As an example, this search:
// Look up a single STIX indicator by its id and return it without any
// attribute whose name begins with "_" (this covers ArangoDB's system
// attributes such as _key, _id and _rev, plus any other underscore-prefixed
// fields stored on the document).
//
// The id is hard-coded here for the example. If it is supplied by a caller,
// pass it as a bind parameter (e.g. @id) rather than concatenating it into
// the query string.
FOR stixObj IN nvd_cve_vertex_collection
  // Both conditions must hold; two FILTER statements are equivalent to AND.
  FILTER stixObj.type == "indicator"
  FILTER stixObj.id == "indicator--b21c7330-80ba-599f-bf45-00beb875a678"
  // Collect the attribute names that do not start with an underscore.
  LET publicAttrs = (
    FOR attrName IN ATTRIBUTES(stixObj)
      FILTER NOT STARTS_WITH(attrName, "_")
      RETURN attrName
  )
  // Each match is wrapped in its own one-element array, so the overall
  // result is an array of arrays.
  RETURN [KEEP(stixObj, publicAttrs)]
Returns results like:
[
[
{
"created": "2005-05-18T04:00:00.000Z",
"created_by_ref": "identity--562918ee-d5da-5579-b6a1-fae50cc6bad3",
"description": "YusASP Web Asset Manager 1.0 allows remote attackers to gain privileges via a direct request to assetmanager.asp.",
"external_references": [
{
"source_name": "cve",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1668",
"external_id": "CVE-2005-1668"
}
],
"id": "indicator--b21c7330-80ba-599f-bf45-00beb875a678",
"indicator_types": [
"compromised"
],
"modified": "2024-01-25T21:03:34.380Z",
"name": "CVE-2005-1668",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
],
"pattern": "([(software:cpe='cpe:2.3:a:yusasp:web_asset_manager:1.0:*:*:*:*:*:*:*')])",
"pattern_type": "stix",
"pattern_version": "2.1",
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2005-05-18T04:00:00Z"
}
]
]
However, I want to wrap the results in a single STIX bundle, e.g.:
{
"type": "bundle",
"id": "bundle--<UUIDv4>",
"objects": [
"<LIST OF STIX OBJECTS THAT MATCH QUERY>"
]
}
Is this possible to do in an ArangoDB query?