
[RFC] Threat intelligence #986

Merged: 4 commits merged on Oct 15, 2020
Conversation

shimonmodi (Contributor)

@shimonmodi shimonmodi commented Sep 29, 2020

Stage 0 submission for threat intelligence

  • Have you signed the contributor license agreement?
  • Have you followed the contributor guidelines?
  • For proposing substantial changes or additions to the schema, have you reviewed the RFC process?
  • If submitting code/script changes, have you verified all tests pass locally using make test?
  • If submitting schema/fields updates, have you generated new artifacts by running make and committed those changes?
  • Is your pull request against master? Unless there is a good reason otherwise, we prefer pull requests against master and will backport as needed.
  • Have you added an entry to the CHANGELOG.next.md?

Markdown preview of this RFC

Stage 0 submission for threat intelligence
@webmat webmat added the RFC label Sep 30, 2020
@webmat webmat changed the title 0000-threat-intel.md [RFC] Threat intelligence Sep 30, 2020

@ebeahan ebeahan left a comment


Thanks for opening @shimonmodi!

I've added a few minor review comments, but I think overall this looks good to advance to stage 0.

@SHolzhauer

See #1023 for a proposal on how to map IOC fields specifically.

ebeahan (Member) previously approved these changes Oct 15, 2020

@ebeahan ebeahan left a comment


Thanks @shimonmodi for making those changes! I'll assign the RFC # and merge the PR to advance to stage 0.

@ebeahan ebeahan merged commit 20ebe35 into elastic:master Oct 15, 2020
@webmat (Contributor)

webmat commented Oct 16, 2020

Thanks @ebeahan and @shimonmodi 👍

Next step, Shimon, is simply to open a new PR for stage 1. You can start very quickly by just changing "stage 0" to "stage 1" at the top of the doc, open the PR right away with only this change, and mark it as a draft.

Then you can work on the content of the stage 1 doc as time allows and push to that PR over time.

Opening the stage 1 quickly will give us a place to drop any further feedback and ideas on this, in the meantime.

@shimonmodi (Contributor, Author)

@webmat - thanks for the next steps. I just completed them.

@dainperkins (Contributor)

Question on the Excel sheet mappings: is it necessary to nest e.g. file, host, user, process, etc. under threat, or would it make more sense to use the top-level fields in combination with the threat fields to make the overall document naming simpler?

@webmat (Contributor)

webmat commented Oct 20, 2020

@dainperkins Discussion about this should continue on the next stage PR, here: #1037
