Hi,

A few notes on it. (And #1: I could be wrong, as I still have not reviewed all of the spec. #2: I'm not saying/arguing for changes for now.)

- One would note the similarities between Malware and Tool (Malware being a Tool, and both of them being Software).
- One would note the similarities between Threat Actor and Victim Target (which is fine). And so, interestingly, one could envision a decomposition with a common model into Organisation/Person Group/Person.
- Regarding Source: from the previous STIX version, Information_Source is either an Identity (Person/Organisation) or a Tool. (Maybe an "is_tool" concept is needed there.) As a use case scenario: CTI data could be exchanged M2M without human interaction. And/or knowing that 'this piece of information' is coming from Tool X would be useful if I (as an Organisation or Threat Analyst) have a high level of confidence/trust in this tool (or, on the contrary, know that this beta Tool Y is not so reliable yet).
- The common properties/attributes identified in grey are interesting from an implementation point of view (if interested, see the CREATIONOBJECT and CHANGERECORD objects in XORCISM).

Thanks again
Best regards

2016-07-13 5:23 GMT+03:00 Jerome Athias <athiasjerome@gmail.com>:

Useful. Thanks for that!

On Wednesday, 13 July 2016, Jordan, Bret <bret.jordan@bluecoat.com> wrote:

All,

I made a diagram to help you visualize all of the SDOs and the fields / properties of each one. I have also included a red letter R if the field is required. You can find the most current version always on my github site, here:

https://github.com/freetaxii/stix2-graphics/tree/master/diagrams

Thanks,
Bret

Bret Jordan CISSP
Director of Security Architecture and Standards
Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."