
Subject: Re: [EXT] Re: [cti] Sightings of Observables with Descriptions


Hi Jeff,

 

Perhaps you could give a few more details about your "weirdness".

 

  • Was this a new type of SCO, or one of the ones from the spec – but you just wanted to represent more information?
  • I assume "descriptions descriptions" is a typo, and not something I don't understand?
  • As Jane says – why not just use an extension?
  • If either adding a new property or a whole new SCO – does the property name have to be "description"?
  • The idea behind a sighting isn't that you observed an SCO (that's what Observed Data is for). It's that you are making an inference that you have "sighted" a more abstract CTI object, usually an indicator, but a campaign or threat actor, for instance.

 

                Rich

 

 

--

Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation

781-271-3760

 


 

 

On 3/5/21, 10:31 AM, "cti@lists.oasis-open.org on behalf of JG" <cti@lists.oasis-open.org on behalf of jg@ctin.us> wrote:

 

    Jeffrey:

 

    Did you see the Hybrid Extension Example on Page 206 of the STIX2.1 CS02

    version?  It sounds like something like this might be a good way to

    shorten the chain that you describe here.

 

    Jane Ginn

 

 

    On 3/1/2021 12:26 PM, Mates, Jeffrey CIV DC3/TSD wrote:

    > I ran into a bit of weirdness when modelling some data I received in STIX 2.1.

    > In this case it was with sensor data that had descriptions descriptions, and

    > from what I can see the only way to get a description of these is to:

    >

    > 1. Create the SCOs

    > 2. Make observations of the SCOs

    > 3. Make a sighting of the observations of the SCOs with a description

    >

    > I suspect it is now too late to do this, but it could be useful if Observed

    > Data objects include a description property or if Sighting could be a sighting

    > on an SCO directly in order to shorten this chain.  If others have run into

    > this issue I'm curious how you worked through it.

    >

    > //SIGNED//

    >

    > Jeffrey Mates, Civ DC3/TSD

    > Computer Scientist

    > Technical Solutions Development

    > jeffrey.mates@dc3.mil

    > 410-694-4335

    >

    --

    *****************************

    Jane Ginn, MSIA, MRP

    Secretary, OASIS CTI TC

    Sponsor, TAC TC

    Sponsor, BP TC

    jg@ctin.us

    001 (928) 399-0509

    *****************************

 

 

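The three-step chain from the quoted message (SCO, then Observed Data, then a Sighting carrying the description), with the Sighting pointed at an Indicator as the reply describes. This is an added example, not code from the thread or from any participant; the function names, the IP address, the note text and the random UUIDv4 identifiers are constructed for illustration.

```python
import json
import uuid
from datetime import datetime, timezone


def sid(stix_type):
    """Return a STIX identifier of the form <type>--<UUID> (random UUIDv4)."""
    return f"{stix_type}--{uuid.uuid4()}"


def build_chain(ip, note, seen):
    """Build SCO -> Observed Data -> Sighting, plus the Indicator being sighted."""
    common = {"spec_version": "2.1", "created": seen, "modified": seen}
    # Step 1: the SCO itself; it has no description property in the spec.
    sco = {"type": "ipv4-addr", "spec_version": "2.1",
           "id": sid("ipv4-addr"), "value": ip}
    # Step 2: Observed Data wraps the SCO by reference.
    observed = {"type": "observed-data", "id": sid("observed-data"), **common,
                "first_observed": seen, "last_observed": seen,
                "number_observed": 1, "object_refs": [sco["id"]]}
    # The Sighting needs an SDO to point at; an Indicator is assumed here.
    indicator = {"type": "indicator", "id": sid("indicator"), **common,
                 "pattern": f"[ipv4-addr:value = '{ip}']",
                 "pattern_type": "stix", "valid_from": seen}
    # Step 3: the Sighting is the first object in the chain with a description.
    sighting = {"type": "sighting", "id": sid("sighting"), **common,
                "description": note,
                "sighting_of_ref": indicator["id"],
                "observed_data_refs": [observed["id"]]}
    return {"type": "bundle", "id": sid("bundle"),
            "objects": [sco, observed, indicator, sighting]}


def dangling_refs(bundle):
    """List (object id, property, target) for references that do not resolve."""
    known = {o["id"] for o in bundle["objects"]}
    missing = []
    for obj in bundle["objects"]:
        for prop, val in obj.items():
            if prop.endswith("_ref") or prop.endswith("_refs"):
                for target in ([val] if isinstance(val, str) else val):
                    if target not in known:
                        missing.append((obj["id"], prop, target))
    return missing


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    # Constructed sample values: documentation-range IP and an invented note.
    bundle = build_chain("198.51.100.7", "Constructed sensor note", now)
    print(json.dumps(bundle, indent=2), dangling_refs(bundle))
```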

 


