cti-comment message

Subject: Using relationships in Intrusion Set and Indicator objects


Hello,

I am working on a project that involves using STIX to represent threat intelligence. I have a couple of questions regarding the usage of relationships:

1. Should I connect an SCO directly to an Intrusion Set object? According to section 5.5 in the STIX Best Practices document, one should use an Infrastructure object to connect an SCO to an object that is a part of the offensive or defensive activity of an attack. Does it also apply to connecting an SCO to an Intrusion Set?

For example, my research contains three objects: An Intrusion Set named APT0, an Infrastructure of APT0's C2 servers, and an IP address of one of the C2 servers.
Which option should I use to represent my knowledge? (The two options are attached to this email)

If the second option is not recommended, is there another recommended way in which an analyst can easily understand whether an SCO is part of an intrusion set?


2. I am using various public databases to actively enrich new SCOs based on their common properties.
I want to create an object representing the query I should run in a particular database. I thought about using an Indicator object for this, but I am unsure of how I should make a relationship between an Indicator object and its corresponding database. For example, if all the C2s in my research are open on port 12345 TCP, I would search for new servers using Shodan or Censys. How can I define that this particular indicator needs to be queried on Censys or Shodan?

Thank you in advance,



Attachment: second_option.png
Description: PNG image

Attachment: first_option.png
Description: PNG image
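The Intrusion Set to Infrastructure to SCO chain asked about in the first question, as an added example that is not part of the original message: plain STIX 2.1 JSON dicts (no stix2 library) plus a small resolver that walks `uses` and `consists-of` relationships backwards so an analyst can see which intrusion set an observable belongs to. The relationship types are the ones the STIX 2.1 specification defines for these object types; all ids, the infrastructure name, the timestamp and the address are constructed.

```python
import json
from collections import defaultdict

TS = "2024-01-01T00:00:00.000Z"  # constructed timestamp

def sdo(obj_type, uuid, **props):
    """Build a STIX Domain Object with the common required fields (ids are constructed)."""
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid}",
            "created": TS, "modified": TS, **props}

def relationship(uuid, rel_type, source, target):
    """Build a STIX Relationship Object from source to target."""
    return sdo("relationship", uuid, relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])

# Constructed objects: APT0 (from the question), its C2 infrastructure, one C2 address.
intrusion_set = sdo("intrusion-set", "11111111-1111-4111-8111-111111111111", name="APT0")
infrastructure = sdo("infrastructure", "22222222-2222-4222-8222-222222222222",
                     name="APT0 C2 servers", infrastructure_types=["command-and-control"])
ip = {"type": "ipv4-addr", "spec_version": "2.1",
      "id": "ipv4-addr--33333333-3333-4333-8333-333333333333",
      "value": "203.0.113.10"}  # RFC 5737 documentation address, constructed

# Intrusion Set --uses--> Infrastructure --consists-of--> SCO (STIX 2.1 relationship types)
rel_uses = relationship("44444444-4444-4444-8444-444444444444", "uses", intrusion_set, infrastructure)
rel_consists = relationship("55555555-5555-4555-8555-555555555555", "consists-of", infrastructure, ip)

BUNDLE = {"type": "bundle", "id": "bundle--66666666-6666-4666-8666-666666666666",
          "objects": [intrusion_set, infrastructure, ip, rel_uses, rel_consists]}

def intrusion_sets_for_sco(bundle, sco_id):
    """Return names of intrusion sets reachable from an SCO by following inbound
    consists-of/uses edges through any chain of Infrastructure objects."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    inbound = defaultdict(list)  # target_ref -> [(relationship_type, source_ref)]
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            inbound[o["target_ref"]].append((o["relationship_type"], o["source_ref"]))
    names, seen, stack = set(), set(), [sco_id]
    while stack:
        cur = stack.pop()
        if cur in seen:  # guards against relationship cycles
            continue
        seen.add(cur)
        for rel_type, src in inbound[cur]:
            src_obj = by_id.get(src, {})
            if src_obj.get("type") == "intrusion-set" and rel_type == "uses":
                names.add(src_obj["name"])
            elif src_obj.get("type") == "infrastructure" and rel_type in ("consists-of", "uses"):
                stack.append(src)  # nested infrastructure: keep walking upwards
    return sorted(names)

if __name__ == "__main__":
    print(json.dumps(BUNDLE, indent=2))
    print(intrusion_sets_for_sco(BUNDLE, ip["id"]))  # ['APT0']
```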