Re: [cti-cybox] CybOX Object Survey

The survey is now closed! We received 39 responses in total; many thanks to all who responded for their input. A few comments from my perspective below, along with the results for each Object (in descending order, based on number of responses).

It appears that the top Objects are those that are atomic in nature (e.g., Address) and/or are used in the sharing of Indicator data (along with having the potential for being useful in other use cases). This also corresponds with the large number of network-related Objects in the top percentile.
Objects commonly associated with malware artifacts (e.g., Mutex, Win Executable File Object, Win Event Log) had a fairly strong showing.
Objects with very few responses appear to trend towards being more esoteric system objects (e.g., Semaphore, Win Mailslot, Win Waitable Timer).

Also, it’s worth noting that this was meant to be a very informal survey, to give us some idea of which Objects are most commonly used by the broader CybOX community. Therefore, while these results will help us prioritize which Objects may get focused on initially for updates/tweaks/specifications/etc., they are not meant to directly drive larger decisions such as the deprecation of specific Objects.

Object	Count	% of Total Responses
Address Object	27	69.23
Domain Name Object	26	66.67
Email Message Object	24	61.54
File Object	24	61.54
URI Object	22	56.41
Hostname Object	19	48.72
Port Object	17	43.59
Network Connection Object	16	41.03
Process Object	15	38.46
Win Registry Key Object	15	38.46
DNS Record Object	12	30.77
HTTP Session Object	12	30.77
Win Executable File Object	11	28.21
X509 Certificate Object	11	28.21
Artifact Object	10	25.64
Network Subnet Object	10	25.64
Socket Address Object	10	25.64
System Object	10	25.64
User Account Object	10	25.64
Win File Object	10	25.64
Account Object	9	23.08
Mutex Object	9	23.08
PDF File Object	9	23.08
Win Process Object	9	23.08
Device Object	8	20.51
DNS Query Object	8	20.51
Network Packet Object	8	20.51
Unix File Object	8	20.51
Win Event Log Object	8	20.51
API Object	7	17.95
Image File Object	7	17.95
Link Object	7	17.95
Network Flow Object	7	17.95
Product Object	7	17.95
Whois Object	7	17.95
Win Event Object	7	17.95
Win Service Object	7	17.95
Win System Object	7	17.95
Win User Account Object	7	17.95
Network Socket Object	6	15.38
Unix Process Object	6	15.38
Disk Object	5	12.82
Unix User Account Object	5	12.82
Win Mutex Object	5	12.82
Custom Object	4	10.26
DNS Cache Object	4	10.26
Library Object	4	10.26
Memory Object	4	10.26
Network Route Object	4	10.26
URL History Object	4	10.26
User Session Object	4	10.26
Win Computer Account Object	4	10.26
Win Filemapping Object	4	10.26
Win Network Share Object	4	10.26
Win Task Object	4	10.26
Archive File Object	3	7.69
AS Object	3	7.69
SMS Message Object	3	7.69
Unix Volume Object	3	7.69
Win Driver Object	3	7.69
Win Handle Object	3	7.69
Win Hook Object	3	7.69
Win Prefetch Object	3	7.69
Win Thread Object	3	7.69
ARP Cache Object	2	5.13
Code Object	2	5.13
Linux Package Object	2	5.13
Network Route Entry Object	2	5.13
Pipe Object	2	5.13
Unix Network Route Entry Object	2	5.13
Win Kernel Hook Object	2	5.13
Win Network Route Entry Object	2	5.13
Win Pipe Object	2	5.13
Win Volume Object	2	5.13
Semaphore Object	1	2.56
Unix Pipe Object	1	2.56
Volume Object	1	2.56
Win Critical Section Object	1	2.56
Win Kernel Object	1	2.56
Win Memory Page Region Object	1	2.56
Win Semaphore Object	1	2.56
Win System Restore Object	1	2.56
Disk Partition Object	0	0.00
GUI Dialogbox Object	0	0.00
GUI Object	0	0.00
GUI Window Object	0	0.00
Win Mailslot Object	0	0.00
Win Waitable Timer Object	0	0.00

Regards,

Ivan

cti-cybox message