Should Observed Data objects be referred to in sighting_of_ref property of Sightings

[rpiazza]

Kinda seems nonsensical....

[rpiazza]

Sightings relate an SDO to one or more Observed Data objects.

For example:

• an Indicator was sighted because I observed SCOs that matched the Indicator's pattern
• I observed some SCO, therefore I have sighted a threat actor (with high confidence)

The normative statement for sighting_of_ref property is: This property MUST reference only an SDO.

But this is misleading because that implies you can put a reference to an Observed Data object (which is an SDO w/ time period) as the value of the sightings_of_ref property. That doesn't make much sense because Sightings are for making inferences about what is known because some SCOs have been observed.

Saying you know you observed some SCO because another SCO was observed doesn't make much sense because Observed Data objects explicitly says that an SDO was observed at a particular time. Observing SCOs isn't really doesn't infer you saw another SCO. The only way to know that is if you have an Observed Data for the latter SCO.