When you observe something like an IP Address (or a SCO in general), you indicate that using the Observed Data object. You don't need to use sightings to state that you have seen an SCO - because the observed data object already "says" that.
If you look at the sighting's sighting_of_ref property in the spec, it says that the reference must be to an SDO. Sightings are more to share an intelligence assertion. You want to share that you believe some high level fact is true at your site - i.e., you have seen evidence that a threat actor is active. You might put the SCO information in the observed_data_refs property, if you want to add those details (but it is optional).
Observable Data is an SDO, so it is "legal" to put a ref to one in the sighting_of_ref property, but as stated above, it is somewhat redundant. Additionally, since there is an explicit property to put Observable Data refs (observed_data_refs), it can be confusing.
I suggest we restrict the sighting_of_ref property to not support a reference to an Observable Data object.
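The modelling described in this issue, as an added example that is not part of the thread or of any STIX tooling: an IPv4 address SCO wrapped in an Observed Data object (which by itself already records that the address was seen), a Sighting whose sighting_of_ref points at a Threat Actor SDO and which carries the observation through observed_data_refs, and a check implementing the proposed restriction that sighting_of_ref must not reference an observed-data object. Plain dicts stand in for the stix2 library so the script runs offline; all identifiers, timestamps and the address value are constructed for this example, and the SDO type list is the STIX 2.1 set as this example understands it.

```python
import json

# Constructed sample identifiers and timestamp (not real data; fixed so runs are deterministic)
ORG_ID = "identity--0c7b5f7a-1d3e-4b1e-9f2a-6a4f7c2d9e01"
ACTOR_ID = "threat-actor--4f1c2b3d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"
ADDR_ID = "ipv4-addr--a1b2c3d4-e5f6-4a7b-8c9d-1e2f3a4b5c6d"
OBS_ID = "observed-data--b2c3d4e5-f6a7-4b8c-9d0e-2f3a4b5c6d7e"
SIGHT_ID = "sighting--c3d4e5f6-a7b8-4c9d-0e1f-3a4b5c6d7e8f"
T = "2024-01-01T00:00:00.000Z"

# STIX 2.1 SDO types (assumed list for this example); observed-data is an SDO but, per the
# proposal, is excluded from what sighting_of_ref may reference.
SDO_TYPES = {
    "attack-pattern", "campaign", "course-of-action", "grouping", "identity", "incident",
    "indicator", "infrastructure", "intrusion-set", "location", "malware", "malware-analysis",
    "note", "observed-data", "opinion", "report", "threat-actor", "tool", "vulnerability",
}


def make_ipv4(addr_id, value):
    """An IPv4 address SCO: the raw thing that was observed."""
    return {"type": "ipv4-addr", "spec_version": "2.1", "id": addr_id, "value": value}


def make_observed_data(obs_id, created_by, sco):
    """Observed Data already 'says' the SCO was seen: window, count and the SCO reference."""
    return {
        "type": "observed-data", "spec_version": "2.1", "id": obs_id,
        "created_by_ref": created_by, "created": T, "modified": T,
        "first_observed": T, "last_observed": T, "number_observed": 1,
        "object_refs": [sco["id"]],
    }


def make_sighting(sight_id, created_by, sighting_of, observed_data_ids):
    """A Sighting asserts a high-level fact (e.g. 'this actor is active here');
    the supporting SCO detail goes in observed_data_refs, not in sighting_of_ref."""
    return {
        "type": "sighting", "spec_version": "2.1", "id": sight_id,
        "created_by_ref": created_by, "created": T, "modified": T,
        "sighting_of_ref": sighting_of,
        "observed_data_refs": list(observed_data_ids),
        "where_sighted_refs": [created_by],
    }


def check_sighting(sighting):
    """Return a list of problems; an empty list means the sighting passes the proposed rule."""
    problems = []
    ref_type = sighting["sighting_of_ref"].split("--", 1)[0]
    if ref_type == "observed-data":
        problems.append("sighting_of_ref references observed-data; use observed_data_refs instead")
    elif ref_type not in SDO_TYPES:
        problems.append(f"sighting_of_ref must reference an SDO, got '{ref_type}'")
    for ref in sighting.get("observed_data_refs", []):
        if not ref.startswith("observed-data--"):
            problems.append(f"observed_data_refs entry is not an observed-data id: {ref}")
    return problems


# Constructed objects: the recommended shape (actor sighted, observation attached) ...
ADDR = make_ipv4(ADDR_ID, "192.0.2.10")  # TEST-NET-2 documentation address
OBSERVED = make_observed_data(OBS_ID, ORG_ID, ADDR)
GOOD_SIGHTING = make_sighting(SIGHT_ID, ORG_ID, ACTOR_ID, [OBS_ID])
# ... and the redundant shape the issue proposes to forbid (sighting_of_ref -> observed-data)
REDUNDANT_SIGHTING = make_sighting(SIGHT_ID, ORG_ID, OBS_ID, [OBS_ID])
# ... and an outright invalid one (sighting_of_ref -> an SCO, which the spec never allowed)
INVALID_SIGHTING = make_sighting(SIGHT_ID, ORG_ID, ADDR_ID, [OBS_ID])


def bundle(*objects):
    """Wrap objects in a STIX bundle dict (id constructed for the example)."""
    return {"type": "bundle", "id": "bundle--d4e5f6a7-b8c9-4d0e-1f2a-4b5c6d7e8f90",
            "objects": list(objects)}


if __name__ == "__main__":
    print(json.dumps(bundle(ADDR, OBSERVED, GOOD_SIGHTING), indent=2))
    for label, s in [("good", GOOD_SIGHTING), ("redundant", REDUNDANT_SIGHTING),
                     ("invalid", INVALID_SIGHTING)]:
        print(label, "->", check_sighting(s) or "ok")
```

Running the script prints the bundle and then `good -> ok`, one problem for the redundant sighting, and one for the invalid sighting. The check is the one a validator would gain if the proposal is adopted: it is stricter than the current spec text, which only requires an SDO.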