Sighting
A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior.
The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted.
Sighting relationships relate three aspects of the sighting:
- What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref)
- Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs)
- What was actually seen on systems and networks, represented as Observed Data (observed_data_refs)
What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide that level of detail in order to provide value.
Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious.
Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor".
Properties
Property | Type | Description |
---|---|---|
type optional | string | The type of this object, which MUST be the literal `sighting`. |
description optional | string | A description that provides more details and context about the Sighting. |
first_seen optional | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'. |
last_seen optional | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'. |
count optional | integer | This is an integer between 0 and 999,999,999 inclusive and represents the number of times the object was sighted. |
sighting_of_ref required |  | An ID reference to the object that has been sighted. |
observed_data_refs optional | list | A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting. |
where_sighted_refs optional | list | A list of ID references to the Identity or Location objects describing the entities or types of entities that saw the sighting. |
summary optional | boolean | The summary property indicates whether the Sighting should be considered summary data. |
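The following is an added example, not code from the STIX specification or from any STIX library. It builds a Sighting as a plain dictionary and checks it against the rules stated above: the literal type `sighting`, a required `sighting_of_ref`, RFC3339 timestamps ending in `Z`, `count` within 0..999,999,999, and reference lists that point at Observed Data and Identity or Location objects. Two things are assumptions on top of the page: that STIX objects carry an `id` of the form `<type>--<uuid>`, and that `last_seen` must not precede `first_seen`. All object ids in the code are constructed.

```python
"""Build and validate a minimal STIX 2.x Sighting relationship object.

Added example; encodes the Sighting rules from the property table above.
Assumptions: objects carry an "id" shaped "<type>--<uuid>", and last_seen
must not precede first_seen. All ids used here are constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# RFC3339 timestamp with the mandatory 'Z' zone designator (fraction optional).
_TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
# Assumed STIX identifier shape: "<object-type>--<uuid>".
_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
COUNT_MAX = 999_999_999


def make_sighting(sighting_of_ref, *, where_sighted_refs=None, observed_data_refs=None,
                  count=None, first_seen=None, last_seen=None, description=None,
                  summary=None):
    """Assemble a Sighting dict; optional properties are emitted only when given."""
    obj = {
        "type": "sighting",
        "id": f"sighting--{uuid.uuid4()}",  # assumption: "id" is not in the table above
        "sighting_of_ref": sighting_of_ref,  # the one required reference
    }
    optional = {
        "where_sighted_refs": where_sighted_refs,
        "observed_data_refs": observed_data_refs,
        "count": count,
        "first_seen": first_seen,
        "last_seen": last_seen,
        "description": description,
        "summary": summary,
    }
    obj.update({k: v for k, v in optional.items() if v is not None})
    return obj


def _parse_ts(value):
    """Parse an already regex-checked 'Z' timestamp, keeping fractional seconds."""
    base, _, frac = value[:-1].partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.replace(microsecond=int((frac + "000000")[:6]) if frac else 0)


def validate_sighting(obj):
    """Return a list of rule violations; an empty list means the object passes."""
    errors = []
    if obj.get("type") != "sighting":
        errors.append("type must be the literal 'sighting'")
    ref = obj.get("sighting_of_ref")
    if not isinstance(ref, str) or not _ID_RE.match(ref):
        errors.append("sighting_of_ref is required and must be an ID reference")
    # Timestamps: RFC3339 with 'Z'; ordering check is an assumption beyond the table.
    stamps = {}
    for key in ("first_seen", "last_seen"):
        if key in obj:
            if isinstance(obj[key], str) and _TIMESTAMP_RE.match(obj[key]):
                stamps[key] = _parse_ts(obj[key])
            else:
                errors.append(f"{key} must be an RFC3339 timestamp ending in 'Z'")
    if len(stamps) == 2 and stamps["last_seen"] < stamps["first_seen"]:
        errors.append("last_seen precedes first_seen")
    if "count" in obj:
        c = obj["count"]
        if isinstance(c, bool) or not isinstance(c, int) or not 0 <= c <= COUNT_MAX:
            errors.append(f"count must be an integer between 0 and {COUNT_MAX}")
    # Reference lists must point at the object types the table names.
    for key, prefixes in (("observed_data_refs", ("observed-data--",)),
                          ("where_sighted_refs", ("identity--", "location--"))):
        refs = obj.get(key)
        if refs is None:
            continue
        if not isinstance(refs, list) or not all(
            isinstance(r, str) and _ID_RE.match(r) and r.startswith(prefixes) for r in refs
        ):
            errors.append(f"{key} must be a list of {' or '.join(prefixes)} ID references")
    if "summary" in obj and not isinstance(obj["summary"], bool):
        errors.append("summary must be a boolean")
    return errors


if __name__ == "__main__":
    # Constructed ids: the sighted indicator, who saw it, and the raw observation.
    sighting = make_sighting(
        "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
        where_sighted_refs=["identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"],
        observed_data_refs=["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
        count=3,
        first_seen="2024-03-01T12:00:00Z",
        last_seen="2024-03-02T12:00:00.500Z",
    )
    print(json.dumps(sighting, indent=2))
    print("violations:", validate_sighting(sighting))
```

The validator returns a list of violations rather than raising on the first one, so a feed consumer can log every problem with an incoming Sighting at once; the ordering check on `first_seen`/`last_seen` parses the timestamps instead of comparing strings, because fractional seconds make lexicographic comparison unreliable.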