johnwunder / twigs

STIX 2.0 Strawman
http://twigs-cti.herokuapp.com/
MIT License

Are CybOX <Object> IDs used in STIX? #29

Open terrymacdonald opened 8 years ago

terrymacdonald commented 8 years ago

PROBLEM

There is some confusion as to whether cybox:Object IDs are actually useful within STIX. Using the example below:

<cybox:Observables>
    <cybox:Observable id="example:Observable-e8ecf273-4f4d-46f2-834e-9381c30799d5">
        <cybox:Object id="example:Object-8108c0dc-bded-4b0c-b423-8b92ef1d6503">
            <cybox:Properties xsi:type="AddrObj:AddressObjectType" category="ipv4-addr">
                <AddrObj:Address_Value>192.168.1.1</AddrObj:Address_Value>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

Most of the time the Observable is the one being referenced. The Object appears to be a layer that is there to add flexibility to a structure that is already potentially ‘overly’ flexible. Implementers are required to record and track the cybox:Object IDs, even though they appear to be infrequently used.

POTENTIAL ANSWER

Do we actually require both the CybOX Object and CybOX Observable layers? Can they be combined together without too much loss of flexibility? Maybe something closer to the following structure:

<stix:Observation id="example:Observation-fe2c7b98-6e75-462b-b94f-e18024d4f4f0">
    <cybox:Object id="example:Object-8108c0dc-bded-4b0c-b423-8b92ef1d6503">
        <cybox:Properties xsi:type="AddrObj:AddressObjectType" category="ipv4-addr">
            <AddrObj:Address_Value>192.168.1.1</AddrObj:Address_Value>
        </cybox:Properties>
    </cybox:Object>
</stix:Observation>

Observation has an Object that has Properties.

This topic is closely related to section 23 – “Which to use? Indicator Composition, Observable Composition, or referenced Object?”, and should probably be discussed as part of that.
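
An added example, not part of the original issue: a Python check that counts, per element type, how many `id` values in a CybOX document are ever the target of an `idref`, which is one way to measure on real content whether Object IDs are referenced at all. The second Observable in the sample, the `example` namespace URI and the function name `audit_ids` are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the Observable from the issue plus a hypothetical
# composition Observable that points at it by idref.
SAMPLE = """\
<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddrObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:example="http://example.com/">
  <cybox:Observable id="example:Observable-e8ecf273-4f4d-46f2-834e-9381c30799d5">
    <cybox:Object id="example:Object-8108c0dc-bded-4b0c-b423-8b92ef1d6503">
      <cybox:Properties xsi:type="AddrObj:AddressObjectType" category="ipv4-addr">
        <AddrObj:Address_Value>192.168.1.1</AddrObj:Address_Value>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
  <cybox:Observable id="example:Observable-00000000-0000-4000-8000-000000000001">
    <cybox:Observable_Composition operator="OR">
      <cybox:Observable idref="example:Observable-e8ecf273-4f4d-46f2-834e-9381c30799d5"/>
    </cybox:Observable_Composition>
  </cybox:Observable>
</cybox:Observables>
"""

def audit_ids(xml_text):
    """Return (per-element-type id usage, idrefs that resolve to nothing)."""
    # The sample is embedded; parse feeds from outside parties with a hardened parser.
    root = ET.fromstring(xml_text)
    defined, refs = {}, Counter()
    for el in root.iter():
        kind = el.tag.rsplit("}", 1)[-1]      # strip the "{namespace}" prefix
        if "id" in el.attrib:
            defined[el.attrib["id"]] = kind
        if "idref" in el.attrib:
            refs[el.attrib["idref"]] += 1
    report = {}
    for ident, kind in defined.items():
        row = report.setdefault(kind, {"defined": 0, "referenced": 0, "unreferenced": []})
        row["defined"] += 1
        if refs[ident]:
            row["referenced"] += 1
        else:
            row["unreferenced"].append(ident)
    dangling = sorted(r for r in refs if r not in defined)
    return report, dangling

if __name__ == "__main__":
    print(audit_ids(SAMPLE))
```

On the sample, the Object ID is defined once and never referenced, while one of the two Observable IDs is the target of an idref.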