
cti-users message



Subject: Re: [EXT] [cti-users] trying to understand the "Sighting" object


Forrest,


Thank you for the question.  A Sighting object in STIX is just a relationship (edge in the graph). The reason we did not use the general purpose Relationship object is we wanted some operational efficiencies for transport.  So the STIX Sighting relationship object has the ability to do the following:


1) Say the indicator is good or more specifically "was seen" but without any context. Some organizations cannot share other details other than "thumbs up" this indicator is good and I saw it.


2) Say the indicator was seen and here are the exact things I saw. Indicator -> Sighting -> Observed Data


3) Say the indicator was seen and this is where it was seen.  Indicator -> Sighting -> Identity / Location


This means you can also say what was seen and where it was seen in a single payload.  Thus multiple edges in a single JSON object.  This is why the Sighting relationship object is "special".  


One of the big problems is in the way we talk about Sighting.  We talk about it as if it was a Domain Object.  This is because it can sort of act like that in the use case #1 above, effectively a one-armed edge (an edge that is only connected on one side). 


I would expect a system that consumes a STIX Sighting relationship object to decompose it to the various edges that it contains and represent them individually in their graph.  We also need to remember that STIX is a transport serialization for sharing CTI. 


Does this help? What other questions do you have?


Thanks

Bret
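
The decomposition the reply describes, sketched as an added example (not part of the original thread and not OASIS code). The property names are those of the STIX Sighting object; the edge labels, the sample object and its UUIDs are constructed for illustration.

```python
import json

# Constructed sample: one Sighting SRO carrying all three kinds of reference.
SAMPLE = json.loads("""
{
  "type": "sighting",
  "id": "sighting--11111111-1111-4111-8111-111111111111",
  "sighting_of_ref": "indicator--22222222-2222-4222-8222-222222222222",
  "observed_data_refs": ["observed-data--33333333-3333-4333-8333-333333333333"],
  "where_sighted_refs": ["identity--44444444-4444-4444-8444-444444444444"],
  "count": 3
}
""")

# Edge labels are assumptions of this example, not names from the STIX spec.
# Each reference property maps to (edge label, allowed target types or None).
REF_RULES = {
    "sighting_of_ref": ("sighting-of", None),
    "observed_data_refs": ("observed", {"observed-data"}),
    "where_sighted_refs": ("sighted-at", {"identity", "location"}),
}

def decompose_sighting(obj):
    """Return a list of (source_id, label, target_id) edges for one Sighting."""
    if obj.get("type") != "sighting":
        raise ValueError("not a sighting object")
    if "sighting_of_ref" not in obj:
        raise ValueError("sighting_of_ref is required")
    edges = []
    for prop, (label, allowed) in REF_RULES.items():
        value = obj.get(prop, [])
        refs = [value] if isinstance(value, str) else value
        for ref in refs:
            # The type is the part of a STIX id before the "--" separator.
            target_type = ref.partition("--")[0]
            if allowed is not None and target_type not in allowed:
                raise ValueError(f"{prop} may not point at {target_type}")
            edges.append((obj["id"], label, ref))
    return edges

def is_one_armed(obj):
    """True for use case 1: the sighting names only what was seen."""
    return len(decompose_sighting(obj)) == 1

if __name__ == "__main__":
    for edge in decompose_sighting(SAMPLE):
        print(edge)
```

Rejecting references whose type does not fit the property keeps a malformed or hostile feed from writing arbitrary edges into the consumer's graph.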

 


From: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org> on behalf of Hare, Forrest B. <Forrest.B.Hare@saic.com>
Sent: Monday, September 10, 2018 9:27:15 AM
To: cti-users@lists.oasis-open.org
Subject: [EXT] [cti-users] trying to understand the "Sighting" object
 

I apologize if this is an uninformed question, but why is “sighting” an SRO and not just a new instance of an “indicator” SDO?

 

If it is truly an SRO, what two SDOs does it link (which I understand an SRO to do)?  The example provided in the Walk-through at https://oasis-open.github.io/cti-documentation/stix/walkthrough is a bit confusing to me because it represents “sighting” as a node and “sighting of” as an edge.  This suggests there are two different objects, but the Object List at: https://oasis-open.github.io/cti-documentation/stix/intro only lists “sighting” under the SRO section.  “Relationship” is also listed there, but the graphic on the Walk Through page does not depict a “relationship” object, just the “indicates” edge.  Hopefully, you can see where I am getting confused by trying to reconcile the diagram and terminology.

 

Thank you,

Forrest

 

 

Forrest B. Hare, PhD

Solutions Architect

Cyberspace Operations
571-419-0084 | forrest.b.hare@SAIC.com

saic.com |@SAICinc



