Re: [cti-stix] Some thoughts on Sightings and conversations to date (Par

The fourth sightings sub-topic I wanted to comment on is around the question of whether sightings should have IDs or not.

I think there have been some clear assertions (along with their rationale) from Jason and Bret that it does not make sense for sightings to have IDs but also some good clear arguments from John, Terry and others for why unique and persistent IDs are relevant for consumers to be able to reference, correlate and analyze diverse sightings from diverse sighters.

Again, putting on my expert hat rather than my co-chair hat, I wanted to offer some thoughts on this which are primarily just stating agreement with the arguments made by John, Terry and others.

I do believe that it is important for sightings to have IDs for many of the reasons already expressed on the list.
Specifically, I would also agree with Terry’s assertion that:
- "We need an ID solution that:
  - Includes the domain namespace in the ID so that recipients know where to ask for more information.
  - The ID stays the same over the lifetime of the object even if it is updated and the content changes.
  - Recognizes that IDs will be coming from many different companies and many different sources and that we need a way of easily understanding who produced the data."

On the sub-sub-topic ( :-) ) of Alternative_ID for Sightings,
- I think that Alternative_ID does make sense for Sightings. It would allow the capture and reference of things like alert IDs issued by particular detection tools. The sightings would still need a STIX ID for effective referencing within STIX content but the external ID would help support the potential for seeking out more detailed information where appropriate.

sean

cti-stix message