eiyuki
commented
5 years ago The Intrusion set is currently related to the report object that forms the "root" of the Playbook. It is also included in the object_refs field for each report object in the Playbook.
Using Oilrig as an example:
{
"type": "relationship",
"id": "relationship--af2cb8e5-5d1c-4964-bfe1-75ebc90f8627",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-10-16T14:05:19.334Z",
"relationship_type": "attributed-to",
"source_ref": "report--af2cb8e5-5d1c-4964-bfe1-75ebc90f8627",
"target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b"
}There are currently no relationships between the intrusion set and each of the campaigns.
However, this is an inconsistency in the Playbooks, and I am making changes that will add a relationship between each of the campaigns and the intrusion set in the Playbook.
You can consider each campaign in the Playbook related (attributed-to) the intrusion set. Once the Playbooks are regenerated there will be relationship objects similar to
{
"type": "relationship",
"id": "relationship--uuid4",
"created": "",
"modified": "",
"relationship_type": "attributed-to",
"source_ref": "campaign-uuid4",
"target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b"
}It will take me a few days to make these changes and regenerate all of the Playbooks.
Hope this helps and let us know if you have any additional questions.
I will also update the docs located here
HamptonJ
I am ingesting all of your bundles as threat intelligence and I noticed that its never explicitly stated which campaigns are attributable to which intrusion sets. There isn't a relationship object that connects the two. Is this intentionally left out? Or is it something that could be added? Thanks!