twigs / core data model / observation

An observation of potentially malicious activity.

Fields

| Name | Type | Description |
|---|---|---|
| `type` | `["observation"]` | Hardcoded value to indicate what type of construct this is |
| `id` | `string` | Globally unique identifier for this construct. |
| `revision` | `integer` | The revision number of this construct. MUST be omitted if this is the first version, otherwise required. |
| `created_at` | `string` | Time at which this construct was created. |
| `external_ids` | `array <object>` | A list of external identifiers by which this construct may be known. |
| `external_ids[].source` | `string` | The source of this ID, i.e. name of an external system. |
| `external_ids[].id` | `string` | ID itself |
| `external_ids[].link` | `string` | A link to this construct in the external system |
| `producer_ref` | `string` | ID to the information source that produced this content |
| `marking_refs` | `array <string>` | The set of markings to be applied to this construct |
| `structured_markings` | `array <structured-marking>` | The set of L2 markings to be applied to this construct |
| `structured_markings[].controlled_structures` | `array <string>` | A list of JSONPath statements, rooted at the top-level object that the structured_markings key is contained in, that the marking_refs apply to. |
| `structured_markings[].marking_refs` | `array <string>` | The set of markings applied to the fields selected by the controlled_structures. |
| `object` | `object` | CybOX object that characterizes this construct |
| `action` | `object` | CybOX action that characterizes this construct |
| `observed_at` | `array <string>` | A list of times that this sighting was observed. |
| `observed_at_precision` | `string` | |
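
An added example, not part of the twigs documentation: a structural check of an observation object against the field table above, of the kind one would run on objects received from an untrusted feed before storing them. Treating `type` and `id` as required, reporting unknown keys, the JSON encoding, and every value in `SAMPLE` are assumptions.

```python
import json
# Field table as a type spec: [T] = array <T>, {...} = object with known sub-fields.
SCHEMA = {
    "type": str, "id": str, "revision": int, "created_at": str,
    "external_ids": [{"source": str, "id": str, "link": str}],
    "producer_ref": str, "marking_refs": [str],
    "structured_markings": [{"controlled_structures": [str], "marking_refs": [str]}],
    "object": dict, "action": dict,   # CybOX content is not inspected here
    "observed_at": [str], "observed_at_precision": str,
}

def check(value, spec, path, errors):
    """Recursively compare value with spec, recording JSONPath-style error locations."""
    if isinstance(spec, list):
        if not isinstance(value, list):
            errors.append(f"{path}: expected array")
            return
        for i, item in enumerate(value):
            check(item, spec[0], f"{path}[{i}]", errors)
    elif isinstance(spec, dict):
        if not isinstance(value, dict):
            errors.append(f"{path}: expected object")
            return
        for key, item in value.items():
            if key not in spec:
                errors.append(f"{path}.{key}: unknown field")  # assumption: strict mode
            else:
                check(item, spec[key], f"{path}.{key}", errors)
    # bool is a subclass of int in Python, so reject it explicitly for integer fields
    elif not isinstance(value, spec) or (spec is int and isinstance(value, bool)):
        errors.append(f"{path}: expected {spec.__name__}")

def validate_observation(doc):
    """Return a list of problems; an empty list means the structure matches the table."""
    errors = []
    check(doc, SCHEMA, "$", errors)
    if isinstance(doc, dict):
        if doc.get("type") != "observation":
            errors.append('$.type: must be "observation"')
        if "id" not in doc:   # assumption: id is required
            errors.append("$.id: missing")
    return errors

# Constructed sample; identifiers and the timestamp format are placeholders.
SAMPLE = json.loads("""{"type": "observation", "id": "observation-example-1",
  "external_ids": [{"source": "example-siem", "id": "42"}],
  "structured_markings": [{"controlled_structures": ["$.external_ids"],
                           "marking_refs": ["marking-example-1"]}],
  "observed_at": ["2015-01-01T00:00:00Z"]}""")
```

`validate_observation(SAMPLE)` returns an empty list; a non-empty list names each offending field by its path from the top-level object.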

Relationships

| Relationship Name | Target Type |
|---|---|
| related | attack-pattern, campaign, configuration, course-of-action, exploit, incident, indicator, malicious-infrastructure, kill-chain, kill-chain-phase, malware, observation, persona, report, threat_actor, malicious-tool, victim-targeting, vulnerability, weakness |
| sighted | indicator |
| duplicate-of | observation |
| characterizes | asset |