From 2d04d60354efd57cb85ef379f20757f19c793eb1 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Fri, 12 Apr 2019 12:05:05 +0200
Subject: [PATCH] chg: [glossary] clarification of the observable definition

---
 GLOSSARY.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/GLOSSARY.md b/GLOSSARY.md
index 1995c15..35d1905 100644
--- a/GLOSSARY.md
+++ b/GLOSSARY.md
@@ -40,10 +40,10 @@ Attributes in MISP can be network indicators (e.g. IP address), system indicator
 can be useful for contextualisation only.
 
 ## Observable
-Some other SIEMs or formats (STIX) use the term observable. This is the same as an attribute in MISP-speak.
+Some other SIEMs or formats (STIX) use the term observable. This is the same as an attribute in MISP-speak. Usually an observable is a MISP attribute without the IDS flag set.
 
 ## MISP Event
-MISP events are encapsulations for contextually linked information
+MISP events are encapsulations for contextually related information represented as attribute and object.
 
 ## MISP Extended Events
 MISP can now extend an event (starting from version 2.4.90). This allows users to build full blown events that extend an existing event, giving way to a combined event view that includes a sum total of the event along with all extending events.