Hello,
I'm working on a Python parser that parses email messages (i.e. phishing) and transforms them to STIX 2.0 format.
In STIX 1.2 I used to create an indicator with the body of the mail as description and the email address and subject as CybOX objects nested in the indicator.
In STIX 2.0 I wonder what the best way to store a mail message is.
Right now I've created an indicator object:
indicator_email_object = stix2.Indicator(
    name="Email Indicator",
    created=mail_date_stix2,
    modified=mail_date_stix2,
    description=campaign_name,
    labels=["malicious-activity"],
    pattern="[email-message:date = '" + mail_date_stix2 + "'] AND [email-message:from_ref.value ='" + attacker_mail + "']",
    object_marking_refs=[marking_def_white]
)
And I store the data as the pattern.
Is this the right way to proceed? Or should I create an ObservedData object with 2 objects of type email-addr and email-message and link it to an indicator?
Thanks to anyone willing to help,
Regards,
Giampaolo
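
The two representations the question compares, as an added example that is not part of the original post: it uses only the Python standard library and builds plain STIX 2.0 JSON dictionaries instead of calling the stix2 package. The sample message and the names stix_ts, quote and email_to_stix are constructed for illustration; the pattern keeps both comparisons in one observation expression, uses a timestamp literal for the date, and escapes quotes in the sender address.

```python
import uuid
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message, not taken from the original post.
RAW = """From: "Support" <o'brien@phish.example>
To: victim@corp.example
Subject: Reset your password
Date: Tue, 06 Mar 2018 10:15:00 +0100

Click the link below.
"""

def stix_ts(dt):
    """UTC timestamp with millisecond precision, as STIX 2.0 expects."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)

def quote(value):
    """STIX pattern string literal: escape backslashes and single quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def email_to_stix(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1]
    date = stix_ts(parsedate_to_datetime(msg["Date"]))
    # Both comparisons sit in one observation expression (same message).
    pattern = ("[email-message:date = t'%s' AND "
               "email-message:from_ref.value = %s]" % (date, quote(sender)))
    indicator = {
        "type": "indicator", "id": "indicator--" + str(uuid.uuid4()),
        "created": date, "modified": date, "valid_from": date,
        "labels": ["malicious-activity"], "pattern": pattern,
    }
    observed = {
        "type": "observed-data", "id": "observed-data--" + str(uuid.uuid4()),
        "created": date, "modified": date,
        "first_observed": date, "last_observed": date, "number_observed": 1,
        "objects": {
            "0": {"type": "email-addr", "value": sender},
            "1": {"type": "email-message", "is_multipart": msg.is_multipart(),
                  "date": date, "subject": msg["Subject"], "from_ref": "0"},
        },
    }
    return indicator, observed
```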