
Some connectors are using the cybox:false flag in the to-STIX mapping incorrectly #1432

Closed
delliott90 opened this issue Apr 19, 2023 · 3 comments

Comments

@delliott90 (Collaborator)

Describe the bug
I'm seeing improper use of the cybox:false flag in athena, cloud watch logs, splunk, and palo alto connectors. Setting the cybox: false flag on a mapping will put that property in the outer level of the observed-data object. Only created, modified, first_observed, last_observed, and number_observed should go here. All other custom properties should go under their respective SCOs.

Expected behavior
Any custom properties should go under their respective SCO.

@pcoccoli (Contributor)

I think the key is unnecessary entirely; you could parse the mapping and see that there's no object type specified (e.g. first_observed is a property name with no object type and dot before it). No object type implies "cybox": false.
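The placement rule in the two comments above (a dotless key belongs on the observed-data wrapper, a key with an object-type prefix belongs under that SCO, and only created, modified, first_observed, last_observed and number_observed are legitimate at the top level) can be checked mechanically. The following is an added Python example, not stix-shifter's own translation code. It assumes a simplified to-STIX mapping shape (a data-source field mapped to a dict with a STIX `key`, an optional `object` label and an optional `cybox` flag); the mapping, the record and the `objects` keyed by label rather than the project's numeric indices are all constructed for illustration.

```python
"""Added example: decide where a mapped property lands in observed-data and
lint a to-STIX mapping for misuse of the cybox:false flag.

The mapping shape is a simplified assumption modelled on a to_stix_map.json
entry; it is not stix-shifter's own code.
"""

# Properties that legitimately live on the observed-data object itself
# (the list given in the issue description).
OBSERVED_DATA_PROPERTIES = {
    "created", "modified", "first_observed", "last_observed", "number_observed",
}


def is_observed_data_key(stix_key: str) -> bool:
    """A key with no object-type prefix (no dot) targets the observed-data wrapper."""
    return "." not in stix_key


def split_key(stix_key: str):
    """'ipv4-addr.value' -> ('ipv4-addr', 'value')."""
    obj_type, _, prop = stix_key.partition(".")
    return obj_type, prop


def _entries(mapping_value):
    # A field may map to one entry or a list of entries.
    return mapping_value if isinstance(mapping_value, list) else [mapping_value]


def lint_mapping(to_stix_map):
    """Return (source_field, stix_key, problem) tuples for questionable entries."""
    findings = []
    for source_field, mapping_value in to_stix_map.items():
        for entry in _entries(mapping_value):
            key = entry["key"]
            cybox = entry.get("cybox", True)
            if is_observed_data_key(key):
                if key not in OBSERVED_DATA_PROPERTIES:
                    findings.append((source_field, key,
                                     "custom property would land on observed-data; "
                                     "it should live under an SCO"))
                elif cybox is False:
                    findings.append((source_field, key,
                                     "cybox:false is redundant; the dotless key already "
                                     "implies observed-data placement"))
            elif cybox is False:
                findings.append((source_field, key,
                                 "cybox:false contradicts the key's object-type prefix"))
    return findings


def translate_record(record, to_stix_map):
    """Build a minimal observed-data skeleton using only the key shape for placement."""
    observed = {"type": "observed-data", "objects": {}}
    for source_field, value in record.items():
        if source_field not in to_stix_map:
            continue
        for entry in _entries(to_stix_map[source_field]):
            key = entry["key"]
            if is_observed_data_key(key):
                observed[key] = value
            else:
                obj_type, prop = split_key(key)
                label = entry.get("object", obj_type)  # constructed: label-keyed objects
                sco = observed["objects"].setdefault(label, {"type": obj_type})
                sco[prop] = value
    return observed


# Constructed sample mapping: two correct entries and two misuses of cybox:false.
SAMPLE_MAP = {
    "eventTime": {"key": "first_observed"},
    "srcIp": {"key": "ipv4-addr.value", "object": "src_ip"},
    "eventCount": {"key": "x_event_count", "cybox": False},
    "dstIp": {"key": "ipv4-addr.value", "object": "dst_ip", "cybox": False},
}

# Constructed sample record.
SAMPLE_RECORD = {"eventTime": "2023-04-19T00:00:00Z", "srcIp": "10.0.0.1"}


if __name__ == "__main__":
    for finding in lint_mapping(SAMPLE_MAP):
        print("lint:", finding)
    print(translate_record(SAMPLE_RECORD, SAMPLE_MAP))
```

Running the linter over the sample mapping flags `eventCount` (a custom property that would be written onto observed-data) and `dstIp` (the flag contradicts the `ipv4-addr.` prefix), while `eventTime` and `srcIp` pass; the translation step never consults the flag at all, which is the point of the suggestion above.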

@delliott90 (Collaborator, Author)

Yeah, this would be a good opportunity to change the results translation logic so it's not even needed.

@delliott90 (Collaborator, Author)

Closed via #1502
