Top Level Sighting Object
Why?
There is no independent way to say "I saw this".
Sightings are currently buried under Indicator.
Adding a Sighting means sending an updated Indicator.
If you have 1000 new sightings, that is a lot of Indicators to reissue.
A top-level Sighting Object allows Sightings to be sent independently.
Sighting Object discussion
Should a Sighting Object only reference "detected" information (e.g. Observable Instances only)?
OR
Should a Sighting Object reference any other top-level Object (e.g. Threat Actors, TTPs, etc.)?
OR
Should a Sighting Object reference some top-level Objects based on the STIX model (e.g. Threat Actors, TTPs, Indicators, Incident, Report)?
Sighting Object possible fields
One or more referenced objects (i.e. idref)
Sighting Count
Timestamp / Time Period
Victim Organization information
Producer Organization information
Sighting Confidence
TLP / Data Markings
Alternative Sighting ID
Sighting Type
Title
Description
Short Description
Version
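As an added example (not from the deck or any STIX specification), a minimal Python model of the proposed object built from the candidate fields above, with a validator and the per-Indicator aggregation that the first slide motivates; the field names, the Sighting Type values and the confidence vocabulary are assumptions.

```python
# Added example, not from the deck: a minimal model of the proposed top-level
# Sighting Object. Field names, Sighting Types and confidence values are assumed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set

TLP_LEVELS = {"WHITE", "GREEN", "AMBER", "RED"}
SIGHTING_TYPES = {"observed", "blocked", "analyst-confirmed"}  # constructed values

@dataclass
class Sighting:
    idref: str                 # id of the referenced top-level object (e.g. an Indicator)
    producer_org: str          # Producer Organization reporting the sighting
    count: int = 1             # Sighting Count
    first_seen: Optional[datetime] = None   # Timestamp / Time Period start
    last_seen: Optional[datetime] = None    # Time Period end
    victim_org: Optional[str] = None        # Victim Organization
    confidence: Optional[str] = None        # e.g. "High" (assumed vocabulary)
    tlp: str = "AMBER"                      # TLP / Data Marking
    sighting_type: str = "observed"
    title: str = ""
    description: str = ""

def validate(s: Sighting, known_ids: Set[str]) -> List[str]:
    """Return the problems found; an empty list means the sighting is well-formed."""
    problems = []
    if s.idref not in known_ids:
        problems.append(f"idref {s.idref!r} does not resolve to a known object")
    if s.count < 1:
        problems.append("count must be at least 1")
    if s.first_seen and s.last_seen and s.first_seen > s.last_seen:
        problems.append("time period starts after it ends")
    if s.tlp not in TLP_LEVELS:
        problems.append(f"unknown TLP level {s.tlp!r}")
    if s.sighting_type not in SIGHTING_TYPES:
        problems.append(f"unknown sighting type {s.sighting_type!r}")
    return problems

def total_sightings(sightings: List[Sighting], indicator_id: str) -> int:
    """Sum the counts for one Indicator; the Indicator itself is never reissued."""
    return sum(s.count for s in sightings if s.idref == indicator_id)

# Constructed sample: one Indicator published once, then sightings sent on their own.
KNOWN_IDS = {"indicator--example-1"}
_t = datetime(2015, 6, 1, tzinfo=timezone.utc)
SAMPLE_SIGHTINGS = [
    Sighting("indicator--example-1", "Org A", count=1000, first_seen=_t, last_seen=_t, tlp="GREEN"),
    Sighting("indicator--example-1", "Org B", count=50, victim_org="Org B", confidence="High"),
]
```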
Sighting Object UML Strawman