Thanks to visit codestin.com
Credit goes to Github.com

Skip to content

EnhancedSighting

Jump to bottom Edit New page
Alexandre Dulaunoy edited this page Feb 18, 2017 · 2 revisions

Enhanced Sighting

The original version of sighting was basically very minimal (even if this is was already an improvement over the STIX 1.0 sighting).

Old format (pre 2.4.65)

+---------------+------------+------+-----+---------+----------------+
| Field         | Type       | Null | Key | Default | Extra          |
+---------------+------------+------+-----+---------+----------------+
| id            | int(11)    | NO   | PRI | NULL    | auto_increment |
| attribute_id  | int(11)    | NO   | MUL | NULL    |                |
| event_id      | int(11)    | NO   | MUL | NULL    |                |
| org_id        | int(11)    | NO   | MUL | NULL    |                |
| date_sighting | bigint(20) | NO   |     | NULL    |                |
+---------------+------------+------+-----+---------+----------------+

Extended format (starting from 2.4.66)

Based on common use-cases, sighting can come from various source (honeypot, IDS sensor id, SIEM). source is an optional free text field assigned by the organisation to uniquely identify the source of a specific sighting. uuid has been added to allow the sharing of the sightings. type describes the type of sighting which is by default 0 (the original definition).

type list:

  • (0) default sighting meaning the referenced attribute has been sighted.
  • (1) a false-positive sighting meaning the sighing has been interpreted as a false-positive by the organisation.
  • (2) an expiration sighting which defines when the referenced attribute is expired following the defined date_sighting.
+---------------+------------+------+-----+---------+----------------+
| Field         | Type       | Null | Key | Default | Extra          |
+---------------+------------+------+-----+---------+----------------+
| id            | int(11)    | NO   | PRI | NULL    | auto_increment |
| uuid          | varchar(40)| NO   | UNI | NULL    |                |
| attribute_id  | int(11)    | NO   | MUL | NULL    |                |
| event_id      | int(11)    | NO   | MUL | NULL    |                |
| org_id        | int(11)    | NO   | MUL | NULL    |                |
| source        | varchar(255)| NO  |     | NULL    |                |
| type          | int(11)    | NO   |     | 0       |                | 
| date_sighting | bigint(20) | NO   |     | NULL    |                |
+---------------+------------+------+-----+---------+----------------+

The new fields are source, type, uuid.

Add a custom footer
Add a custom sidebar

Clone this wiki locally