Paul Agbabian
Coming in late on this one but consumers like Splunk are also Mappers, which is closer to Producers. Both Producer and Mapper personae populate the classes and structure. Analyst personae...
I believe customer_uid was a metadata attribute rather than a base event attribute.
I believe the issue is that Caption is not considered a discrete value, or token, for example in a switch statement. If we want to have dual-mode enums (integers...
reference to original data has the naming convention of `ref_`. I can see it maybe could be used outside of Malware; however, if we are considering it to be a...
Are you suggesting that we have an array of String tuples for tactics? Since we are assuming there is only one technique (both uid and String form) per Attack object...
If we look at the MITRE Enterprise matrix in their portal, they display names but when you hover over them, the tip shows the TA# or the T#. They are...
I see this similarly but with different details. An OCSF producer must send a consistent ID and may send an associated name. A consumer can expect to receive an ID...
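The two rules discussed above, dual-mode enums where the integer `_id` is the discrete value and the caption is a sibling string, and ATT&CK references where the producer must send a consistent uid and may send a name, are illustrated by the following validator. This is an added example, not OCSF's own validation code or anything from the schema repository; it uses the OCSF attribute names `severity_id`/`severity`, `technique`, `tactics`, `uid` and `name`, but the lookup tables, the sample attack object and the helper functions (`check_enum`, `check_attack`, `resolve_names`) are constructed here for illustration.

```python
"""Consumer-side checks for OCSF dual-mode enums and ATT&CK references.

Added example; not the schema project's code. Lookup tables are constructed
stand-ins for what a real consumer would load from the ATT&CK STIX bundle.
"""
import re

# Constructed lookup tables for the example (hypothetical subset of ATT&CK).
TECHNIQUE_NAMES = {
    "T1059": "Command and Scripting Interpreter",
    "T1059.001": "PowerShell",
    "T1566": "Phishing",
}
TACTIC_NAMES = {"TA0001": "Initial Access", "TA0002": "Execution"}

# Shape of ATT&CK identifiers: techniques T####(.###), tactics TA####.
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")
TACTIC_RE = re.compile(r"^TA\d{4}$")

# OCSF severity_id enum: the integer is the canonical value, the caption a sibling.
SEVERITY = {0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
            4: "High", 5: "Critical", 6: "Fatal", 99: "Other"}


def check_enum(obj, attr, enum=SEVERITY):
    """Dual-mode enum rule: `<attr>_id` is required and must be an enum integer;
    the `<attr>` caption is optional and, when present, must match that id.
    Consumers switch on the integer; the caption is never the token."""
    errors = []
    uid = obj.get(f"{attr}_id")
    caption = obj.get(attr)
    if not isinstance(uid, int) or uid not in enum:
        errors.append(f"{attr}_id missing or not an enum value: {uid!r}")
    elif caption is not None and uid != 99 and caption != enum[uid]:
        errors.append(f"{attr} caption {caption!r} does not match {attr}_id {uid}")
    return errors


def _check_ref(ref, pattern, names, where):
    """Shared rule for technique and tactic objects: uid is required and must be
    well formed; name is optional but must agree with the uid when both exist."""
    if not isinstance(ref, dict):
        return [f"{where}: expected an object, got {type(ref).__name__}"]
    uid = ref.get("uid")
    if not isinstance(uid, str) or not pattern.match(uid):
        return [f"{where}: uid missing or malformed: {uid!r}"]
    name = ref.get("name")
    known = names.get(uid)
    if name is not None and known is not None and name != known:
        return [f"{where}: name {name!r} does not match uid {uid} ({known!r})"]
    return []


def check_attack(attack):
    """Validate one attack object: a single technique plus an array of tactics."""
    errors = _check_ref(attack.get("technique"), TECHNIQUE_RE, TECHNIQUE_NAMES, "technique")
    tactics = attack.get("tactics")
    if not isinstance(tactics, list) or not tactics:
        errors.append("tactics: expected a non-empty array of tactic objects")
    else:
        for i, tactic in enumerate(tactics):
            errors += _check_ref(tactic, TACTIC_RE, TACTIC_NAMES, f"tactics[{i}]")
    return errors


def resolve_names(attack):
    """Consumer-side normalisation: the producer only has to send ids, so fill
    in names from the lookup when absent and keep producer-supplied names."""
    out = dict(attack)
    technique = dict(attack.get("technique", {}))
    technique.setdefault("name", TECHNIQUE_NAMES.get(technique.get("uid")))
    out["technique"] = technique
    out["tactics"] = [
        {**t, "name": t.get("name", TACTIC_NAMES.get(t.get("uid")))}
        for t in attack.get("tactics", [])
    ]
    return out


# Constructed sample: what a producer that sends ids only might emit.
SAMPLE_ATTACK = {
    "version": "v14.1",
    "technique": {"uid": "T1059.001"},
    "tactics": [{"uid": "TA0002"}],
}

if __name__ == "__main__":
    print(check_attack(SAMPLE_ATTACK), resolve_names(SAMPLE_ATTACK))
    print(check_enum({"severity_id": 3, "severity": "High"}, "severity"))
```

The name check only fires when the consumer actually knows the uid, so a producer using a newer matrix version than the consumer's tables is not rejected; that keeps different ATT&CK versions coexisting without forcing every consumer to carry every version.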
Yes, per @tankbusta and @awhite456 different versions of the ATT&CK matrix elements can coexist.
Wow, I took a quick look at the github repo and there is a lot to look at across the matrix. For validation, we could compromise and consider the range...
Agreed - pretty common to have confidence as well as severity.