Deprecate MAEC Bundle (as output format) #104
Comments
|
It would also make sense to consider deprecating the concept of the MAEC Bundle (i.e. as a "Findings_Bundle" on a Malware Subject), as this may be an unnecessary layer of abstraction on the data contained in a Bundle. Instead, it would be useful to promote the data currently contained in a Bundle directly to the Malware Subject level. E.g., before we would have
With this simplification, we would have:
This would ease part of the conceptual burden with regards to understanding the MAEC data model, and more directly link analytical findings to a Malware_Subject. Accordingly, we'd then need to modify the Analysis to reference such findings directly (instead of the entire Bundle as before), which would permit more granular analytical findings to be described. For example, it would allow you to capture the fact that two Analyses found the same Action, something which wasn't possible before with the old Bundle approach. |
|
added proposal placeholder. |
Given that the MAEC Package is used almost exclusively as "the" container for MAEC data, it's probably worth considering deprecating the MAEC Bundle as a separate output format. This would simplify the MAEC Bundle by removing certain fields intended for use only when the Bundle was used by itself, and also generally simplify the usage of MAEC by having only a single supported output format. Accordingly, the essential datatypes in the MAEC Bundle would be maintained, only the ability of the MAEC Bundle to be used in a standalone capacity would be removed.
The text was updated successfully, but these errors were encountered: