Stix Difficulties: Which to use? Indicator Composition, Observable Composition, or referenced Object?

[terrymacdonald]

PROBLEM

There are multiple ways that Indicators and Objects can be composed/related together as part of an Indicator. If a producer has discovered an Indicator of badness that describes an email with an attachment, there are a few different ways of describing that:
 
Too many ways to compose Indicators, Observables and Objects together

1. A composite indicator including two indicators, with the first referencing the email Observable with a single email object, and the other Indicator referencing the attachment Observable with a single attachment object
2. A single indicator including an Observable Composition, with the first Observable containing a single email object, and the 2nd Observable containing a single attachment object
3. A single indicator including a single Observable containing two Objects – the first Object describing the email, and it containing a Related_Object reference to the single attachment object.

This is multiple levels of variability, and very confusing for new users of STIX. There must be a way of making it simpler – or even better restricting it to the ‘one way to do it’.

POTENTIAL ANSWER

All three layers of variation may not be required. Anecdotally it seems most people are only really using Observable_Compositions. This may indicate that Indicator_Composition and Related_Objects are not required in STIX v2.0.

We should do a survey to see who is using what, and use that evidence as the basis for our future design.

Section 24- “Are CybOX IDs used in STIX?” has some details on the use of Object ID’s as there have been some questions whether Cybox:Objects actually need IDs at all. This topic and that topic are closely related.