We should also add a STIX artifact list to the case type, which is also referenced from a task. Typically analysts will upload files during an investigation: some of them will be small (we use the payload_bin in that case), some of them will be big and we can use the url pointing to where they are stored.
The Notes object should be attached to a task and not floating inside the case, so maybe the ids would be in the Task reference objects?
We should also add an Opinion object, in fact a list of Opinion objects that the analysts would attach to a case. Opinion objects are where we should store feedback about whether it is a true positive or a false positive, or confidence estimates about impact, for example.
The assigned list: I am thinking, would it be better if every analyst, e.g. a user of the platform, is an Identity, so we just reference identity ids and not usernames?
Everything else looks good and is a good start.
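A sketch of the artifact and opinion objects proposed in the issue above, added here as an example and not taken from the Stix-ORM code base. Property names follow STIX 2.1; the 64 KiB `INLINE_LIMIT`, the function names and the sample URL and identity id are assumptions.

```python
import base64
import hashlib
import uuid
from datetime import datetime, timezone

INLINE_LIMIT = 64 * 1024  # assumed cut-off; the thread does not name one
OPINIONS = ("strongly-disagree", "disagree", "neutral", "agree", "strongly-agree")


def make_artifact(data, mime_type, blob_url=None):
    """STIX 2.1 artifact: payload_bin for small uploads, url + hashes for large ones."""
    artifact = {
        "type": "artifact",
        "spec_version": "2.1",
        # Random id for brevity; STIX 2.1 recommends deterministic UUIDv5 ids for SCOs.
        "id": f"artifact--{uuid.uuid4()}",
        "mime_type": mime_type,
        # hashes are mandatory with url; kept on inline payloads too for integrity checks
        "hashes": {"SHA-256": hashlib.sha256(data).hexdigest()},
    }
    if len(data) <= INLINE_LIMIT:
        artifact["payload_bin"] = base64.b64encode(data).decode("ascii")
    elif blob_url:
        artifact["url"] = blob_url  # payload_bin and url are mutually exclusive
    else:
        raise ValueError("upload exceeds INLINE_LIMIT and no blob-store URL was given")
    return artifact


def make_opinion(analyst_id, object_refs, opinion, explanation):
    """STIX 2.1 opinion created by an analyst Identity about case objects."""
    if opinion not in OPINIONS:
        raise ValueError(f"opinion must be one of {OPINIONS}")
    if not analyst_id.startswith("identity--"):
        raise ValueError("reference the analyst by identity id, not by username")
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    now = now.replace("+00:00", "Z")
    return {
        "type": "opinion", "spec_version": "2.1", "id": f"opinion--{uuid.uuid4()}",
        "created": now, "modified": now, "created_by_ref": analyst_id,
        "opinion": opinion, "explanation": explanation, "object_refs": list(object_refs),
    }


if __name__ == "__main__":
    analyst = f"identity--{uuid.uuid4()}"  # constructed sample identity id
    small = make_artifact(b"constructed sample upload", "text/plain")
    verdict = make_opinion(analyst, [small["id"]], "disagree", "False positive: benign file")
    print(small, verdict, sep="\n")
```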
Good idea on artifacts, but I will use files with external references, since we have already set up a local blob store, peer-to-peer on the UI.
Good idea on the Opinion object, will add that to the case.
Not sure on Notes. Clearly we want Notes on cases, plus I can see them being useful on tasks as well. The question is how to support both. Ideally we want all case assets connected at the top level to the case. But how? One option is to link the notes to both the case and the task, not sure how else to do it. Ideas?
Hello,
I had a look at the last version:
https://github.com/os-threat/Stix-ORM/blob/brett-attack/data/os-threat/cases.json