CTI STIX Subcommittee

Re: [cti-stix] Top-level Sighting Object from last meeting

  • 1.  Re: [cti-stix] Top-level Sighting Object from last meeting

    Posted 10-26-2015 21:30






    The goal here is to make it as easy as possible to just say, “I saw this”. The short of the story is, with the Sightings Object you can say “I saw this ref_id”.



    I ask that the SC review and give feedback. Fair warning, we may start flushing out the relationship object and identify overlap. 


    Aharon









    From: < cti-stix@lists.oasis-open.org > on behalf of Terry MacDonald < terry@soltra.com >
    Date: Monday, October 26, 2015 at 1:59 PM
    To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: [cti-stix] Top-level Sighting Object from last meeting








    Hi All,
     
    Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call
    me names.
     
    Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that
    Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.
     
    Cheers
     
    Terry MacDonald
    Senior STIX Subject Matter Expert
    SOLTRA   An FS-ISAC and DTCC Company
    +61 (407) 203 206
    terry@soltra.com