I see Infrastructure objects exist for a post. I want to search through posts to retrieve all those with a specific infrastructure (e.g. underground forums). Is this possible today?
Hi @0101001001001 – no, this is not possible as it stands today due to the way these objects are created.
I’ve added it to our backlog to fix. You can track it here:
opened 06:54AM - 06 Jan 26 UTC
enhancement
The extractions listed below are relevant between posts, i.e. a malware name is relevant to many posts.
As such, to improve search, we should use a uuid for:
ai_tool
ai_threat_actor
ai_malware
ai_intrusion_set
ai_infrastructure
ai_identity
ai_course_of_action
ai_campaign
ai_attack_pattern
lookup_attack_pattern
lookup_campaign
lookup_course_of_action
lookup_identity
lookup_infrastructure
lookup_intrusion_set
lookup_malware
lookup_threat_actor
lookup_tool
The problem with this comes down to created, modified and created_by_ref.
These all change depending on time of input and whether a custom ID was used (it is in Obstracts and Stixify).
We should therefore default back to the txt2stix created_by_ref identity for these objects, and also always set the dates to 2020-01-01.
This will ensure that on Obstracts and Stixify all these objects will always be the same, and thus only one copy will ever exist.
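The deterministic-identifier scheme the issue proposes, as an added example that is not txt2stix, Obstracts or Stixify code: it builds minimal STIX 2.1 objects for the extraction types listed above with a namespace UUIDv5 id, the fixed 2020-01-01 dates and a fixed creator identity, then shows that repeated ingestion of the same name collapses to one copy, while ingest-time ids and dates produce duplicates. The namespace UUID, the identity id and the sample names are constructed assumptions, not values from the page.

```python
import uuid
from datetime import datetime, timezone

# Assumption: a fixed namespace for extraction ids. The page gives no value, so this
# is a constructed placeholder, not the namespace txt2stix actually uses.
EXTRACTION_NAMESPACE = uuid.UUID("4fa55af1-5b43-4e4e-9a6a-0a3a7d6c2b11")
# Assumption: a fixed creator identity standing in for the txt2stix identity object.
TXT2STIX_IDENTITY = f"identity--{uuid.uuid5(EXTRACTION_NAMESPACE, 'txt2stix')}"
FIXED_TIMESTAMP = "2020-01-01T00:00:00.000Z"  # the fixed date from the issue


def make_extraction(stix_type: str, name: str, *, stable: bool = True) -> dict:
    """Minimal STIX 2.1 SDO for one extraction (e.g. infrastructure, malware).
    stable=True uses uuidv5(namespace, type:name), fixed dates and a fixed creator;
    stable=False reproduces the problem: random id, ingest-time dates, any creator."""
    if stable:
        obj_uuid = uuid.uuid5(EXTRACTION_NAMESPACE, f"{stix_type}:{name}")
        timestamp = FIXED_TIMESTAMP
        created_by_ref = TXT2STIX_IDENTITY
    else:
        obj_uuid = uuid.uuid4()
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
        created_by_ref = f"identity--{uuid.uuid4()}"  # whichever identity the tool used
    return {
        "type": stix_type,
        "spec_version": "2.1",
        "id": f"{stix_type}--{obj_uuid}",
        "created": timestamp,
        "modified": timestamp,
        "created_by_ref": created_by_ref,
        "name": name,
    }


def ingest(extractions: list, *, stable: bool) -> dict:
    """Feed (type, name) extractions from several posts/files into one store,
    keeping one object per id, as a search index over posts would."""
    store: dict = {}
    for stix_type, name in extractions:
        obj = make_extraction(stix_type, name, stable=stable)
        store.setdefault(obj["id"], obj)  # identical ids collapse to a single copy
    return store


# Constructed sample: two Obstracts posts and one Stixify file mention the same names.
SAMPLE_EXTRACTIONS = [
    ("infrastructure", "underground forums"),  # post 1
    ("infrastructure", "underground forums"),  # post 2, same name again
    ("malware", "ExampleLoader"),              # file 1 (constructed malware name)
]
```

With stable ids the store ends up with one infrastructure and one malware object, so a search for "underground forums" resolves to a single id shared by both posts; with ingest-time values every post yields its own copy.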