Stix Difficulties: Are CybOX <Object> IDs used in STIX?

[terrymacdonald]

PROBLEM

There is some confusion as to whether cybox:Object ID’s are actually useful within STIX. Using the example below:

<cybox:Observables>
    <cybox:Observable id="example:Observable-e8ecf273-4f4d-46f2-834e-9381c30799d5">
        <cybox:Object id="example:Object-8108c0dc-bded-4b0c-b423-8b92ef1d6503">
            <cybox:Properties xsi:type="AddrObj:AddressObjectType" category="ipv4-addr">
                <AddrObj:Address_Value>192.168.1.1</AddrObj:Address_Value>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

Most of the time the Observable is the one being referenced. The Object appears to be a layer that is there to add flexibility to a structure that is already potentially ‘overly’ flexible.
Implementers are required to record and track the cybox:Object IDs, even though they appear to be infrequently used.

POTENTIAL ANSWER

Do we actually require both the CybOX Object and CybOX Observable layers? Can they combined together without too much loss of flexibility? Maybe something closer to the following structure:

<stix:Observation id="example:Observation-fe2c7b98-6e75-462b-b94f-e18024d4f4f0">
    <cybox:Object id="example:Object-8108c0dc-bded-4b0c-b423-8b92ef1d6503">
        <cybox:Properties xsi:type="AddrObj:AddressObjectType" category="ipv4-addr">
            <AddrObj:Address_Value>192.168.1.1</AddrObj:Address_Value>
        </cybox:Properties>
    </cybox:Object>
</stix:Observation>

Observation has an Object that has Properties.

This topic is closely related to section 23 – “Which to use? Indicator Composition, Observable Composition, or referenced Object?”, and should probably be discussed as part of that.