observeddata

type ObservedData ¶

type ObservedData struct {
	baseobject.CommonObjectProperties
	FirstObserved  string `json:"first_observed,omitempty"`
	LastObserved   string `json:"last_observed,omitempty"`
	NumberObserved int    `json:"number_observed,omitempty"`
	Objects        string `json:"objects,omitempty"`
}

ObservedData - This type implements the STIX 2 Observed Data SDO and defines all of the properties methods needed to create and work with the STIX Observed Data SDO. All of the methods not defined local to this type are inherited from the individual properties.

The following information comes directly from the STIX 2 specification documents.

Observed Data conveys information that was observed on systems and networks using the Cyber Observable specification defined in parts 3 and 4 of this specification. For example, Observed Data can capture the observation of an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply information: this file was seen, without any context for what it means.

Observed Data captures both a single observation of a single entity (file, network connection) as well as the aggregation of multiple observations of an entity. When the number_observed property is 1 the Observed Data is of a single entity. When the number_observed property is greater than 1, the observed data consists of several instances of an entity collected over the time window specified by the first_observed and last_observed properties. When used to collect aggregate data, it is likely that some fields in the Cyber Observable Object (e.g., timestamp fields) will be omitted because they would differ for each of the individual observations.

Observed Data may be used by itself (without relationships) to convey raw data collected from network and host-based detection tools. A firewall could emit a single Observed Data instance containing a single Network Traffic object for each connection it sees. The firewall could also aggregate data and instead send out an Observed Data instance every ten minutes with an IP address and an appropriate number_observed value to indicate the number of times that IP address was observed in that window.

Observed Data may also be related to other SDOs to represent raw data that is relevant to those objects. The Sighting object, which captures the sighting of an Indicator, Malware, or other SDO, uses Observed Data to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active).

func New() *ObservedData

func (o *ObservedData) SetFirstObserved(t interface{}) error

func (o *ObservedData) SetFirstObservedToCurrentTime() error

func (o *ObservedData) SetLastObserved(t interface{}) error

func (o *ObservedData) SetLastObservedToCurrentTime() error

func (o *ObservedData) SetNumberObserved(i int) error

func (o *ObservedData) SetObjects(s string) error