Closed aryabharat closed 8 months ago
Hi @aryabharat,
I wrote the slider years ago, and haven't used STIX 1 in ages - so in order to help you, can you send me what you think the "correct" XML would be? Why isn't this what you want?
type="URL"
Hi @rpiazza, thanks for a quick response:
The response should contain a property type in the cyboxCommon:Property field. In the given case:
`
Hi @rpiazza Created a PR for the same, Please check. https://github.com/oasis-open/cti-stix-slider/pull/66
@aryabharat - I've looked into this - it does appear to be necessary, but I'm not sure why. Do you have any insight? What doesn't work if you don't have type="URL"?
@rpiazza So type is an optional field in STIX 1.x cybox:Properties.
The issue we faced was while getting polled by a QRadar server: the URL indicators were not getting passed if they didn't have a type in the cybox:Properties field in the case of 1.x polling.
Can you sign the CLA?
@rpiazza Already signed. Please let me know if something else is needed.
Please look at https://github.com/oasis-open/cti-stix-slider/pull/66. It doesn't appear to be signed...
@rpiazza The CLA is signed.
Given a STIX 2.1 bundle, upon converting it to STIX 1.x, the final XML is missing type="URL" in the cybox:Properties property. This is observed in the case of an indicator with a URL.
Example:
```json
{
  "type": "bundle",
  "id": "bundle--a9d9a0c5-8e15-42b8-9795-45f32a003161",
  "objects": [
    {
      "type": "marking-definition",
      "spec_version": "2.1",
      "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "name": "TLP:AMBER",
      "definition": {
        "tlp": "amber"
      }
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f9ca508e-3b75-4d25-955a-e3f150974691",
      "created": "2024-01-10T22:08:13.811Z",
      "modified": "2024-01-10T22:08:14.811Z",
      "name": "aklab3.com/favicon.ico",
      "indicator_types": [
        "anomalous-activity"
      ],
      "pattern": "[url:value = 'aklab3.com/favicon.ico']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "valid_from": "2024-01-10T22:08:10.07Z",
      "valid_until": "2024-01-17T22:08:10.07Z",
      "labels": [
        "Recently Reported Spam or Unwanted Content",
        "Recently Detected Malware Distribution",
        "Historically Reported Spam or Unwanted Content",
        "Historically Detected Malware Distribution"
      ],
      "confidence": 65,
      "object_marking_refs": [
        "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
      ],
      "x_ctix_confidence_score": 25
    }
  ]
}
```
</stix:STIX_Package>\n`
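
A check for the condition reported in this issue, as an added example that is not part of the thread or of the stix-slider code: it scans STIX 1.x XML for URI objects whose `cybox:Properties` element has no `type` attribute, so a feed can be verified before a consumer polls it. The function name and the sample document are constructed for illustration; the namespace URIs are the standard CybOX 2 ones.

```python
import xml.etree.ElementTree as ET

CYBOX = "http://cybox.mitre.org/cybox-2"
URIOBJ = "http://cybox.mitre.org/objects#URIObject-2"
XSI = "http://www.w3.org/2001/XMLSchema-instance"


def uri_properties_missing_type(xml_text):
    """Return the URIObj:Value text of every URI object whose
    cybox:Properties element carries no `type` attribute."""
    # Intended for XML you generated yourself; for documents received from
    # third parties, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    missing = []
    for props in root.iter(f"{{{CYBOX}}}Properties"):
        xsi_type = props.get(f"{{{XSI}}}type", "")
        # xsi:type is a prefixed QName; only its local part is compared
        # (assumption: no other object type is named URIObjectType).
        if xsi_type.rpartition(":")[2] != "URIObjectType":
            continue
        if props.get("type"):
            continue  # e.g. type="URL" is present
        value = props.find(f"{{{URIOBJ}}}Value")
        text = value.text if value is not None and value.text else ""
        missing.append(text.strip())
    return missing


# Constructed sample: one URI object with type="URL", one without.
SAMPLE = """\
<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <cybox:Observable><cybox:Object>
    <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
      <URIObj:Value condition="Equals">typed.example/a</URIObj:Value>
    </cybox:Properties>
  </cybox:Object></cybox:Observable>
  <cybox:Observable><cybox:Object>
    <cybox:Properties xsi:type="URIObj:URIObjectType">
      <URIObj:Value condition="Equals">untyped.example/b</URIObj:Value>
    </cybox:Properties>
  </cybox:Object></cybox:Observable>
</cybox:Observables>"""

if __name__ == "__main__":
    for url in uri_properties_missing_type(SAMPLE):
        print("URI object without type attribute:", url)
```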