In the current approach (consensus at the DC3 F2F), sighting is essentially just a special relationship between observation and indicator (or other object types that can be sighted). Thus, it doesn't have many data fields itself other than those needed to link things between observations.
- Has a sighting object and an observation object: Kind of a pro because people talk about these things, kind of a con because other people get confused by the distinction
- count/start/end only on observation, so you don't have to deal with it in two places, or figure out how to handle inconsistencies
- Requires 2 objects to report a sighting with a count, start, or end time
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "where_sighted_ref": "identity--1"
    }
  ]
}
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "observation_refs": ["observation--1"],
      "where_sighted_ref": "identity--1"
    }
  ],
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z"
    }
  ]
}
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "observation_refs": ["observation--1"],
      "where_sighted_ref": "identity--1"
    }
  ],
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}
{
  "type": "bundle",
  "id": "bundle--1",
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}
In this modified approach, adding count, start, and end to sighting allows us to avoid requiring an observation in order to report a sighting with a count.
- Has a sighting object and an observation object: Kind of a pro because people talk about these things, kind of a con because other people get confused by the distinction
- count/start/end on both sighting and observation, so you need to figure out how to handle those two sets of times/counts when used in conjunction
- Requires only one object to report sightings without CybOX
- Allows us to require CybOX on Observation (because you would never need to use observation without CybOX)
- Need to decide whether to require count, start, and end on sighting (or, if absent, what is the meaning? Is count 1, or is count unspecified?)
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "where_sighted_ref": "identity--1"
    }
  ]
}
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "where_sighted_ref": "identity--1"
    }
  ]
}
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "observation_refs": ["observation--1"],
      "where_sighted_ref": "identity--1",
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z"
    }
  ],
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}
{
  "type": "bundle",
  "id": "bundle--1",
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}
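The open question for this approach is what a consumer should do when count/start/end appear on both the sighting and the observations it references. The checker below is an added example written for these notes, not code from the STIX project or from the original author. It assumes one plausible rule set: an observation's start/end must fall inside the sighting's window, the observation counts must not add up to more than the sighting count, and every object's type must match its id prefix and its containing list (the rule that would have flagged a sighting-typed object sitting in the observations array). The sample bundle is constructed and deliberately contains such defects.

```python
"""Consistency checks for a bundle where count/start/end live on both
sighting and observation. Added example; the rules are assumptions for
illustration, not normative STIX behaviour."""
import json
from datetime import datetime, timezone

# Constructed sample bundle, modelled on the examples above. It deliberately
# contains an observation whose start precedes the sighting window, a
# dangling observation ref, and an object of type "sighting" filed under
# "observations" with a duplicate id.
BUNDLE_JSON = """
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {"type": "sighting", "id": "sighting--1",
     "created": "2016-07-02T00:00:00Z", "modified": "2016-07-02T00:00:00Z",
     "version": 1, "sighting_of_ref": "indicator--1",
     "observation_refs": ["observation--1", "observation--2"],
     "where_sighted_ref": "identity--1",
     "count": 154, "start": "2016-07-01T00:00:00Z", "end": "2016-07-02T00:00:00Z"}
  ],
  "observations": [
    {"type": "observation", "id": "observation--1",
     "created": "2016-07-02T00:00:00Z", "modified": "2016-07-02T00:00:00Z",
     "version": 1, "count": 150,
     "start": "2016-06-30T23:00:00Z", "end": "2016-07-01T12:00:00Z",
     "cybox": {"objects": [{"type": "file-object", "name": "malware.exe"}]}},
    {"type": "sighting", "id": "sighting--1",
     "created": "2016-07-02T00:00:00Z", "modified": "2016-07-02T00:00:00Z",
     "version": 1, "count": 10,
     "start": "2016-07-01T00:00:00Z", "end": "2016-07-01T00:00:01Z",
     "cybox": {"objects": [{"type": "file-object", "name": "malware.exe"}]}}
  ]
}
"""


def parse_ts(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the examples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def index_objects(bundle, problems):
    """Index objects by id; flag list/type mismatches, bad id prefixes, duplicates."""
    index = {}
    for list_name, expected in (("sightings", "sighting"), ("observations", "observation")):
        for obj in bundle.get(list_name, []):
            obj_type, obj_id = obj.get("type", ""), obj.get("id", "")
            if obj_type != expected:
                problems.append(f"{list_name}: {obj_id} has type {obj_type!r}, expected {expected!r}")
            if not obj_id.startswith(obj_type + "--"):
                problems.append(f"{obj_id}: id prefix does not match type {obj_type!r}")
            if obj_id in index:
                problems.append(f"{obj_id}: duplicate id")
            index.setdefault(obj_id, obj)  # first definition wins
    return index


def check_bundle(bundle):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    index = index_objects(bundle, problems)
    for s in bundle.get("sightings", []):
        refs = s.get("observation_refs", [])
        total = 0
        for ref in refs:
            obs = index.get(ref)
            if obs is None:
                problems.append(f"{s['id']}: observation_refs -> {ref} not in bundle")
                continue
            if obs.get("type") != "observation":
                problems.append(f"{s['id']}: {ref} is a {obs['type']}, not an observation")
                continue
            # Each observation's window must sit inside the sighting's window.
            if "start" in s and "start" in obs and parse_ts(obs["start"]) < parse_ts(s["start"]):
                problems.append(f"{s['id']}: {ref} start {obs['start']} outside sighting window")
            if "end" in s and "end" in obs and parse_ts(obs["end"]) > parse_ts(s["end"]):
                problems.append(f"{s['id']}: {ref} end {obs['end']} outside sighting window")
            total += obs.get("count", 1)  # assumption: a missing count means one occurrence
        if refs and "count" in s and total > s["count"]:
            problems.append(f"{s['id']}: observations total {total} exceeds sighting count {s['count']}")
    return problems


def check_sample():
    """Run the checker over the constructed sample bundle."""
    return check_bundle(json.loads(BUNDLE_JSON))


if __name__ == "__main__":
    for line in check_sample():
        print(line)
```

Running it against the sample reports four problems: the mis-typed object in the observations list, its duplicate id, observation--1 starting before the sighting window, and the dangling observation--2 reference. The "missing count means 1" rule is the assumption the notes leave open in the last bullet above; a consumer that treats an absent count as unspecified would skip that object in the total instead.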
By merging the sighting fields with the observation fields, we can resolve the count/start/end inconsistencies and the confusion over the observation/sighting distinction. On the other hand, Observation probably couldn't require CybOX (in order to report sightings without saying exactly what you saw).
This is roughly similar to #1 in that the where_sighted_ref is just a relationship, except that instead of a special relationship called sighting it's just an embedded relationship.
- Has only a single object: kind of a con because some people talk about them as different things, kind of a pro because we minimize confusion other people have about the difference.
- count/start/end on one object, so no inconsistencies there
- Requires only 1 object for any particular use case
- Adding a new sighting_of_ref is impossible for a third party; it requires an update by the first party
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "where_sighted_ref": "identity--1"
    }
  ]
}
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "where_sighted_ref": "identity--1"
    }
  ]
}
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "where_sighted_ref": "identity--1",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}
In this modified approach, moving count (and adding start and end) to sighting optimizes for simplicity in that use case but precludes having a count on observation. The start and end times would remain on observation to capture when that single observation was seen.
- Has a sighting object and an observation object: Kind of a pro because people talk about these things, kind of a con because other people get confused by the distinction
- count/start/end only on sighting, so no complexities there
- Requires only one object to report sightings without CybOX
- Allows us to require CybOX on Observation (because you would never need to use observation without CybOX)
- Precludes reporting observations with a count
- Has some weird semantics when you say you saw a particular observation with a particular time but 154 times
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "where_sighted_ref": "identity--1"
    }
  ]
}
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "where_sighted_ref": "identity--1"
    }
  ]
}
{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "observation_refs": ["observation--1"],
      "where_sighted_ref": "identity--1",
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z"
    }
  ],
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-01T00:00:01Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}
Impossible; it would just require creating multiple observations.