Hi,
I have a question regarding the functionality of Indicator objects.
I am not sure in which cases I should use SCO objects and in which cases I should use Indicator objects.
For example, I used the example of Infrastructure object from STIX 2.1 documentation (infrastructure.json). In this case, two ipv4 objects and a malware object are related to the infrastructure object.Â
Can I express the same relationship using an Indicator object? For example, I created two indicator objects that contain ipv4 addresses as their patterning properties (indicator1.json). I created a relationship between these objects to the malware object. Does this relationship represent the same concept as the relationships in infrastructure.json?
Are there any other rules to help me understand when I should use Indicator objects and when should I use SCO objects?
Thank you in advance,