Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: Observables and Indicators are not mutually exclusive #50

Open
1 task done
SYNchroACK opened this issue Oct 3, 2023 · 2 comments
Open
1 task done

Feature Request: Observables and Indicators are not mutually exclusive #50

SYNchroACK opened this issue Oct 3, 2023 · 2 comments

Comments

@SYNchroACK
Copy link
Contributor

Is your feature request related to a problem? Please describe.

I believe observable objects must be created regardless of the to_ids flag and only when to_ids flag is enabled, an indicator should also be generated and a relationship between the indicator and the originated observable objects.

Describe the solution you'd like

An attribute, even those whithin an object, should originate an observable, independently of the to_ids flag.

An attribute with to_ids flag enabled and which do not belong to an object, should originate an indicator and also a relationship between that indicator and the observable.

An attribute with to_ids flag enabled and which belongs to an object, should contribute to a new indicator and in the end, that indicator should have a relationship between that indicator and the observable.

Scenario 1

Single attribute with to_ids flag disabled.

MISP Event:

  • attribute1

STIX Bundle:

  • observable1

Scenario 2

Object with multiple attributes with to_ids flag disabled.

MISP Event:

  • object1[attribute1, attribute2]

STIX Bundle:

  • observable1
  • observable2

Scenario 3

Single attribute with to_ids flag enabled.

MISP Event:

  • attribute1

STIX Bundle:

  • observable1
  • indicator1
  • relationship1

Scenario 4

Object with multiple attributes with to_ids flag enabled.

MISP Event:

  • object1[attribute1, attribute2]

STIX Bundle:

  • observable1
  • observable2
  • indicator1
  • relationship-observable1-indicator1
  • relationship-observable2-indicator1

Scenario 5

Object with multiple attributes where some has to_ids flag enabled.

MISP Event:

  • object1[attribute1, attribute2, attribute3]

STIX Bundle:

  • observable1
  • observable2 (to_ids flag was disabled)
  • observable3
  • indicator1
  • relationship-observable1-indicator1
  • relationship-observable3-indicator1

Describe alternatives you've considered

No response

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@SYNchroACK
Copy link
Contributor Author

An example of Scenario 3

image

@adulau
Copy link
Member

adulau commented Oct 12, 2023

It's a complex topic and highly depending of the STIX 2.1 standard itself. It's indeed the case for some use-cases and but some other with specific patterns which are clearly exclusive. @chrisr3d has some clever ideas to improve that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@adulau @SYNchroACK