1 comment

[ 3.4 ms ] story [ 13.8 ms ] thread
There are some really interesting aspects to this if you are trying to match Stix records:

1. The repo uses transitive rules, so for example, where a course of action mitigiates a malware, then the overall object mitigates the mmalware, or a piece of data uses a course of action, then the whole object uses that action. This is interesting to see in action

2. Data is held uniquely, so each ip address, or hash is only stored once, and all records that use that value are linked to it, making it easy to find linkages between different stix records

Pretty useful stuff