One thing that is implicit in this email is that observed data needs to change to address a lot of use cases.
What is being discussed is how best to do that. Each has its pros and cons. We are also trying to ensure that we do not add a temporary fix that we have to revisit again in 6-12 months.
Bret
Sent from my Commodore 64
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
On Oct 30, 2018, at 6:49 AM, Kelley, Sarah E. <skelley@mitre.org> wrote:
All,
Today on the working call we'll be discussing the 1` option that was discussed at the F2F in NYC. For those not in attendance, there was a proposal to redesign the STIX data model and make observables top level objects (known as option 1`).
A second proposal was made to just modify observed data and use that instead (option 7). The two options have been modeled here: (https://docs.google.com/document/d/1puPuKVWNSelrWH05yu9It99OuqQGdYo_Et0nmZKAZz8/edit) for various use cases.
Please join us to make this conversation productive and successful.
Thanks,
Sarah Kelley
Lead Cybersecurity Engineer, T8B2
Defensive Operations
The MITRE Corporation
703-983-6242
skelley@mitre.org