Hi Gary, "We wouldn't want to tie Observations directly back to an Intrusion Set or Campaign, we want to tie back an Incident. If I have 10 observations directly tied to a Campaign its difficult to know if they were part of the same incident, were they separate observations of just different parts of the campaign." The great thing about STIX and the new relationship model is that you can do all of them if you want. Tie observations to a campaign and an intrusion set and an incident, each with a different type of relationship. If we had kill chain as an object, then you would just relate the observation with the kill chain object that reflects the stage you want to associate the observation with, and pulling out the observations that were used in each different phase of the kill chain becomes easy. Having a kill chain cv inside an object means we can't associate different types of TLOs with a kill chain easily, and means we need to repeat adding the same kill chain cv to every TLO object in order to support recording the TLO phase. That seems suboptimal to me. I'd still much rather see us have a kill chain TLO and produce a set of 'library objects' that reflect the most common kill chains and their phases, and that would allow implementers to share the same objects for the common kill chains. Cheers Terry MacDonald > > -Gary > >