Hi team - I'm running into an issue with artifacts that have a marking definition (like TLP AMBER etc). I think the object_marking_refs aren't being set properly in the Bundle. There appears to only be an instance of the marking definition but nothing that later defines the marking definition.
I don't know if it's a problem with how the cic-misp is calling the Bundle() method or something within the package that Bundle is pulled from.
The bundles I see look like this:
```json
{
  "type": "bundle",
  "id": "bundle--18a616c2-23a3-4b33-930e-e1ecd2a30ebb",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "indicator",
      "id": "indicator--40e7601c-543f-4859-975a-3414a6839fda",
      "created_by_ref": "identity--e4051f6a-5df8-423d-acbd-80b1e61a32ed",
      "created": "2022-05-31T13:28:58.835Z",
      "modified": "2022-05-31T13:28:58.835Z",
      "name": "domain: paggy.parmsplace.com",
      "pattern": "[domain-name:value = 'paggy.parmsplace.com']",
      "valid_from": "2022-05-31T13:28:57.179721Z",
      "labels": [
        "anomalous-activity",
        "SocGholish",
        "Fake Updates"
      ],
      "object_marking_refs": [
        "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
      ]
    },
    {
      "type": "report",
      "id": "report--f2cd7539-da11-4b73-96a6-bb8b225a0cfe",
      "created": "2022-06-01T15:04:00.626Z",
      "modified": "2022-06-01T15:04:00.626Z",
      "name": "domain: paggy.parmsplace.com",
      "published": "2022-05-31T13:28:58.835Z",
      "object_refs": [
        "indicator--40e7601c-543f-4859-975a-3414a6839fda"
      ],
      "labels": [
        "indicator"
      ]
    }
  ]
}
```
But the samples I see that work look like this (note the presence of another section that defines the marking definition):
```json
{
  "type": "bundle",
  "id": "bundle--dbe491fe-6faf-4125-b019-d8938bc0294d",
  "objects": [
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--611d9d41-dba5-4e13-9b29-e22488058ffc",
      "created": "2017-04-14T13:07:49.812Z",
      "modified": "2017-04-14T13:07:49.812Z",
      "name": "Stark Industries",
      "identity_class": "organization",
      "sectors": [
        "defense"
      ],
      "contact_information": "info@stark.com"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
      "created_by_ref": "identity--611d9d41-dba5-4e13-9b29-e22488058ffc",
      "created": "2017-04-14T13:07:49.812Z",
      "modified": "2017-04-14T13:07:49.812Z",
      "name": "Known malicious IP Address",
      "description": "Detected malicious activity from this address",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[ipv4-addr:value = '10.0.0.0']",
      "pattern_type": "stix",
      "valid_from": "2017-04-14T13:07:49.812Z",
      "object_marking_refs": [
        "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
        "marking-definition--d81f86b9-975b-4c0b-875e-810c5ad45a4f"
      ]
    },
    {
      "type": "marking-definition",
      "spec_version": "2.1",
      "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "name": "TLP:AMBER",
      "definition": {
        "tlp": "amber"
      }
    },
    {
      "type": "marking-definition",
      "spec_version": "2.1",
      "id": "marking-definition--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
      "created": "2017-04-14T13:07:49.812Z",
      "definition_type": "statement",
      "definition": {
        "statement": "Copyright (c) Stark Industries 2017."
      }
    }
  ]
}
```
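Added example, not part of the original report and not cic-misp code: a standard-library Python check that lists `object_marking_refs` (and granular `marking_ref`) values with no matching `marking-definition` object in the same bundle, plus a helper that embeds a known definition. The function names and the sample bundle are assumptions constructed for illustration; the TLP:AMBER object is copied from the working sample above.

```python
import json

# TLP:AMBER definition as it appears in the working sample quoted in the report.
TLP_AMBER = {
    "type": "marking-definition",
    "spec_version": "2.1",
    "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "created": "2017-01-20T00:00:00.000Z",
    "definition_type": "tlp",
    "name": "TLP:AMBER",
    "definition": {"tlp": "amber"},
}

# Constructed sample (not real data): an indicator that references TLP:AMBER in a
# bundle that carries no marking-definition object, as in the failing bundle.
SAMPLE_BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
 "objects": [{"type": "indicator",
              "id": "indicator--00000000-0000-4000-8000-000000000001",
              "pattern": "[domain-name:value = 'example.com']",
              "object_marking_refs":
                ["marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"]}]}
""")

def unresolved_marking_refs(bundle):
    """Map each marking id that is referenced but not defined in the bundle
    to the ids of the objects that reference it."""
    objects = bundle.get("objects", [])
    defined = {o["id"] for o in objects if o.get("type") == "marking-definition"}
    missing = {}
    for obj in objects:
        refs = list(obj.get("object_marking_refs", []))
        # Granular markings point at definitions through marking_ref.
        refs += [g["marking_ref"] for g in obj.get("granular_markings", [])
                 if "marking_ref" in g]
        for ref in refs:
            if ref not in defined:
                missing.setdefault(ref, []).append(obj["id"])
    return missing

def embed_known_markings(bundle, known):
    """Return a copy of the bundle with a definition appended for every
    unresolved reference found in `known` (a dict of id -> definition)."""
    extra = [known[r] for r in unresolved_marking_refs(bundle) if r in known]
    return dict(bundle, objects=list(bundle.get("objects", [])) + extra)

if __name__ == "__main__":
    print(unresolved_marking_refs(SAMPLE_BUNDLE))
    fixed = embed_known_markings(SAMPLE_BUNDLE, {TLP_AMBER["id"]: TLP_AMBER})
    print(unresolved_marking_refs(fixed))  # {} once the definition is embedded
```

Running the check on a bundle before it is pushed shows which objects carry a marking reference that the receiving side would have to resolve from somewhere other than the bundle itself.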