oasis-tcs / cti-stix2

OASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products
https://github.com/oasis-tcs/cti-stix2

Can sightings support multiple objects? #295

Closed danielkelley743 closed 1 year ago

danielkelley743 commented 1 year ago

I have been reading through the documentation and don't see a way to create a sighting that infers multiple objects.

        {
            "type": "sighting",
            "spec_version": "2.1",
            "id": "sighting--8356e820-8080-4692-aa91-ecbe94006836",
            "created_by_ref": "identity--5206ba14-478f-4b0b-9a48-395f690c20a2",
            "created": "2017-02-28T19:37:11.213Z",
            "modified": "2017-02-28T19:37:11.213Z",
            "first_seen": "2017-02-27T21:37:11.213Z",
            "last_seen": "2017-02-27T21:37:11.214Z",
            "count": 1,
            "description": "test",
            "sighting_of_ref": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd",
            "where_sighted_refs": [
                "identity--5206ba14-478f-4b0b-9a48-395f690c20a2"
            ]
        }

I have tried pointing sighting_of_ref to an observable object like this "sighting_of_ref": "observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1", (which contains multiple object refs) but no luck:

      {
          "type": "observed-data",
          "spec_version": "2.1",
          "id": "observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1",
          "created_by_ref": "identity--39012926-a052-44c4-ae48-caaf4a10ee6e",
          "created": "2017-02-28T19:37:11.213Z",
          "modified": "2017-02-28T19:37:11.213Z",
          "first_observed": "2017-02-27T21:37:11.213Z",
          "last_observed": "2017-02-27T21:37:11.213Z",
          "number_observed": 1,
          "object_refs": [
              "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd",
              "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742ee"
          ]
        },

What is the correct way to do this?

rpiazza commented 1 year ago

Hi,

When you observe something like an IP Address (or a SCO in general), you indicate that using the Observed Data object - as you did above. You don't need to use sightings to state that you have seen an SCO - because the observed data object already "says" that.

However, since an Observed Data object is an SDO - I am surprised the API didn't let you. Perhaps you can send us a stack trace or some other info.

If you look at the sighting's sighting_of_ref property in the spec, it says that the reference must be to an SDO. Sightings are more to share an intelligence assertion. You want to share that you believe some high level fact is true at your site - i.e., you have seen evidence that a threat actor is active. You might put the SCO information in the observed_data_refs property, if you want to add those details (but it is optional).

Sharing that you think a threat actor is active because you saw an IP Address would be helpful by sharing an indicator that says - look for that IP address.

But thanks for bringing this up. The specification should be clearer.
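Added example, not code from this issue or from the OASIS repository: a small check of the Sighting constraints described in the reply above, and a Sighting built the way the spec intends (sighting_of_ref names exactly one SDO; the SCO detail travels in observed_data_refs). The sample objects are constructed to mirror the ones posted in the thread; the indicator id is hypothetical, the treatment of an `x-` prefix as "custom object" is an assumption, and no stix2 library is required.

```python
import uuid
from datetime import datetime, timezone

# STIX 2.1 domain object (SDO) types. sighting_of_ref MUST reference one of
# these or a custom object; SCOs such as ipv4-addr are not on the list.
SDO_TYPES = {
    "attack-pattern", "campaign", "course-of-action", "grouping", "identity",
    "incident", "indicator", "infrastructure", "intrusion-set", "location",
    "malware", "malware-analysis", "note", "observed-data", "opinion",
    "report", "threat-actor", "tool", "vulnerability",
}


def ref_type(ref):
    """'ipv4-addr--ff26c055-...' -> 'ipv4-addr'."""
    return ref.split("--", 1)[0]


def check_sighting(sighting):
    """Return the list of reference violations (empty when the Sighting is fine)."""
    problems = []
    ref = sighting.get("sighting_of_ref")
    if not isinstance(ref, str):
        # The property holds exactly one identifier, so a list is invalid.
        problems.append("sighting_of_ref must be a single identifier string")
    else:
        t = ref_type(ref)
        # Assumption: custom object types are recognised by their 'x-' prefix.
        if t not in SDO_TYPES and not t.startswith("x-"):
            problems.append(f"sighting_of_ref points at {t!r}, which is not an SDO")
    for ref in sighting.get("observed_data_refs", []):
        if ref_type(ref) != "observed-data":
            problems.append(f"observed_data_refs entry {ref!r} is not observed-data")
    for ref in sighting.get("where_sighted_refs", []):
        if ref_type(ref) not in ("identity", "location"):
            problems.append(f"where_sighted_refs entry {ref!r} is not identity/location")
    return problems


def stix_timestamp(dt):
    """RFC 3339 UTC timestamp with millisecond precision, as STIX objects use."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_sighting(sdo_id, observed_data_ids, sighted_by, when=None, count=1):
    """Sighting of one SDO; the observations ride along in observed_data_refs."""
    ts = stix_timestamp(when or datetime.now(timezone.utc))
    sighting = {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created_by_ref": sighted_by,
        "created": ts,
        "modified": ts,
        "first_seen": ts,
        "last_seen": ts,
        "count": count,
        "sighting_of_ref": sdo_id,
        "observed_data_refs": list(observed_data_ids),
        "where_sighted_refs": [sighted_by],
    }
    problems = check_sighting(sighting)
    if problems:
        raise ValueError("; ".join(problems))
    return sighting


# Constructed samples reproducing the two shapes posted in the thread.
IDENTITY = "identity--5206ba14-478f-4b0b-9a48-395f690c20a2"
OBSERVED = "observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1"
INDICATOR = "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"  # hypothetical id

SCO_SIGHTING = {  # sighting_of_ref pointing straight at an SCO
    "type": "sighting", "spec_version": "2.1",
    "sighting_of_ref": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd",
    "where_sighted_refs": [IDENTITY],
}
LIST_SIGHTING = {  # sighting_of_ref given as a list
    "type": "sighting", "spec_version": "2.1",
    "sighting_of_ref": ["domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5",
                        "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742de"],
    "where_sighted_refs": [IDENTITY],
}

if __name__ == "__main__":
    print(check_sighting(SCO_SIGHTING))
    print(check_sighting(LIST_SIGHTING))
    ok = build_sighting(INDICATOR, [OBSERVED], IDENTITY)
    print(check_sighting(ok), ok["sighting_of_ref"], ok["observed_data_refs"])
```

The check is deliberately narrow: it looks only at the reference properties the thread is about, so a tool that accepts `SCO_SIGHTING` or `LIST_SIGHTING` without complaint is being lenient, not conforming.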

danielkelley743 commented 1 year ago

Interesting.

Just some clarification on my strange request:

I'm trying to find a way to keep track of entire STIX2 bundle imports in OpenCTI. I need a point of reference in STIX2. The closest thing I could find, for doing this, would be sightings which is why I'm trying to do it this way. I need to be able to say, for example, that a set of data (ip addresses, domain names etc) inside a STIX2 bundle were imported on a specific day, and then keep track of that bundle if that makes sense.

Any additional input is appreciated; however, your answer has been helpful, thank you.

clenk commented 1 year ago

In STIX 2, bundles are not supposed to have any semantic meaning, and aren't considered related, but the Grouping object does. Would you be able to use the Grouping object for this? Does OpenCTI track when objects were added? Some tools, such as a TAXII server, will track that outside of the STIX objects themselves.

danielkelley743 commented 1 year ago

Guys, your input has been very valuable, thank you!

Just a final QQ: is it possible to map multiple observable or object types to "sighting_of_ref" ?

Right now, I am using it like this:

        {
            "type": "sighting",
            "spec_version": "2.1",
            "id": "sighting--8356e820-8080-4692-aa91-ecbe94006836",
            "created_by_ref": "identity--f7f3f047-1009-5e3b-afac-6dfee45e65fa",
            "created": "2017-02-28T19:37:11.213Z",
            "modified": "2017-02-28T19:37:11.213Z",
            "first_seen": "2017-02-27T21:37:11.213Z",
            "last_seen": "2017-02-27T21:37:11.214Z",
            "count": 1,
            "description": "test",
            "sighting_of_ref": "observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1",
            "where_sighted_refs": [
                "identity--f7f3f047-1009-5e3b-afac-6dfee45e65fa"
            ]
        }

But desire to do something like this:

        {
            "type": "sighting",
            "spec_version": "2.1",
            "id": "sighting--8356e820-8080-4692-aa91-ecbe94006836",
            "created_by_ref": "identity--f7f3f047-1009-5e3b-afac-6dfee45e65fa",
            "created": "2017-02-28T19:37:11.213Z",
            "modified": "2017-02-28T19:37:11.213Z",
            "first_seen": "2017-02-27T21:37:11.213Z",
            "last_seen": "2017-02-27T21:37:11.214Z",
            "count": 1,
            "description": "test",
            "sighting_of_ref": [
              "domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5",
              "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742de"
            ],
            "where_sighted_refs": [
                "identity--f7f3f047-1009-5e3b-afac-6dfee45e65fa"
            ]
        }

Based on the documentation, I am guessing it's not possible?

> An ID reference to the SDO that was sighted (e.g., Indicator or Malware).
> For example, if this is a Sighting of an Indicator, that Indicator’s ID would be the value of this property.
> This property MUST reference only an SDO or a Custom Object.

rpiazza commented 1 year ago

@danielkelley743 - the issue is that the sighting_of_ref's value is a single identifier reference, so a list of them wouldn't be valid. @clenk suggested the grouping SDO, which you could use in this use case, but also instead of the sighting object for your overall use case. Lastly, if you are using TAXII, it contains manifests, which indicate when an object was "added".