Sighting Entities
A Sighting is a record of the appearance of a cyber threat indicator match at a given date and time. This can be a pattern match in a rule-matching engine or expert system, or a match against an observable-feed-based indicator such as an IP or domain blacklist.
Sightings can optionally include cyber threat observables, such as domain names, URLs, IP addresses, file hashes, registry keys, and more. When a sighting includes an observable and has a relationship to an indicator, it provides threat intelligence context about the observable, allowing a threat analyst or incident responder to understand why the observable warranted the creation of a sighting.
Sighting Field Summary
Required Sighting Fields
- observed_time - Must include a start_time datetime string. This field documents the point in time when the observable was seen. See below for an example.
- confidence - Must be one of ["Info", "Low", "Medium", "High", "None", "Unknown"].
- count - The number of times the observable was seen.
Optional Sighting Fields
- observables - The object(s) of interest, structured as an observable, defined above.
- relations - Relations within a sighting, which provide context about where the observable(s) came from. See below for more information.
- internal - A boolean value describing whether this sighting is internal to our network.
- severity - Must be one of the following: ["Info", "Low", "Medium", "High", "None", "Unknown"].
- resolution - Must be one of the following: ["detected", "blocked", "allowed", "contained"].
. - sensor - The OpenC2 Actuator name that best fits the device that is creating this sighting (for example, network-firewall, sensor, endpoint, network-device, human). Valid sensor types are enumerated in the CTIM vocabularies schema.
- targets - An enumeration of target devices where the sighting came from. See below for more information.
Targets
Target entries are structured as follows:
Target Field Summary
Required Target Fields
- type - Must be a sensor type, as defined above.
- observables - Must be a vector of observables, as defined above.
- observed_time - The time at which the observable was seen.
Optional Target Fields
- os - Operating system name.
- properties_data_tables - A URI leading to a data table.
Example Target
```json
{
  "type": "network.firewall",
  "observables": [
    {
      "type": "ip",
      "value": "187.75.16.75"
    }
  ],
  "observed_time": {
    "start_time": "2019-03-01T20:01:27.368Z"
  }
}
```
Observables vs Observed Relations
Earlier we discussed that not everything we are able to observe merits being turned into an observable. For sightings, this is made even more explicit by the inclusion of the relations field, which allows us to provide additional context about the observable that is the object of the sighting.
For example, we have a known malicious domain (baddomain.com). At the time that we saw the domain being contacted (triggering the creation of a sighting), we might know that the domain resolved to the IPv4 address 8.8.8.8. We know from months of tracking this malicious domain that it is bad news. However, we would not create a second judgment on the associated IPv4 address, because the IP isn't the actual observable that triggered our malicious judgment. It is useful context, but it is not a malicious IP address; it is actually the IP address of Google's public DNS servers.
Instead, the fact that this domain resolved to this IP address at the time of the sighting should be captured in the relations key of the sighting.
Observed Relation Field Summary
- origin - Origin of this relation information.
- origin_uri - Optional URI of origin data.
- source - The main observable of the sighting.
- related - The related observable that is defined by the relation, below.
- relation - The nature of the relationship between the observables. The relations that can exist between observables form an "open vocabulary", so you can add your own. However, the CTIM Schema already provides a very thorough collection of predefined observable relations.
Example Observed Relation
```json
{
  "origin": "Modeling Threat Intelligence in CTIM Tutorial",
  "origin_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
  "source": {
    "type": "domain",
    "value": "baddomain.com"
  },
  "related": {
    "type": "ip",
    "value": "8.8.8.8"
  },
  "relation": "Resolved_To"
}
```
Example Sighting
```json
{
  "type": "sighting",
  "source": "Modeling Threat Intelligence in CTIM Tutorial",
  "source_uri": "https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
  "observables": [
    {
      "type": "ip",
      "value": "187.75.16.75"
    }
  ],
  "external_ids": [
    "ctim-tutorial-sighting-7b36e0fa2169a3ca330c7790f63c97fd3c9f482f88ee1b350511d8a51fcecc8d"
  ],
  "id": "transient:ctim-tutorial-sighting-7b36e0fa2169a3ca330c7790f63c97fd3c9f482f88ee1b350511d8a51fcecc8d",
  "count": 1,
  "severity": "High",
  "tlp": "green",
  "timestamp": "2019-03-01T20:01:27.368Z",
  "confidence": "High",
  "observed_time": {
    "start_time": "2019-03-01T20:01:27.368Z"
  }
}
```
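As an added example (not part of the CTIM tutorial or the ctim project), the Python below builds the baddomain.com sighting discussed under Observables vs Observed Relations, recording the 8.8.8.8 resolution as an observed relation rather than as a second observable or judgment, and checks a sighting against the required-field and vocabulary rules from the field summaries above. The function names and the sample values are the example's own.

```python
# Vocabularies as given in the field summaries on this page.
CONFIDENCE = {"Info", "Low", "Medium", "High", "None", "Unknown"}
RESOLUTION = {"detected", "blocked", "allowed", "contained"}


def build_sighting(domain, resolved_ip, seen_at, origin, origin_uri):
    """Build a sighting whose observable is the malicious domain and whose
    DNS answer is recorded as an observed relation, not as a second
    observable (and not as a judgment on the IP)."""
    return {
        "type": "sighting",
        "source": origin,
        "source_uri": origin_uri,
        "observables": [{"type": "domain", "value": domain}],
        "relations": [{
            "origin": origin,
            "origin_uri": origin_uri,
            "source": {"type": "domain", "value": domain},
            "related": {"type": "ip", "value": resolved_ip},
            "relation": "Resolved_To",
        }],
        "count": 1,
        "confidence": "High",
        "resolution": "detected",
        "observed_time": {"start_time": seen_at},
    }


def validate_sighting(s):
    """Return a list of problems; an empty list means the sighting satisfies
    the required-field and vocabulary rules from the field summaries."""
    problems = []
    for field in ("observed_time", "confidence", "count"):
        if field not in s:
            problems.append(f"missing required field {field}")
    if "start_time" not in s.get("observed_time", {}):
        problems.append("observed_time must include start_time")
    if s.get("confidence") not in CONFIDENCE:
        problems.append(f"bad confidence {s.get('confidence')!r}")
    if "resolution" in s and s["resolution"] not in RESOLUTION:
        problems.append(f"bad resolution {s['resolution']!r}")
    # A relation's source is "the main observable of the sighting" (see above).
    observables = {(o["type"], o["value"]) for o in s.get("observables", [])}
    for rel in s.get("relations", []):
        src = (rel["source"]["type"], rel["source"]["value"])
        if src not in observables:
            problems.append(f"relation source {src} is not a sighting observable")
    return problems
```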