The goal here is to make it as easy as possible to just say, “I saw this”. The short of the story is, with the Sightings Object you can say “I saw this ref_id”.
I ask that the SC review and give feedback. Fair warning, we may start flushing out the relationship object and identify overlap.
Aharon
From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry@soltra.com>
Date: Monday, October 26, 2015 at 1:59 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Top-level Sighting Object from last meeting
Hi All,
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again. So here are the slides. Please feel free to comment/feedback/complain/call me names.
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.
Cheers
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com