelligence on the latest time at which relationship will be asserted to be true. If the timestamp field #2 is defined, then it MUST be later than the timestamp #1 value. If not specified, then the latest time at which the relationship between the objects exists is not defined. There were no voiced objections to this consensus, so once the editorial work is done on the spec, this issue can be closed. |
|
This has been changed in the spec, closing. |
jordan2175
added
Status: Closed Done
Target: STIX-2.1
and removed
Phase: 3-Final Review
labels
Allan has suggested adding
first_seenandlast_seenfields (both optional, presumably) to the relationship object. This would let you track, for example, the time period when amalwareobject wasused-byanintrusion-set.The text was updated successfully, but these errors were encountered: