I'd like to add my voice to this as I agree it is a good idea. I believe this will also help clarify a subtle confusion that people often have - Observable instances vs Observable patterns. If we could mandate that sightings can only use Observables as instances (describing what has been seen), then we can say that Indicators must only use Observable patterns. This can then help us mandate that difference, making implementation a whole lot easier.
Cheers
Terry MacDonald | STIX, TAXII, CybOX Consultant
Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.
On 28 July 2015 at 00:51, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
Well said, and I agree. This also really gets to the heart of some of the problems with what an Indicator actually is, versus, what people think it is. I think when people are referring to an indicator, what they really mean, is the CybOX Observable.If we can get Sightings pulled out of the indicator and made to be small, light-weight object that can be sent by itself, then this could be really powerful. This coupled with the relationship object, could enable a whole slew of new vendor products to emerge.Thanks,BretBret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTOBlue Coat SystemsPGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."On Jul 27, 2015, at 05:35, Aharon Chernin <achernin@soltra.com> wrote:Agree, I would like to see this in STIX 2.0.
It just doesn't make sense to have the sighting only available to us at the indicator level. Since when do you see someone else's assertion?
Example indicator: My brother is evil (<-- the assertion) because he keeps hitting me in the face (<-- the fact). Watch for people who hit siblings in the face.
* If a third party is watching for this, would they see evil or would they see face hitting? They would see face hitting (fact) and they could optionally make their own assertion of evilness (indicator).
** Maybe the brother is batting a wasp off the other person's face, who knows.
Indicator sightings also require us to issue a STIX major revision for an indicator, just to issue a sighting. As I have predicted before, in some cases sharing communities could be sharing millions of "sightings" indicators and only thousands of "real" indicators. Which just seems odd to me.
By using a sightings object, we can quickly create a small reference to an object that has been sighted (most likely an observable). But, other objects could be referenced as well.
Aharon Chernin
CTO
SOLTRA | An FS-ISAC & DTCC Company
18301 Bermuda green Dr
Tampa, fl 33647
813.470.2173 | achernin@soltra.com
www.soltra.com
________________________________________
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jordan, Bret <bret.jordan@bluecoat.com>
Sent: Friday, July 24, 2015 5:55 PM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Proposal - Top Level Sighting Object
Well since this list is completely quite, time to get back to work.
I would like to see a top level Sighting Object that can be sent with only references to what it is sighting. This needs to be very light weight.
Bret
Sent from my Commodore 64
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php