Open sbarnum opened 10 years ago
The following was previously in Issue #17 that has been merged into this issue:
Add ability to express ordered and unordered sets of observables with or without temporal windows/relationships.
For example, it would be helpful to express the temporal relationships between observed events and the creation/modification/removal/etc. of other observables.
I just added this same RFE to the STIX project for Indicator composition.
My proposal was to extend @OperatorTypeEnum, which currently only contains AND and OR, to have a third operator called SEQUENCE. However, I am not sure this will suffice at the CybOX observable level because an observable does not have a notion of Valid_Time_Position like a STIX indicator does.
It would be useful to add a temporal context to CybOX patterns such that you could say things like "Action A occurring > 5 times in 1 hour" or "Action B occurring less than 1 minute after Action A"
Real world use cases are numerous and often more complex than these simple examples.
This has been targeted since CybOX's initial creation but not yet implemented.
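The following is an added illustration, not code from the issue or from the CybOX project, of what the two kinds of temporal pattern described above could mean when evaluated against a stream of observed events: a count-in-window pattern ("Action A occurring > 5 times in 1 hour") and an ordered SEQUENCE pattern with a maximum gap ("Action B occurring less than 1 minute after Action A"). The `SEQUENCE` member of `OperatorTypeEnum`, the `Event` type, the function names and the sample events are all assumptions constructed for this example; CybOX defines none of them.

```python
"""Added example (not CybOX project code): a toy evaluator for the temporal
operators discussed in the issue.  OperatorTypeEnum.SEQUENCE, Event and the
helper functions are hypothetical; the events below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Sequence


class OperatorTypeEnum(Enum):
    AND = "AND"            # exists in CybOX
    OR = "OR"              # exists in CybOX
    SEQUENCE = "SEQUENCE"  # hypothetical third operator proposed in the issue


@dataclass(frozen=True)
class Event:
    action: str    # hypothetical: the observed action's name
    ts: datetime   # hypothetical: when it was observed


def count_within_window(events: Sequence[Event], action: str,
                        threshold: int, window: timedelta) -> bool:
    """'action occurring > threshold times in window'.

    Sorts the action's timestamps and slides a window over them; returns
    True as soon as any window of the given length holds more than
    `threshold` occurrences.
    """
    times = sorted(e.ts for e in events if e.action == action)
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:   # shrink from the left
            lo += 1
        if hi - lo + 1 > threshold:
            return True
    return False


def sequence_match(events: Sequence[Event], actions: Sequence[str],
                   max_gap: timedelta) -> bool:
    """Ordered SEQUENCE: each action must occur strictly after the previous
    one and less than `max_gap` later.  Every candidate anchor is tried, so
    an early non-matching occurrence of the first action does not hide a
    later match."""
    evs = sorted(events, key=lambda e: e.ts)

    def chain(i: int, prev_ts, remaining: List[str]) -> bool:
        if not remaining:
            return True
        for j in range(i, len(evs)):
            e = evs[j]
            if prev_ts is not None:
                gap = e.ts - prev_ts
                if gap >= max_gap:          # sorted: later events are further still
                    break
                if gap <= timedelta(0):     # must be strictly after
                    continue
            if e.action != remaining[0]:
                continue
            if chain(j + 1, e.ts, remaining[1:]):
                return True
        return False

    return chain(0, None, list(actions))


def evaluate(op: OperatorTypeEnum, events: Sequence[Event],
             actions: Sequence[str], max_gap: timedelta = None) -> bool:
    """Compose actions under an operator.  AND/OR ignore time, as the
    existing CybOX operators do; SEQUENCE adds ordering and a gap bound."""
    if op is OperatorTypeEnum.SEQUENCE:
        if max_gap is None:
            raise ValueError("SEQUENCE needs a max_gap")
        return sequence_match(events, actions, max_gap)
    present = [any(e.action == a for e in events) for a in actions]
    return all(present) if op is OperatorTypeEnum.AND else any(present)


# Constructed sample stream: six failed logins in 50 s, a success 20 s after
# the last failure, a new service 30 s after that, and one stray failure later.
_BASE = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    [Event("login_failed", _BASE + timedelta(seconds=s)) for s in range(0, 60, 10)]
    + [Event("login_ok", _BASE + timedelta(seconds=70)),
       Event("new_service", _BASE + timedelta(seconds=100)),
       Event("login_failed", _BASE + timedelta(hours=2))]
)

if __name__ == "__main__":
    print(count_within_window(SAMPLE_EVENTS, "login_failed", 5, timedelta(hours=1)))
    print(evaluate(OperatorTypeEnum.SEQUENCE, SAMPLE_EVENTS,
                   ["login_failed", "login_ok", "new_service"], timedelta(minutes=1)))
```

The count pattern is evaluated with a sliding window rather than fixed hourly buckets, so occurrences straddling a bucket boundary are not missed; the sequence pattern backtracks over every anchor for the same reason. Both show why the issue's point matters: an observable composed only with AND and OR cannot express either check, because neither operator carries a timestamp or an ordering.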