opencybersecurityalliance/stix-shifter

Some connectors are using the cybox:false flag in the to-STIX mapping incorrectly

delliott90 opened this issue · 3 comments

Describe the bug
I'm seeing improper use of the cybox:false flag in athena, cloud watch logs, splunk, and palo alto connectors. Setting the cybox:false flag on a mapping will put that property in the outer level of the observed-data object. Only created, modified, first_observed, last_observed, and number_observed should go here. All other custom properties should go under their respective SCOs.

Expected behavior
Any custom properties should go under their respective SCO.

I think the key is unnecessary entirely; you could parse the mapping and see that there's no object type specified (e.g. first_observed is a property name with no object type and dot before it). No object type implies "cybox": false

Yeah, this would be a good opportunity to change the results translation logic so it's not even needed.
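As an added example, not code from the stix-shifter project, the following Python works through both the bug report above and the suggestion in the comments. It uses a constructed to-STIX mapping written in the style of the project's mapping files (key / object / references / cybox), a constructed sample record, and three helper names that are assumptions of this example: find_cybox_false_misuse flags cybox:false set on anything other than the five observed-data properties, translate places properties by the inference proposed in the comments (a key with no "type." prefix is a top-level observed-data property, so the flag is never consulted), and top_level_violations shows that a bare custom key such as x_event_name still lands at the outer level unless the mapping is corrected to put it under its SCO.

```python
"""Added example (not stix-shifter's own code): a simplified to-STIX mapping
translator and lint showing where cybox:false puts a property."""

# The only properties that belong at the outer level of an observed-data object.
OBSERVED_DATA_PROPS = {"created", "modified", "first_observed",
                       "last_observed", "number_observed"}

# Constructed sample mapping in the style of a to_stix_map.json entry.
# The "eventname" entry is the misuse described in the issue.
SAMPLE_MAPPING = {
    "sourceaddress": [
        {"key": "ipv4-addr.value", "object": "src_ip"},
        {"key": "network-traffic.src_ref", "object": "nt", "references": "src_ip"},
    ],
    "starttime": {"key": "first_observed", "cybox": False},
    "eventname": {"key": "x_event_name", "cybox": False},
}

# Corrected mapping: the custom property is attached to its SCO instead.
FIXED_MAPPING = dict(SAMPLE_MAPPING)
FIXED_MAPPING["eventname"] = {"key": "network-traffic.x_event_name", "object": "nt"}

# Constructed sample record from a hypothetical data source.
SAMPLE_RECORD = {
    "sourceaddress": "10.0.0.5",
    "starttime": "2021-01-01T00:00:00.000Z",
    "eventname": "Login",
}


def _entries(mapping):
    """Yield (source_field, spec) pairs; a source field may map to one spec or a list."""
    for source_field, spec in mapping.items():
        for s in (spec if isinstance(spec, list) else [spec]):
            yield source_field, s


def find_cybox_false_misuse(mapping):
    """Lint: (source_field, key) pairs where cybox:false is set on a key that is
    not an allowed observed-data property."""
    return [(f, s["key"]) for f, s in _entries(mapping)
            if s.get("cybox") is False and s["key"] not in OBSERVED_DATA_PROPS]


def is_top_level(spec):
    """Inference from the thread: no 'type.' prefix means the property belongs to
    observed-data itself, so the cybox flag is redundant and ignored here."""
    return "." not in spec["key"]


def translate(record, mapping):
    """Build a simplified observed-data object: prefixed keys go into SCOs under
    'objects' (grouped by the mapping's 'object' name), bare keys go to the top."""
    observed = {"type": "observed-data", "objects": {}}
    obj_index = {}   # mapping 'object' name -> index string under 'objects'
    pending_refs = []  # (sco_index, property, referenced object name)
    for source_field, spec in _entries(mapping):
        if source_field not in record:
            continue
        value = record[source_field]
        if is_top_level(spec):
            observed[spec["key"]] = value
            continue
        sco_type, prop = spec["key"].split(".", 1)
        idx = obj_index.setdefault(spec["object"], str(len(obj_index)))
        sco = observed["objects"].setdefault(idx, {"type": sco_type})
        if "references" in spec:
            pending_refs.append((idx, prop, spec["references"]))
        else:
            sco[prop] = value
    # Resolve *_ref properties once every referenced object has an index.
    for idx, prop, target in pending_refs:
        observed["objects"][idx][prop] = obj_index[target]
    return observed


def top_level_violations(observed):
    """Outer-level keys of an observed-data object that are not permitted there."""
    return sorted(k for k in observed
                  if k not in {"type", "objects"} and k not in OBSERVED_DATA_PROPS)


if __name__ == "__main__":
    print("lint:", find_cybox_false_misuse(SAMPLE_MAPPING))
    print("buggy:", top_level_violations(translate(SAMPLE_RECORD, SAMPLE_MAPPING)))
    print("fixed:", top_level_violations(translate(SAMPLE_RECORD, FIXED_MAPPING)))
```

Running the lint over a connector's real to_stix_map.json with find_cybox_false_misuse is the quick way to spot the entries the issue describes; the translate/top_level_violations pair shows that dropping the flag in favour of the prefix inference only removes the redundant key, while a bare custom key still has to be re-homed under its SCO.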

Closed via #1502