Re: [cti] CybOX Containers in STIX

["Wunder, John A." <jwunder@mitre.org>]

Well Observations are linked to Indicator via Sighting, which in effect was just a relationship between the indicator and the observation. That’s why we have the array of observation_refs.

We could always add count to Sighting as well, but then it would be included twice (on Sighting and on Observation). We would probably also need a start/end time on Sighting in that case to capture the timeframe in which the sightings were seen, which would add more duplication with Observation. The tradeoff seems to me to be whether we have fields that duplicate themselves in some cases (count, start, end on Sighting + Observation) or whether we require people include an observation sometimes just to capture count+start+end.

I’ll put together some examples over the next few days to help us decide.

John

On 6/30/16, 3:47 PM, "cti@lists.oasis-open.org on behalf of John-Mark Gurney" <cti@lists.oasis-open.org on behalf of jmg@newcontext.com> wrote:

Wunder, John A. wrote this message on Thu, Jun 30, 2016 at 13:13 +0000:
> RE: CybOX being optional…the thought was that you might want to say you saw something (e.g. an indicator) 150 times without providing detailed CybOX for what you had actually seen. It was mainly for the sighting use case vs. the observation w/o sighting use case.

Except that you can't/don't link an observation to an indicator...  If
we want to support sighting an indicator 150 times w/o the observation,
we should add a count field to sighting..

IMO, we should make cybox required for Observation.

-- 
John-Mark

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that 
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php