Subject: Re: [cti-cybox] What exactly CybOX?
Jason Keirstead wrote this message on Mon, Apr 04, 2016 at 21:02 -0300:
> I agree with this principle - the part I have a hard time wrapping my mind
> around therefore is the purpose of the "observation" object, other than as
> a generic container for CybOX...

If you mean that Observation object in STIX, it will provide the WHEN (timestamp) and the WHERE (who sent it) parts of the five w's. Other STIX objects will provide answers to the other questions...

> data which could just as easily be in a
> "pattern" property of any other already-existing object such as indicator
> or sighting.

Except that an indicator's pattern matches against Observations, and a Sighting requires either an indicator, or a pattern that the observation matches against, so none of those would be a valid place for an observation.

> If we look at the observation object in TWIGS:
>
> https://docs.google.com/document/d/1P6k0uqbAYDRpYG5jjgYAKBDEc_iSG0-SGFaXgaPkqyg/edit
>
> All it has is a pattern and a timestamp. What is the purpose of this object

Well, I'll note that you changed object to pattern, so previously, before your modifications, it contained a CybOX Object (the WHAT), and the timestamp (the WHEN)...

Anyways, an Observation should not be part of CybOX, but should be part of STIX, which we don't have yet...

> really? Why would I use this vs. a STIX sighting.

See above, a STIX sighting does not have an observation, or a place to put a CybOX object.

--
John-Mark