The idea behind this object is to provide a unique form to identify network artifacts.
It's a mix of different including whois, URL and domain.
The need for a consolidated object comes to group correlated elements.
Beyond that, I'm introducing the idea to use the correlation feature in more generic ways.
Example:
The value of "threat-actor-infrastructure-value" is the unique value observed on a network resource that identify it. A practical and tested example is this resources from Kaspesky.
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
On this article they mention a trojan family called Javali. They recover the C2 server abusing Google Docs services. The mentioned field "threat-actor-infrastructure-value" would register the values available on this image. This item should be hard to correlate with other similar items, as this can change frequently.
A way to change it is also to register a more general pattern of the data with the "threat-actor-infrastructure-pattern". I.E
inicio{
"host":"<variable>",
"porta":"<variable>"
}fim
With other investigations and registry of it on MISP, is possible to correlate this data, facilitate identification of patterns used for tracking purposes and facilitate analysis.