Re: [cti-users] Correct use of "resolves-to" SROs

[Matthew Conway <mconway@hashicorp.com>]

I'm using the OpenCTI platform, which models everything using STIX 2.1, and I'd like to enrich suspicious lookalike domains in it to better understand the infrastructure behind them. I'm building an active DNS enrichment connector for the platform that will resolve NS, A, CNAME, MX, and TXT records then create SCOs related to the root domain, and enble observation of changes as time passes. It makes sense to me to use a "resolves-to" SRO for the A and CNAME records, but I'm less sure if "resolves-to" or "related-to" is the correct choice for NS and MX.

Thanks for the reply!

On Fri, Apr 14, 2023 at 11:08âAM Trey Darley <trey@kingfisherops.com> wrote:

Thatâs an interesting question you pose, Matthew. Could you please elaborate on whatâs the real-world scenario youâre trying to represent within the STIX data model? Cheers, Trey On Fri, Apr 14, 2023, at 19:â54, Matthew Conway wrote:âAre there

ZjQcmQRYFpfptBannerStart

This Message Is From an Untrusted Sender

You have not previously corresponded with this sender.

Â

ZjQcmQRYFpfptBannerEnd

Thatâs an interesting question you pose, Matthew. Could you please elaborate on whatâs the real-world scenario youâre trying to represent within the STIX data model?

Cheers,

Trey

On Fri, Apr 14, 2023, at 19:54, Matthew Conway wrote:

Are there any soft constraints in STIX on what a "resolves-to" relationship should be used for? Representing an "A" record makes total sense, where a Domain Name resolves-to an IPv4 Address.

I'm wondering whether it's more correct to represent a relationship between a Domain Name and its nameservers, or even mail servers, with a related-to or resolves-to relationship.

Matthew