SYNchroACK
commented
11 months ago An example of Scenario 3
Open SYNchroACK opened 11 months ago
SYNchroACK
commented
11 months ago An example of Scenario 3
adulau
commented
11 months ago It's a complex topic and highly depending of the STIX 2.1 standard itself. It's indeed the case for some use-cases and but some other with specific patterns which are clearly exclusive. @chrisr3d has some clever ideas to improve that.
Is your feature request related to a problem? Please describe.
I believe observable objects must be created regardless of the
to_idsflag and only whento_idsflag is enabled, an indicator should also be generated and a relationship between the indicator and the originated observable objects.Describe the solution you'd like
An attribute, even those whithin an object, should originate an observable, independently of the
to_idsflag.An attribute with
to_idsflag enabled and which do not belong to an object, should originate an indicator and also a relationship between that indicator and the observable.An attribute with
to_idsflag enabled and which belongs to an object, should contribute to a new indicator and in the end, that indicator should have a relationship between that indicator and the observable.Scenario 1
Single attribute with
to_idsflag disabled.MISP Event:
STIX Bundle:
Scenario 2
Object with multiple attributes with
to_idsflag disabled.MISP Event:
STIX Bundle:
Scenario 3
Single attribute with
to_idsflag enabled.MISP Event:
STIX Bundle:
Scenario 4
Object with multiple attributes with
to_idsflag enabled.MISP Event:
STIX Bundle:
Scenario 5
Object with multiple attributes where some has
to_idsflag enabled.MISP Event:
STIX Bundle:
to_idsflag was disabled)Describe alternatives you've considered
No response
Additional context
No response
Code of Conduct