Sightings
Notice
This feature is available in Intel Exchange from release version v3.7.1.0 (Early Access) onwards.
In STIX, a Sighting is a STIX Relationship Object (SRO) that indicates the belief that something in cyber threat intelligence (CTI) was seen. Sighting SROs contain information about when a STIX Domain Object (SDO) was seen, such as when it was first seen and last seen. When Sighting SROs are received from data sources as related objects for an object, you can view their details in the Sightings tab.
The Overview section provides details of all related sightings of an object consolidated from all data sources. The details include:
First Seen: The earliest seen date reported by the sources.
Last Seen: The latest seen date reported by the sources.
Sighting Count: The latest reported sighting count.
TLP: The highest TLP value based on the aggregation of the sources.
Identity Objects: The total count of Identity objects associated with the sightings.
Location Objects: The total count of Location objects associated with the sightings.
Observed Data Objects: The total count of Observed Data objects associated with the sightings.
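The consolidation rules listed above, applied to STIX 2.1 Sighting SROs, as an added example that is not Intel Exchange code. It assumes "latest reported" means the sighting with the newest modified timestamp, "highest TLP" means the most restrictive marking, and Identity and Location objects are counted from where_sighted_refs; the names ts, consolidate and SAMPLE are hypothetical.

```python
from datetime import datetime

# STIX 2.1 predefined TLP marking-definition IDs, least to most restrictive.
TLP_ORDER = [
    ("WHITE", "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"),
    ("GREEN", "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"),
    ("AMBER", "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"),
    ("RED", "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"),
]

def ts(value):
    """Parse a STIX timestamp (RFC 3339 with a UTC 'Z' suffix)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def consolidate(sightings):
    """Roll the Sighting SROs reported for one object into overview fields."""
    if not sightings:
        return None
    rank = {mid: i for i, (_, mid) in enumerate(TLP_ORDER)}
    first = [ts(s["first_seen"]) for s in sightings if "first_seen" in s]
    last = [ts(s["last_seen"]) for s in sightings if "last_seen" in s]
    # Assumption: the "latest reported" count comes from the newest 'modified'.
    newest = max(sightings, key=lambda s: ts(s["modified"]))
    marks = [rank[m] for s in sightings
             for m in s.get("object_marking_refs", []) if m in rank]
    # De-duplicate references so an object shared by two sources counts once.
    refs = {r for s in sightings for r in
            s.get("where_sighted_refs", []) + s.get("observed_data_refs", [])}
    def count(kind):
        return sum(1 for r in refs if r.startswith(kind + "--"))
    return {
        "first_seen": min(first) if first else None,
        "last_seen": max(last) if last else None,
        "sighting_count": newest.get("count"),
        "tlp": TLP_ORDER[max(marks)][0] if marks else None,
        "identity_objects": count("identity"),
        "location_objects": count("location"),
        "observed_data_objects": count("observed-data"),
    }

# Constructed sample: two sources reporting on the same object (shortened IDs).
SAMPLE = [
    {"type": "sighting", "modified": "2024-03-02T09:00:00Z", "count": 7,
     "first_seen": "2024-02-10T00:00:00Z", "last_seen": "2024-02-20T00:00:00Z",
     "object_marking_refs": [TLP_ORDER[1][1]], "observed_data_refs": ["observed-data--01"],
     "where_sighted_refs": ["identity--01", "location--01"]},
    {"type": "sighting", "modified": "2024-03-05T12:00:00Z", "count": 4,
     "first_seen": "2024-01-15T00:00:00Z", "last_seen": "2024-02-18T00:00:00Z",
     "object_marking_refs": [TLP_ORDER[2][1]], "observed_data_refs": ["observed-data--02"],
     "where_sighted_refs": ["identity--01", "identity--02"]},
]
```

Calling consolidate(SAMPLE) shows why the consolidated view can differ from any single source: the dates come from different sightings, while the count follows only the most recently modified one.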
You can view all the sighting objects associated with an object in the Sighting Details section. Expand a sighting to view complete details of the sighting as reported by the source, such as the source name, sighting count, created and modified dates, and details of the associated Identity, Location, and Observed Data objects.
Manage Sightings
You can perform the following activities to manage a list of sightings:
Search sightings based on the title.
Filter sightings based on the sighting ID, object type, and relationship type.
Note
You can use the threat investigation canvas to visualize the related sighting objects, but you cannot add a sighting node in the threat investigation canvas.
You can perform the following activities to manage a sighting object:
View in Threat Data: Opens a list of all related objects in Threat Data in a new tab.
Mark as Revoked: Removes the sighting object from all published STIX collections and re-publishes the STIX collections.
Important
You cannot reverse the revoked status of a sighting object later.
Delete: Deletes the relationship of the sighting with the threat data object.