Stix Difficulties: Observable Patterns and Observable Instances differences aren’t easily discerned

[terrymacdonald]

PROBLEM

Observables, Observable Patterns and Observable Instances aren’t easy for new Users to understand and discern the differences between. It took me months to realize that that Observables were actually made up of CybOX Observable Instances and CybOX Observable Patterns.

The difference between the CybOX Observable Instances and CybOX Observable Patterns and the rules to tell them apart are not obvious enough.

This leads on to the fact that Indicator Observables are often used to describe Observable Instances, when they really should be storing the things we are looking for - Observable Patterns. Observable Instances should instead be described separately within the STIX Observables construct and then referenced back as Sightings.

POTENTIAL ANSWER

The name of Observable Instances should be changed to become STIX ‘Observations’. This would provide the following hierarchy:

CybOX Observable -> STIX Observation.

STIX Observations should be restricted from used within the STIX Indicator object.
The name of Observable Patterns should be changed to become STIX ‘Patterns’. STIX Patterns should only be allowed to live within the STIX Indicator Object, describing what one would need to look for in order for the Indicator to trigger. This would provide the following hierarchy:

CybOX Observable -> STIX Pattern -> STIX Indicator.

This will help greatly with Sightings (in conjunction with the top-level relationship object), as a Sighting now becomes as easy as sending a new Sighting object and a relationship object back to the producer of the Indicator. This will allow Indicator producers to get independent feedback from third-parties with Sightings of that Indicator. This will potentially help producers refine their Indicators to make them reliable.