Just debating with the group…. I think I could take Sean’s bullet points and turn them into Sighting object concepts.
Bullet point #1: A sightings object ref_id to an observable
Bullet point #2: A sightings object ref_id to an low confidence indicator. Isn’t a low confidence indicator when you assert that you are not that sure of your opinion? Ie. “may” be of interest.
Bullet point #3: A sightings object ref_id to an higher confidence indicator
While it doesn’t provide the exact “what I saw portion”, I would be happy to reduce complexity here.
Aharon
From: <
cti-stix@lists.oasis-open.org > on behalf of "Barnum, Sean D." <
sbarnum@mitre.org >
Date: Wednesday, November 4, 2015 at 1:53 PM
To: Terry MacDonald <
terry@soltra.com >, "
cti-stix@lists.oasis-open.org " <
cti-stix@lists.oasis-open.org >
Subject: [cti-stix] Re: Some thoughts on Sightings and conversations to date (Part #2): the semantics of observation, indicator, incident, sightings, etc
I saw something. Here is what I saw. I saw something that I think is of interest. Here is what I saw. I saw something that has been explicitly declared as of interest. Here is what I saw