Link IOC, Malware, Vulnerability, and Asset Nodes to Attack Flow #154

@KadeMorton

Description

What it is

Integrate existing data from Thread into corresponding STIX SDOs within Attack Flows, enriching flow steps with additional context.

Why it matters

  • Provides rich, actionable data (indicators, malware, vulnerabilities) alongside actions.
  • Improves interoperability with downstream tools.

Requirements

  • For each FlowNode:
    • Reuse existing IOCs to generate attack-asset nodes
    • Link CVEs to vulnerability SDOs + related-to relationships
    • Map malware/tool mentions to STIX malware or tool SDOs
  • Reference all entities via asset_refs from parent attack-action.
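An added example of the requirements above, not code from Thread or Attack Flow: it builds one attack-action and wraps each IOC, CVE and malware mention in the STIX 2.1 and Attack Flow objects the list describes, then checks that every reference resolves. Function names, the sample values and the extension-definition id are assumptions (stdlib only, no stix2 dependency).

```python
import uuid
from datetime import datetime, timezone

# Assumed Attack Flow extension-definition id; verify against the published spec.
ATTACK_FLOW_EXT = "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"

def _sdo(stix_type, **props):
    """Minimal STIX 2.1 object; Attack Flow types carry the extension marker."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    obj = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--{uuid.uuid4()}", "created": now, "modified": now}
    if stix_type.startswith("attack-"):
        obj["extensions"] = {ATTACK_FLOW_EXT: {"extension_type": "new-sdo"}}
    obj.update(props)
    return obj

def build_action(name, technique_id, iocs=(), cves=(), malware=()):
    """Return the STIX objects for one attack-action plus its linked entities."""
    objs, assets, rels = [], [], []
    action = _sdo("attack-action", name=name, technique_id=technique_id)
    # IOCs -> indicator SDOs (STIX patterns), CVEs -> vulnerability SDOs, malware -> malware SDOs
    for pattern in iocs:
        objs.append(_sdo("indicator", name=pattern, pattern=pattern,
                         pattern_type="stix", valid_from=action["created"]))
    for cve in cves:
        vuln = _sdo("vulnerability", name=cve,
                    external_references=[{"source_name": "cve", "external_id": cve}])
        objs.append(vuln)
        # related-to relationship from the parent action to the vulnerability
        rels.append(_sdo("relationship", relationship_type="related-to",
                         source_ref=action["id"], target_ref=vuln["id"]))
    for family in malware:
        objs.append(_sdo("malware", name=family, is_family=True))
    # Wrap every entity in an attack-asset and reference it via asset_refs on the action
    for entity in objs:
        assets.append(_sdo("attack-asset", name=entity["name"], object_ref=entity["id"]))
    action["asset_refs"] = [a["id"] for a in assets]
    return [action, *assets, *objs, *rels]

def check_flow(objects):
    """Acceptance check: each asset_ref is a resolvable attack-asset, each relationship is valid."""
    by_id = {o["id"]: o for o in objects}
    for action in (o for o in objects if o["type"] == "attack-action"):
        for ref in action.get("asset_refs", []):
            asset = by_id.get(ref)
            if not asset or asset["type"] != "attack-asset" or asset["object_ref"] not in by_id:
                return False
    for rel in (o for o in objects if o["type"] == "relationship"):
        if by_id.get(rel["source_ref"], {}).get("type") != "attack-action":
            return False
        if rel["target_ref"] not in by_id:
            return False
    return True
```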

Acceptance Criteria

  • IOCs, malware, CVEs, and tools are included in the flow export.
  • Relationships are valid and reference the correct parent attack-action.
  • Assets are properly typed and linked using STIX format.
