Commit

added info about the start events/tasks
rpiazza authored Jul 16, 2024
1 parent 8616de3 commit 1bc09d1
Showing 1 changed file with 4 additions and 1 deletion.
Expand Up @@ -143,6 +143,8 @@ These values *SHOULD* be selected from the [stixtype]#<<detection-methods-ov,det
|A list of events tied to this incident.
It *MUST* contain references to one or more [stixtype]#<<event, event>># objects.

Events can be grouped into sequences based on the *next_event_refs* property of the relevant [stixtype]#<<event, event>># Event objects. Events that are the first in a sequence are not referenced by any *next_event_refs* property.

|*impact_refs* (optional)
|[stixtype]#{list_url}[list]# of type [stixtype]#{identifier_url}[identifier]#
|A list of the impacts of this incident.
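Review bot: In the sentence added to the events description, "not referenced by any *next_event_refs* property" leaves the scope open: it does not say whether only the events referenced by this incident are considered, or every event object a consumer can see. Suggest stating the scope explicitly, for example "not referenced by the *next_event_refs* property of any other event in this list", so that two consumers derive the same set of starting events. The trailing "Event objects" after the [stixtype]#<<event, event>># link also reads as "event Event objects"; plain "objects" would match the "*MUST* contain references to one or more ... objects" line directly above it.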
Expand Down Expand Up @@ -179,6 +181,7 @@ enumeration.
|A list of tasks tied to this incident.
It *MUST* contain references to one or more [stixtype]#<<task,task>># objects.

Tasks can be grouped into sequences based on the *next_task_refs* property of the relevant [stixtype]#<<task, task>># Event objects. Tasks that are the first in a sequence are not referenced by any *next_task_refs* property.

|===

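Review bot: The added sentence for tasks ends with "the relevant [stixtype]#<<task, task>># Event objects", which looks carried over from the events paragraph; it should read "task objects" or simply "objects". The cross-reference is also written `<<task, task>>` with a space, while the line above it uses `<<task,task>>`; pick one form so the two references in this cell are consistent. As with the events text, consider saying which tasks are in scope for "not referenced by any *next_task_refs* property".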
Expand Down Expand Up @@ -381,7 +384,7 @@ Not all events have goals.
|A list of [stixtype]#{sighting_url}[sighting]# objects that were related to this event.
Sightings referenced in this *SHOULD* be based on [stixtype]#{attack_pattern_url}[attack-pattern]#, [stixtype]#{indicator_url}[indicator]#, or [stixtype]#{malware_url}[malware]# SDOs.

Using the *sighting_refs* property to relate an [stixtype]#<<event,event>># to an SDO is preferred over using an SRO.
The *sighting_refs* property *SHOULD* be used to relate an [stixtype]#<<event,event>># to an SDO, instead of using right an SRO.

In some cases observed data may be present, but no [stixtype]#{indicator_url}[indicator]# can be created.
In these cases it is recommended to use an [stixtype]#{attack_pattern_url}[attack-pattern]# using the name or description of the behavior or rule that triggered the sighting.
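Review bot: The replacement sentence contains a stray word, "instead of using right an SRO"; it should read "instead of using an SRO". The rewording also moves the statement from "is preferred" to a normative *SHOULD*, which changes the requirement level rather than just the phrasing, and the commit message only mentions start events/tasks; call the change out there or split it into its own commit.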