When a stix-shifter connector's "to_stix_map" doesn't use an object name in a mapping, those objects could be silently dropped by async translate/ingest. This happens e.g. with qradar's software:name mapping.
You can tell by inspecting the DB (in this case PostgreSQL but also happens with sqlite3):
From this example you can see that firepit recorded a software:name column (meaning it was in the native qradar data passed into the translate function) which means there should be a software table with id and name columns, but listing the tables in the database shows that software is missing.
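A lint for the condition described above, as an added example that is not part of the original report or of the stix-shifter or firepit code: it lists `to_stix_map` entries that carry no `"object"` name. The sample map is constructed, and the entry layout (`"key"`, `"object"`, `"cybox"`) is assumed from the usual `to_stix_map` JSON format.

```python
import json

# Constructed sample in the general shape of a stix-shifter to_stix_map:
# data source field -> one mapping entry or a list of them (assumed layout).
SAMPLE_TO_STIX_MAP = json.loads("""
{
  "sourceip": [
    {"key": "ipv4-addr.value", "object": "src_ip"},
    {"key": "network-traffic.src_ref", "object": "nt", "references": "src_ip"}
  ],
  "applicationname": {"key": "software.name"},
  "starttime": {"key": "first_observed", "cybox": false},
  "filename": [
    {"key": "file.name", "object": "file"},
    {"key": "process.name"}
  ]
}
""")


def mappings_without_object(to_stix_map):
    """Return sorted (field, key) pairs for observable mappings lacking "object"."""
    findings = []
    for field, entries in to_stix_map.items():
        if isinstance(entries, dict):
            entries = [entries]
        for entry in entries:
            if not isinstance(entry, dict) or "key" not in entry:
                continue  # other shapes are out of scope for this check
            if entry.get("cybox", True) is False:
                continue  # observed-data property, not an observable object
            if not entry.get("object"):
                findings.append((field, entry["key"]))
    return sorted(findings)


def affected_object_types(findings):
    """Object types (text before the first '.') whose tables may go missing."""
    return sorted({key.split(".", 1)[0] for _, key in findings})


if __name__ == "__main__":
    found = mappings_without_object(SAMPLE_TO_STIX_MAP)
    for field, key in found:
        print(f"{field}: {key} has no object name")
    print("types at risk:", ", ".join(affected_object_types(found)))
```

Running it against a connector's mapping file before ingest gives the list of object types to look for when comparing recorded columns with the tables actually present in the database.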