If you have an Indicator, and you wish to send that out in a manner that matches best practice, you are encouraged to use a TTP, even if that TTP does not add that much value. In addition one requires either a TTP or Incident in most cases to connect an Indicator to other things. As mentioned above in section 21, it may be worth investigating if this does actually need to be the case. It may be worth creating more flexibility in the relationships that are allowed within STIX.
POTENTIAL ANSWER
This may be more of a tooling problem or ‘best practice’ recommendation problem than actually a problem with STIX.
Please see section “21. Relationships are constrained to limited Objects within STIX” above.
PROBLEM
If you have an Indicator, and you wish to send that out in a manner that matches best practice, you are encouraged to use a TTP, even if that TTP does not add that much value. In addition one requires either a TTP or Incident in most cases to connect an Indicator to other things. As mentioned above in section 21, it may be worth investigating if this does actually need to be the case. It may be worth creating more flexibility in the relationships that are allowed within STIX.
POTENTIAL ANSWER
This may be more of a tooling problem or ‘best practice’ recommendation problem than actually a problem with STIX.
Please see section “21. Relationships are constrained to limited Objects within STIX” above.