Get all campaigns that use specific software/malware.
This is a reverse lookup: Software → Campaigns.
Args:
software_stix_id: Software STIX UUID identifier (e.g., 'malware--UUID', 'tool--UUID').
domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
include_description: Whether to include campaign descriptions.
Returns:
{
"software": {
"attack_id": "SXXXX or similar" | null,
"name": "<software name or null>",
"stix_id": "<software STIX ID>",
"type": "<malware|tool|...> or null",
"description": "<text or null>",
} | null,
"count": <number of campaigns>,
"campaigns": [
{
"attack_id": "CXXXX" | null,
"name": "<campaign name>",
"stix_id": "<campaign--UUID>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "<type>",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of campaigns>",
"message": "<status summary>"
}