cti-users message

Subject: RE: [cti-users] Sightings SRO: Do Observed_data_refs must be objects that occured within the Sightingâs first/last seen time range?

From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
To: Allan Thomson <athomson@lookingglasscyber.com>
Date: Thu, 25 Jul 2019 07:24:15 -0400

Agree 100% with all Allen's comments.

Another reason, is that you can sight any object in STIX, and the observed_data object is not always applicable. IE, I could be sighting an Identity object for a threat actor, and want to say I saw them active from Monday to Friday, and not have any observed_data attached to this.

-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."

- Thomas J. Watson

From: Allan Thomson <athomson@lookingglasscyber.com>
To: Stephen Russett <stephen@digitalstate.ca>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Date: 07/24/2019 08:06 PM
Subject: [EXTERNAL] Re: [cti-users] Sightings SRO: Do Observed_data_refs must be objects that occured within the Sightingâs first/last seen time range?
Sent by: <cti-users@lists.oasis-open.org>

First of, the primary reason why Sighting has first_seen and last_seen is to support the ability to share Sightings without including any observed data object references.

This is where a producer wishes to state that they saw an indicator and possibly how many times within the time window of the sighting but they do not wish or have the details of the observed data to share.

Therefore although this might seem duplicative for the time window properties initially, itâs not.

Secondly, the first_seen and last_seen of a sighting are optional. Therefore it is entirely compliant to have a sighting that connects an indicator (or any other sighting of pointer) and observed_data of that indicator where the time-window of the observed data is defined on the observed_data object itself but the sighting time window properties are not defined at all.

Finally, is it highly likely that both sighting and observed_data time window properties should align for many cases -> Yes.

Can you say that they definitely have to match in all circumstances -> No.

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions

From: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org> on behalf of Stephen Russett <stephen@digitalstate.ca>
Date: Wednesday, July 24, 2019 at 12:26 PM
To: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: [cti-users] Sightings SRO: Do Observed_data_refs must be objects that occured within the Sightingâs first/last seen time range?

Following up on: https://github.com/oasis-tcs/cti-stix2/issues/159

A Sighting has a first_seen and last_seen time range.

The ObservedData objects that are applied in the Sighting's observed_data_refs also have first_observed and last_observed.

Are the Observed Data subject to the Sightings time frame?

Thanks

References:
- Sightings SRO: Do Observed_data_refs must be objects that occured within the Sightingâs first/last seen time range?
  - From: Stephen Russett <stephen@digitalstate.ca>
- Re: [cti-users] Sightings SRO: Do Observed_data_refs must be objects that occured within the Sightingâs first/last seen time range?
  - From: Allan Thomson <athomson@lookingglasscyber.com>