Thank you reddit (u/broadexample) – updated version of my STIX feed

A few days ago u/broadexample pointed out that our free STIX feed was doing it wrong: “You’re creating everything as Indicator, not as IPv4Address linked to Indicator via STIX Relationship hierarchy. This works when you use just this feed alone, but for everyone using multiple feeds it would be much less useful.” They were right. We were creating flat Indicator objects instead of proper STIX 2.1 hierarchy with SCOs and Relationships. Fixed it today.

New V2 endpoint with:

– IPv4Address SCOs with deterministic UUIDs (uuid5 for cross-feed deduplication)
– Relationship objects linking Indicator → SCO (“based-on”)
– Malware SDOs for 10 families (Stealc, LummaC2, Cobalt Strike, etc.)
– Relationship objects linking Indicator → Malware (“indicates”)

Should actually work properly in OpenCTI now.

V2 endpoint: https://analytics.dugganusa.com/api/v1/stix-feed/v2

V1 still works if you just need IOC lists: https://analytics.dugganusa.com/api/v1/stix-feed

Full writeup: https://www.dugganusa.com/post/stix-v2-reddit-feedback-opencti-ready

Thanks for the feedback. This is why we post here – you catch the stuff we miss.

submitted by /u/Clear_Ask9073
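The hierarchy the post describes (IPv4Address SCO with a spec-defined uuid5 id, Indicator linked to it by "based-on", and to a Malware SDO by "indicates"), built in plain Python as an added example; this is not the feed's own code. The SCO namespace UUID is the one fixed by the STIX 2.1 spec; the feed namespace, sample address and timestamp are constructed assumptions.

```python
import json
import uuid

# Namespace the STIX 2.1 spec fixes for deterministic SCO ids (section 2.9 of the spec).
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# Constructed feed-local namespace so Indicator/Malware ids stay stable across runs (assumption).
FEED_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "example-feed.invalid")
SPEC = "2.1"


def ipv4_sco(value):
    """IPv4Address SCO: id is uuid5 over the canonical JSON of its id-contributing property."""
    key = json.dumps({"value": value}, separators=(",", ":"), sort_keys=True)
    return {"type": "ipv4-addr", "spec_version": SPEC,
            "id": f"ipv4-addr--{uuid.uuid5(STIX_SCO_NAMESPACE, key)}", "value": value}


def malware_sdo(name, created):
    """Malware SDO for a family; stable id so repeated feed pulls merge in OpenCTI."""
    return {"type": "malware", "spec_version": SPEC,
            "id": f"malware--{uuid.uuid5(FEED_NAMESPACE, 'malware:' + name)}",
            "created": created, "modified": created, "name": name, "is_family": True}


def indicator_sdo(value, created):
    """Indicator carrying the STIX pattern that matches the observable."""
    return {"type": "indicator", "spec_version": SPEC,
            "id": f"indicator--{uuid.uuid5(FEED_NAMESPACE, 'indicator:' + value)}",
            "created": created, "modified": created,
            "pattern": f"[ipv4-addr:value = '{value}']", "pattern_type": "stix",
            "valid_from": created}


def relationship(src, tgt, rel_type, created):
    """SRO from src to tgt; id derived from the triple so it deduplicates too."""
    rid = uuid.uuid5(FEED_NAMESPACE, f"{rel_type}:{src['id']}:{tgt['id']}")
    return {"type": "relationship", "spec_version": SPEC, "id": f"relationship--{rid}",
            "created": created, "modified": created, "relationship_type": rel_type,
            "source_ref": src["id"], "target_ref": tgt["id"]}


def build_bundle(ip, family, created):
    """Indicator -based-on-> IPv4Address SCO and Indicator -indicates-> Malware, in one bundle."""
    sco, mal, ind = ipv4_sco(ip), malware_sdo(family, created), indicator_sdo(ip, created)
    objs = [sco, mal, ind, relationship(ind, sco, "based-on", created),
            relationship(ind, mal, "indicates", created)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}


if __name__ == "__main__":
    # Constructed sample: a TEST-NET-3 address tagged with one of the families the post names.
    print(json.dumps(build_bundle("203.0.113.10", "LummaC2", "2024-01-01T00:00:00.000Z"), indent=2))
```

Two feeds that both emit `ipv4-addr` SCOs this way produce identical ids for the same address, which is what lets a consumer merge them.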