Subject: Re: Proposal - Top Level Sighting Object


Agree, I would like to see this in STIX 2.0.

It just doesn't make sense to have the sighting only available to us at the indicator level. Since when do you see someone else's assertion?

Example indicator: My brother is evil (<-- the assertion) because he keeps hitting me in the face (<-- the fact). Watch for people who hit siblings in the face. 
* If a third party is watching for this, would they see evil or would they see face hitting? They would see face hitting (fact) and they could optionally make their own assertion of evilness (indicator).
** Maybe the brother is batting a wasp off the other person's face, who knows.

Indicator sightings also require us to issue a STIX major revision for an indicator, just to issue a sighting. As I have predicted before, in some cases sharing communities could be sharing millions of "sightings" indicators and only thousands of "real" indicators. Which just seems odd to me.

By using a sightings object, we can quickly create a small reference to an object that has been sighted (most likely an observable). But, other objects could be referenced as well.

Aharon Chernin
CTO
SOLTRA | An FS-ISAC & DTCC Company
18301 Bermuda green Dr
Tampa, fl 33647
813.470.2173 | achernin@soltra.com
www.soltra.com

________________________________________
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jordan, Bret <bret.jordan@bluecoat.com>
Sent: Friday, July 24, 2015 5:55 PM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Proposal - Top Level Sighting Object

Well, since this list is completely quiet, time to get back to work.

I would like to see a top level Sighting Object that can be sent with only references to what it is sighting.  This needs to be very lightweight.

Bret

Sent from my Commodore 64
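
The contrast drawn in the reply above (a sighting stored inside an indicator forces a new indicator revision, while a top-level sighting only references what was seen), as an added sketch that is not part of the thread or of any STIX specification. All field names (`revision`, `sightings`, `sighted_ref`, `seen_by`, `seen_at`), the ID format, and the assumption that each revised indicator is re-shared in full are hypothetical.

```python
import json
import uuid

def new_id(kind):
    # Constructed "<kind>--<uuid4>" identifier; the format is an assumption of this sketch.
    return f"{kind}--{uuid.uuid4()}"

def embedded_model(indicator, sightings):
    """Sightings live inside the indicator: each one re-issues the whole indicator."""
    messages = []
    current = dict(indicator, sightings=[])
    for s in sightings:
        current = dict(current,
                       revision=current["revision"] + 1,
                       sightings=current["sightings"] + [s])
        messages.append(json.dumps(current))  # assumed: full object is shared again
    return current, messages

def top_level_model(indicator, observable_id, sightings):
    """Sightings are standalone objects that only reference what was seen (the fact)."""
    messages = [json.dumps({"id": new_id("sighting"), "type": "sighting",
                            "sighted_ref": observable_id, **s})
                for s in sightings]
    return indicator, messages  # the indicator (the assertion) is never touched

def compare(n):
    # Constructed sample data, loosely following the example in the e-mail.
    observable_id = new_id("observable")
    indicator = {"id": new_id("indicator"), "type": "indicator", "revision": 1,
                 "description": "Watch for people who hit siblings in the face",
                 "observable_ref": observable_id}
    sightings = [{"seen_by": f"org-{i}", "seen_at": f"2015-07-24T17:{i:02d}:00Z"}
                 for i in range(n)]
    emb_ind, emb_msgs = embedded_model(indicator, sightings)
    top_ind, top_msgs = top_level_model(indicator, observable_id, sightings)
    return {
        "embedded_revision": emb_ind["revision"],
        "top_level_revision": top_ind["revision"],
        "embedded_bytes": sum(map(len, emb_msgs)),
        "top_level_bytes": sum(map(len, top_msgs)),
        "refs_point_at_observable": all(
            json.loads(m)["sighted_ref"] == observable_id for m in top_msgs),
    }

if __name__ == "__main__":
    print(compare(50))
```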