As of today in OpenCTI, malware analyses can be run on more observables than the STIX standard supports. Those observables are:
domain name
hostname
url
When exporting analyses run on one of those observables, the reference is placed in the same field (i.e. sample_ref) as the one used for the observable types the standard supports.
Turning this into a feature as it is not critical for the moment to have more object types supported in the sample_ref than the standard. Should indeed be addressed in extensions later.
Description
This is correct: the sample_ref value is the id of a network traffic object (which the standard supports).
This is not: the sample_ref value is the id of a domain name (which the standard does not support).
Reproducible Steps
sample
relation
Expected Output
The STIX standard supports a field named extensions. Making use of it could be a solution.
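As an added illustration (not OpenCTI's own code), the check below flags an exported malware-analysis whose sample_ref points at a type outside the standard, and relocates that reference into a property extension as the Expected Output suggests. The allowed-type set (artifact, file, network-traffic) is taken from STIX 2.1 as assumed here; the extension id and the sample objects are constructed placeholders.

```python
import re

# STIX 2.1 object types a malware-analysis sample_ref may point to (assumed from the
# spec; the issue itself only names network-traffic as supported, domain-name as not).
ALLOWED_SAMPLE_TYPES = {"artifact", "file", "network-traffic"}

# Constructed placeholder id for a hypothetical property extension (not an OpenCTI id).
EXT_ID = "extension-definition--00000000-0000-4000-8000-000000000001"


def ref_type(ref):
    """Return the object type encoded in a STIX id ('domain-name--<uuid>' -> 'domain-name')."""
    m = re.fullmatch(r"([a-z0-9-]+)--[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", ref)
    if not m:
        raise ValueError(f"not a STIX identifier: {ref!r}")
    return m.group(1)


def sample_ref_is_standard(analysis):
    """True if sample_ref is absent or references a type the standard allows."""
    ref = analysis.get("sample_ref")
    return ref is None or ref_type(ref) in ALLOWED_SAMPLE_TYPES


def relocate_sample_ref(analysis):
    """Move a non-standard sample_ref into a property extension; standard ones are untouched."""
    if sample_ref_is_standard(analysis):
        return analysis
    fixed = dict(analysis)
    ref = fixed.pop("sample_ref")
    extensions = dict(fixed.get("extensions", {}))
    extensions[EXT_ID] = {"extension_type": "property-extension", "sample_ref": ref}
    fixed["extensions"] = extensions
    return fixed


# Constructed exports mirroring the two cases in the issue (ids are made up).
GOOD_EXPORT = {
    "type": "malware-analysis",
    "id": "malware-analysis--11111111-1111-4111-8111-111111111111",
    "sample_ref": "network-traffic--22222222-2222-4222-8222-222222222222",
}
BAD_EXPORT = {
    "type": "malware-analysis",
    "id": "malware-analysis--33333333-3333-4333-8333-333333333333",
    "sample_ref": "domain-name--44444444-4444-4444-8444-444444444444",
}
```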