From ba18bbf3f3b7fd6e2e1cf0f191706ff791344128 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 30 Jan 2017 22:33:18 +0100 Subject: [PATCH] Created EnhancedSighting (markdown) --- EnhancedSighting.md | 48 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 EnhancedSighting.md diff --git a/EnhancedSighting.md b/EnhancedSighting.md new file mode 100644 index 0000000..68d1457 --- /dev/null +++ b/EnhancedSighting.md 
@@ -0,0 +1,48 @@ +# Enhanced Sighting + +The original version of sighting was basically very minimal (even if this is was already an improvement over the STIX 1.0 sighting). + + +## Current format +~~~ ++---------------+------------+------+-----+---------+----------------+ +| Field | Type | Null | Key | Default | Extra | ++---------------+------------+------+-----+---------+----------------+ +| id | int(11) | NO | PRI | NULL | auto_increment | +| attribute_id | int(11) | NO | MUL | NULL | | +| event_id | int(11) | NO | MUL | NULL | | +| org_id | int(11) | NO | MUL | NULL | | +| date_sighting | bigint(20) | NO | | NULL | | ++---------------+------------+------+-----+---------+----------------+ +~~~ + +## Extended format + +Based on common use-cases, sighting can come from various ```source``` (honeypot, +IDS sensor id, SIEM). ```source``` is an optional free text field assigned by the organisation +to uniquely identify the source of a specific sighting. ```uuid``` has been added +to allow the sharing of the sightings. ```type``` describes the type of sighting +which is by default 0 (the original definition). + +```type``` list: + +- (0) default sighting meaning the referenced attribute has been sighted. +- (1) a false-positive sighting meaning the sighing has been interpreted as a false-positive by the organisation. +- (2) an expiration sighting which defines when the referenced attribute is expired following the defined date_sighting. 
+ +~~~ ++---------------+------------+------+-----+---------+----------------+ +| Field | Type | Null | Key | Default | Extra | ++---------------+------------+------+-----+---------+----------------+ +| id | int(11) | NO | PRI | NULL | auto_increment | +| uuid | varchar(40)| NO | UNI | NULL | | +| attribute_id | int(11) | NO | MUL | NULL | | +| event_id | int(11) | NO | MUL | NULL | | +| org_id | int(11) | NO | MUL | NULL | | +| source | varchar(255)| NO | | NULL | | +| type | int(11) | NO | | 0 | | +| date_sighting | bigint(20) | NO | | NULL | | ++---------------+------------+------+-----+---------+----------------+ +~~~ + +The new fields are ```source```, ```type```, ```uuid```. \ No newline at end of file
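Review bot: the extended-format table contradicts the prose for `source`: the text says `source` "is an optional free text field", but the schema row `| source | varchar(255)| NO | | NULL | |` declares it NOT NULL with a NULL default, so an insert that omits it would be rejected; either allow NULL (`Null = YES`) or give it a non-null default such as an empty string, and document which one callers should expect. Two smaller points in the same hunk: the `type` column is a plain `int(11)` while the text defines only values 0, 1 and 2, so state that unknown values are rejected (or define how they are handled) when a sighting is shared via `uuid`; and the prose has typos ("this is was already", "the sighing has been interpreted"), plus the `varchar(40)` and `varchar(255)` rows are misaligned with the other columns of the ASCII table.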