OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

malware analyses are not compliant with Stix norm 2.1 when containing a `sample` reference to domain name, URL and hostname observables #3538

Open tomibennett opened 1 year ago

tomibennett commented 1 year ago

Description

As of today in OpenCTI, malware analyses can be run on more observables than supported by the STIX norm. Those observables are:

When exporting analyses run on one of those observables, the reference is contained in the same field (i.e. sample_ref) as those supported by the norm.

This is correct:

{
 "id": "malware-analysis--9a037eec-c0b6-560c-89a8-7207637c9d74",
 "spec_version": "2.1",
 "revoked": false,
 "confidence": 75,
 "created": "2023-06-16T12:53:01.522Z",
 "modified": "2023-06-16T12:53:01.522Z",
 "product": "ma network",
 "result_name": "ma network",
 "submitted": "2023-06-15T22:00:00.000Z",
 "x_opencti_id": "d9cf369d-a711-41dd-9989-2d4ee23ac80d",
 "type": "malware-analysis",
 "sample_ref": "network-traffic--cd64a357-98d7-54df-bd89-405e7e5b84bd"
}

sample_ref value is an id to a network traffic (which is supported by the norm).

This is not:

{
 "id": "malware-analysis--525db614-32d4-56f6-9864-7978e7d029ae",
 "spec_version": "2.1",
 "revoked": false,
 "confidence": 75,
 "created": "2023-06-16T13:00:05.290Z",
 "modified": "2023-06-16T13:00:05.290Z",
 "product": "ma domain",
 "result_name": "ma domain",
 "submitted": "2023-06-15T22:00:00.000Z",
 "x_opencti_id": "766bb6c6-6360-4fc4-a068-b86f7c6e56d2",
 "type": "malware-analysis",
 "sample_ref": "domain-name--52a689b8-627d-5d37-8785-c3b96727f750"
}

sample_ref value is an id to a domain name (which is unsupported by the norm).

Reproducible Steps

  1. create a malware analysis
  2. reference a domain name (or a hostname, or a URL) with the sample relation
  3. export it

Expected Output

Stix norm supports a field named extensions. Making use of it could be a solution.
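A small checker for the constraint this issue describes, added here as an example and not OpenCTI's own code: it flags a malware-analysis object whose sample_ref points at anything other than an artifact, file or network-traffic object (the three types STIX 2.1 section 4.6 permits), and it demonstrates the extensions-based workaround suggested above by moving a non-compliant reference into a property extension. The extension-definition id and the `sample_ref` key inside the extension are placeholders (a real deployment would register its own extension definition), and the sample bundle is constructed from the two objects quoted in the issue.

```python
"""Validate STIX 2.1 malware-analysis objects and demonstrate the extension workaround."""
import json
import re
from typing import Any, Optional

# STIX 2.1 section 4.6 (Malware Analysis): the object referenced by
# sample_ref MUST be of type artifact, file or network-traffic.
ALLOWED_SAMPLE_TYPES = frozenset({"artifact", "file", "network-traffic"})

# Placeholder id (assumption): a real deployment registers its own
# extension-definition object and uses that id here.
EXTENSION_ID = "extension-definition--00000000-0000-4000-8000-000000000000"

# STIX identifier: <object-type>--<UUID>
_ID_RE = re.compile(
    r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$"
)


def ref_type(identifier: str) -> Optional[str]:
    """Return the object type encoded in a STIX identifier, or None if malformed."""
    m = _ID_RE.match(identifier)
    return m.group(1) if m else None


def check_malware_analysis(obj: dict) -> list:
    """Return the spec violations found in one malware-analysis object (empty if clean)."""
    problems = []
    if obj.get("type") != "malware-analysis":
        problems.append("not a malware-analysis object")
        return problems
    sample_ref = obj.get("sample_ref")
    if sample_ref is None:
        return problems  # sample_ref is optional in STIX 2.1
    kind = ref_type(sample_ref)
    if kind is None:
        problems.append(f"sample_ref is not a valid STIX identifier: {sample_ref}")
    elif kind not in ALLOWED_SAMPLE_TYPES:
        problems.append(
            f"sample_ref points at a {kind}; STIX 2.1 only allows "
            + ", ".join(sorted(ALLOWED_SAMPLE_TYPES))
        )
    return problems


def move_unsupported_sample_ref(obj: dict) -> dict:
    """Return a copy in which a non-compliant sample_ref is moved into a property extension.

    Compliant objects are returned unchanged, so the function is safe to run over a whole bundle.
    """
    fixed = dict(obj)
    sample_ref = fixed.get("sample_ref")
    if sample_ref is not None and ref_type(sample_ref) not in ALLOWED_SAMPLE_TYPES:
        del fixed["sample_ref"]
        extensions = dict(fixed.get("extensions", {}))
        extensions[EXTENSION_ID] = {
            "extension_type": "property-extension",
            "sample_ref": sample_ref,  # placeholder property name inside the extension
        }
        fixed["extensions"] = extensions
    return fixed


def check_bundle(bundle_json: str) -> dict:
    """Map every malware-analysis id in a STIX bundle to its list of problems."""
    bundle = json.loads(bundle_json)
    return {
        o["id"]: check_malware_analysis(o)
        for o in bundle.get("objects", [])
        if o.get("type") == "malware-analysis"
    }


# Constructed sample input: the two objects quoted in the issue, wrapped in a bundle.
NETWORK_ANALYSIS: dict[str, Any] = {
    "id": "malware-analysis--9a037eec-c0b6-560c-89a8-7207637c9d74",
    "spec_version": "2.1",
    "type": "malware-analysis",
    "product": "ma network",
    "sample_ref": "network-traffic--cd64a357-98d7-54df-bd89-405e7e5b84bd",
}
DOMAIN_ANALYSIS: dict[str, Any] = {
    "id": "malware-analysis--525db614-32d4-56f6-9864-7978e7d029ae",
    "spec_version": "2.1",
    "type": "malware-analysis",
    "product": "ma domain",
    "sample_ref": "domain-name--52a689b8-627d-5d37-8785-c3b96727f750",
}
SAMPLE_BUNDLE = json.dumps(
    {"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
     "objects": [NETWORK_ANALYSIS, DOMAIN_ANALYSIS]}
)

if __name__ == "__main__":
    for obj_id, problems in check_bundle(SAMPLE_BUNDLE).items():
        print(obj_id, "OK" if not problems else problems)
    print(json.dumps(move_unsupported_sample_ref(DOMAIN_ANALYSIS), indent=1))
```

Running the script reports the network-traffic analysis as clean and the domain-name analysis as a violation, then prints the domain-name analysis with its reference relocated under `extensions`, which is the shape the issue's "Expected Output" suggests; a consumer that does not know the extension still sees a spec-valid object.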

SamuelHassine commented 1 year ago

Turning this into a feature as it is not critical for the moment to have more object types supported in the sample_ref than the standard. Should be indeed addressed in extensions later.