OASIS Mailing List Archives

 



cti message



Subject: Please review and suggest improvements to the Best Practice document


Hi All,

 

In the last few working group Tuesday meetings, we have been reviewing various documents, including the Best Practice document (https://docs.google.com/document/d/1Az8_zLgYMTcLOeKBqIpheBH1YwXX-Zt6/). The plan is to publish the Best Practices guide as a committee note in the near future.

 

We would like as many committee members as possible to review this document before it is published, as it will be seen by the greater community as the TC’s thoughts on best practices, and hopefully, will be followed, which will help with interoperability.

 

There are several parts of the guide that could use special attention, and possible additional best practices defined:

 

  • There are no best practices for the Malware Analysis SDO.
  • The property number_observed on Observed Data and the property count on Sightings are related to counts.  The difference between them and how to use them is discussed in the STIX specification in section 5.2.1, but stating best practices explicitly would be useful.
  • There are probably more best practices related to patterns (see section 7.2), especially related to the use of the OR operator.

 

All the best,

 

                Rich

 

--

Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation

781-271-3760

 


 

 

 


