@johnwunder
Last active July 3, 2016 18:54
Options to handle sightings and observations

Sightings and Observations Options

Option 1: Current Approach (Sighting as special relationship)

In the current approach (consensus at the DC3 F2F), sighting is essentially just a special relationship between observation and indicator (or, other object types that can be sighted). Thus, it doesn't have many data fields itself other than those just to link things between observations.

Pros and Cons

  • Has a sighting object and an observation object: Kind of a pro because people talk about these things, kind of a con because other people get confused by the distinction
  • count/start/end only on observation, so you don't have to deal with them in two places or figure out how to handle inconsistencies
  • Requires 2 objects to report a sighting with a count, start, or end time

Examples

UC1: Simple +1

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "where_sighted_ref": "identity--1"
    }
  ]
}

UC2: Sighting with counts

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "observation_refs": ["observation--1"],
      "where_sighted_ref": "identity--1"
    }
  ],
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z"
    }
  ]
}

UC3: Sighting with count and CybOX

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "observation_refs": ["observation--1"],
      "where_sighted_ref": "identity--1"
    }
  ],
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}

UC4: No sighting, observation with count

{
  "type": "bundle",
  "id": "bundle--1",
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}

Option 2: Current Approach, Add Count, Start, End to Sightings

In this modified approach, adding count, start, and end to sighting allows us to avoid requiring an observation to report a sighting with a count.

Pros and Cons

  • Has a sighting object and an observation object: Kind of a pro because people talk about these things, kind of a con because other people get confused by the distinction
  • count/start/end on both sighting and observation, so you need to figure out how to handle those two sets of times/counts when used in conjunction
  • Requires only one object to report sightings without CybOX
  • Allows us to require CybOX on Observation (because you would never need to use observation without CybOX)
  • Need to decide whether to require count, start, and end on sighting (or, if absent, what is the meaning? Is count 1, or is count unspecified?)
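As an added example (not part of the gist), here is a small Python checker that a consumer of bundles shaped like the Option 1 and Option 2 examples could run before trusting them: it verifies that every observation_refs entry resolves to an object of type observation whose id prefix matches its type, and it reconciles the sighting's own count/start/end with those of the observations it references, which is the "two sets of times/counts" problem raised in the pros and cons above. The sample bundles are constructed here; the rules that referenced observations may not total more events than the sighting's count, that an observation without a count stands for one event, and that observation windows must fall inside the sighting window are assumptions chosen for illustration, not rules from the gist.

```python
"""Consistency checks over sighting/observation bundles (added example)."""
import copy
from datetime import datetime, timezone

# Constructed bundle in the shape of the Option 2 UC3 example: the sighting
# carries count/start/end and also references an observation carrying the
# same three fields, so a consumer has to reconcile the two sets.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--1",
    "sightings": [{
        "type": "sighting",
        "id": "sighting--1",
        "sighting_of_ref": "indicator--1",
        "observation_refs": ["observation--1"],
        "where_sighted_ref": "identity--1",
        "count": 154,
        "start": "2016-07-01T00:00:00Z",
        "end": "2016-07-02T00:00:00Z",
    }],
    "observations": [{
        "type": "observation",
        "id": "observation--1",
        "count": 154,
        "start": "2016-07-01T00:00:00Z",
        "end": "2016-07-02T00:00:00Z",
        "cybox": {"objects": [{"type": "file-object", "name": "malware.exe"}]},
    }],
}

# Two constructed negative cases: one reproduces the copy/paste slip of an
# observation typed "sighting", the other an observation claiming more
# events than the sighting that references it.
TYPO_BUNDLE = copy.deepcopy(SAMPLE_BUNDLE)
TYPO_BUNDLE["observations"][0]["type"] = "sighting"
OVERCOUNT_BUNDLE = copy.deepcopy(SAMPLE_BUNDLE)
OVERCOUNT_BUNDLE["observations"][0]["count"] = 200


def parse_ts(value):
    """Parse the RFC 3339 'Z' timestamps used in the examples into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def index_objects(bundle):
    """Map every id to its object; flag ids whose prefix disagrees with 'type', and duplicates."""
    index, problems = {}, []
    for key in ("sightings", "observations"):
        for obj in bundle.get(key, []):
            if obj["id"].split("--", 1)[0] != obj["type"]:
                problems.append(f"{obj['id']}: id prefix does not match type {obj['type']!r}")
            if obj["id"] in index:
                problems.append(f"{obj['id']}: duplicate id")
            index[obj["id"]] = obj
    return index, problems


def check_sighting(sighting, index):
    """Return problems with one sighting's references and its count/start/end."""
    problems, observations = [], []
    for ref in sighting.get("observation_refs", []):
        target = index.get(ref)
        if target is None:
            problems.append(f"{sighting['id']}: dangling observation_ref {ref}")
        elif target["type"] != "observation":
            problems.append(f"{sighting['id']}: {ref} is a {target['type']}, not an observation")
        else:
            observations.append(target)

    if "start" in sighting and "end" in sighting and parse_ts(sighting["start"]) > parse_ts(sighting["end"]):
        problems.append(f"{sighting['id']}: start is after end")
    if not observations:
        return problems

    # Reconcile the two sets of counts/times (assumed rules): the referenced
    # observations may not account for more events than the sighting claims
    # (an observation without a count is treated as one event, as in Option 4),
    # and their windows must fall inside the sighting's window.
    total = sum(o.get("count", 1) for o in observations)
    if "count" in sighting and total > sighting["count"]:
        problems.append(f"{sighting['id']}: observations total {total} exceeds count {sighting['count']}")
    starts = [parse_ts(o["start"]) for o in observations if "start" in o]
    ends = [parse_ts(o["end"]) for o in observations if "end" in o]
    if "start" in sighting and starts and min(starts) < parse_ts(sighting["start"]):
        problems.append(f"{sighting['id']}: an observation starts before the sighting window")
    if "end" in sighting and ends and max(ends) > parse_ts(sighting["end"]):
        problems.append(f"{sighting['id']}: an observation ends after the sighting window")
    return problems


def validate_bundle(bundle):
    """Run every check and return the list of problems; an empty list means consistent."""
    index, problems = index_objects(bundle)
    for sighting in bundle.get("sightings", []):
        problems.extend(check_sighting(sighting, index))
    return problems


if __name__ == "__main__":
    for name, bundle in (("sample", SAMPLE_BUNDLE), ("typo", TYPO_BUNDLE), ("overcount", OVERCOUNT_BUNDLE)):
        print(name, validate_bundle(bundle) or "consistent")
```

The type-versus-id-prefix check is what catches the mislabelled observations in the examples on this page; the reconciliation rules are where the Option 2 design question actually bites, since a producer and a consumer have to agree on them before a sighting's count can be aggregated safely.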

Examples

UC1: Simple +1

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "where_sighted_ref": "identity--1"
    }
  ]
}

UC2: Sighting with counts

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "where_sighted_ref": "identity--1"
    }
  ]
}

UC3: Sighting with count and CybOX

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "observation_refs": ["observation--1"],
      "where_sighted_ref": "identity--1",
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z"
    }
  ],
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}

UC4: No sighting, observation with count

{
  "type": "bundle",
  "id": "bundle--1",
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}

Option 3: Add sighting fields to observation

By merging the sighting fields into the observation fields, we can resolve the count/start/end inconsistencies and the confusion over the observation/sighting distinction. OTOH, Observation probably couldn't require CybOX, since you need to be able to report a sighting without saying exactly what you saw.

This is roughly similar to #1 in that the where_sighted_ref is just a relationship, except instead of a special relationship called sighting it's just an embedded relationship.

Pros and Cons

  • Has only a single object: kind of a con because some people talk about them as different things, kind of a pro because we minimize confusion other people have about the difference.
  • count/start/end on one object, so no inconsistencies there
  • Requires only 1 object for any particular use case
  • Adding a new sighting_of_ref is impossible for a third party and requires an update to the object by the first party

Examples

UC1: Simple +1

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "where_sighted_ref": "identity--1"
    }
  ]
}

UC2: Sighting with counts

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "where_sighted_ref": "identity--1"
    }
  ]
}

UC3: Sighting with count and CybOX

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "where_sighted_ref": "identity--1",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}

UC4: No sighting, observation with count

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}

Option 4: Move count/start/end to Sighting from Observation

In this modified approach, moving count (and adding start and end) to sighting optimizes for simplicity in that use case but precludes having a count on observation. The start and end times would remain on observation to capture when that single observation was seen.

Pros and Cons

  • Has a sighting object and an observation object: Kind of a pro because people talk about these things, kind of a con because other people get confused by the distinction
  • count/start/end only on sighting, so no complexities there
  • Requires only one object to report sightings without CybOX
  • Allows us to require CybOX on Observation (because you would never need to use observation without CybOX)
  • Precludes reporting observations with a count
  • Has some weird semantics when you say you saw a particular observation at a particular time, but 154 times

Examples

UC1: Simple +1

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "where_sighted_ref": "identity--1"
    }
  ]
}

UC2: Sighting with counts

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z",
      "where_sighted_ref": "identity--1"
    }
  ]
}

UC3: Sighting with count and CybOX

{
  "type": "bundle",
  "id": "bundle--1",
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "sighting_of_ref": "indicator--1",
      "observation_refs": ["observation--1"],
      "where_sighted_ref": "identity--1",
      "count": 154,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-02T00:00:00Z"
    }
  ],
  "observations": [
    {
      "type": "observation",
      "id": "observation--1",
      "created": "2016-07-02T00:00:00Z",
      "modified": "2016-07-02T00:00:00Z",
      "version": 1,
      "start": "2016-07-01T00:00:00Z",
      "end": "2016-07-01T00:00:01Z",
      "cybox": {
        "objects": [
          {
            "type": "file-object",
            "name": "malware.exe"
          }
        ]
      }
    }
  ]
}

UC4: No sighting, observation with count

Impossible, would require just creating multiple observations.