Hello,
The table of section "9.6 Comparison Expressions" might have a mistake. The last sentence of the description of the boolean operator "AND" should read:
"a and b MUST both evaluate to true on the same SCO"
instead of "a and b MUST both evaluate to true on the same Observation"
Indeed as mentioned in "9.5 Observation Expressions": "When matching an Observation against an Observation _expression_, all Comparison Expressions contained within the Observation _expression_ MUST match against the same SCO", and "Observation" is defined as an Observed Data SDO in "9.1 Definitions".
Which leads me to a second remark: it is possible to put constraints on single SCOs (via Observation Expressions) and multiple observations (via Observation Operators) but not on multiple SCOs corresponding to the same observation if they cannot be linked by existing properties.
As a consequence how can one match observations that associate a "user-account" to a "file" or a "user-account" to a "network-traffic" independently of the relationship path?
Another example is two subnets that should never be seen together. One could write:
But then I miss network-traffic:src_ref.resolves_to_refs[*].value and all its variants. Enumerating all the possible relationships seems cumbersome and error-prone.
An idea for a later version: wouldn't it be more simple to write something like:
Since they are in the same observation, one already knows they are linked.
Best regards
--
David Bizeul
CTO @ SEKOIA
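An added example, not part of the email above nor of any STIX library, that contrasts the two readings of the "AND" row: the spec's same-SCO rule from 9.5 against the same-observation reading the email argues for. The observation (two ipv4-addr SCOs in one Observed Data) and the tuple encoding of comparison expressions are constructed for the illustration; the two-subnet pattern is my guess at what the email's elided "two subnets that should never be seen together" pattern looks like.

```python
import ipaddress

# Constructed Observed Data "objects" map: one observation holding two SCOs
# (assumption for this example, not data from the email).
OBSERVATION = {
    "0": {"type": "ipv4-addr", "value": "10.1.2.3"},
    "1": {"type": "ipv4-addr", "value": "192.168.5.6"},
}

# A comparison expression is encoded as (object type, property, operator, literal).
TWO_SUBNETS = [
    ("ipv4-addr", "value", "ISSUBSET", "10.0.0.0/8"),
    ("ipv4-addr", "value", "ISSUBSET", "192.168.0.0/16"),
]


def comparison_matches(sco, comparison):
    """Evaluate one comparison expression against one SCO."""
    obj_type, prop, op, literal = comparison
    if sco.get("type") != obj_type or prop not in sco:
        return False
    if op == "=":
        return sco[prop] == literal
    if op == "ISSUBSET":
        return ipaddress.ip_address(sco[prop]) in ipaddress.ip_network(literal)
    raise ValueError("unsupported operator: %s" % op)


def matches_same_sco(observation, comparisons):
    """Spec semantics (9.5): every comparison joined by AND must match
    the *same* SCO, so two disjoint-subnet tests can never both hold."""
    return any(
        all(comparison_matches(sco, c) for c in comparisons)
        for sco in observation.values()
    )


def matches_same_observation(observation, comparisons):
    """The reading the email proposes for a later version: each comparison
    may be satisfied by *any* SCO within the same observation."""
    return all(
        any(comparison_matches(sco, c) for sco in observation.values())
        for c in comparisons
    )


if __name__ == "__main__":
    print("same-SCO rule matches:", matches_same_sco(OBSERVATION, TWO_SUBNETS))
    print("same-observation reading matches:",
          matches_same_observation(OBSERVATION, TWO_SUBNETS))
```

Under the spec's rule the pattern is unsatisfiable for any single ipv4-addr, which is exactly why the email falls back to enumerating reference paths such as src_ref.resolves_to_refs[*].value.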