In Splice, IOCs are labelled with names such as "domain", "email", etc. How are these labels derived from the STIX packages? Is there a specific field in the STIX XML that is used as the label name?
This is a grammar I arbitrarily defined based on STIX Objects. For example, ipv4-addr, ipv4-net, etc. are all types of information you can find in a log line, and on the other side you have to match them to CybOX objects like Address Objects (https://cybox.mitre.org/language/version2.1/xsddocs/objects/Address_Object.html).
In short, those types are Splice internal types and you have all of them listed in the PDF embedded in the App.