Some things to clean up on the next editing pass…
· Part 2:
  o Attack pattern example: external_reference should have an external_id property
  o Too nit-picky? The create time of the malware in the coa example is after the create time of the relationship that refers to it
  o Same example: the malware object has a “relationship_type” property, not a “name” property
  o 2016-01-201T17:00:00Z in the report example has a 3 digit day
  o Probably too late to fix, but the threat-actor example is pretty skimpy
· Part 4
  o home_dir in unix-account-ext isn't a ref to a directory object, but just a string
  o the x509 extension is named inconsistently: most other extensions are "foo_ext", this one is 'x509-v3-extensions-type'
  o In the x509-certificate properties table, there is no entry for extension, even though it has one.
  o Timestamp in pe-binary-file needs a trailing Z
  o Windows-service-ext example should have service_name, not display_name
  o In the x509 example, validity_not_before and validity_not_after are after subject – but that is not the order in the table. No big deal – but examples usually follow the order in the table. Same for the