ObservableTypeCybOX Core Schema

The id field specifies a unique id for this Observable.

The idref field specifies a unique id reference to an Observable defined elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.

The negate field, when set to true, indicates the absence (rather than the presence) of the given Observable in a CybOX pattern.

The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.

The Title field provides a mechanism to specify a short title or description for this Observable.

The Description field provides a mechanism to specify a structured text description of this Observable.

Keywords enables capture of relevant keywords for this cyber observable.

The Observable_Source field is optional and enables descriptive specification of how this Observable was identified and specified.

The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).

The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).

The Observable_Composition construct enables specification of composite observables made up of logical constructions of atomic observables or other composite observables (e.g. Obs5 = (Obs1 OR Obs2) AND (Obs3 OR Obs4)).

Pattern_Fidelity contains elements that enable the characterization of the fidelity of this pattern to its purpose.