mitre-attack / attack-datasources

This content is analysis and research of the data sources currently listed in ATT&CK.

Questions about data format

Morikko opened this issue · comments

I found these new data sources very promising as someone coming from the ATT&CK matrix world looking to reduce the gap between events and CTI.

This is more a design question than an issue:

  1. Why did you choose YAML over JSON, which is widely used in the cti repo?
  2. Why did you not follow the STIX format, to make it more easily connectable to the (sub)techniques in the same cti repo?

@Morikko thanks for reaching out and the feedback! We are very excited for these changes as well.

To address your questions, we have just been using this repo for documentation as we research and develop ideas and concepts. These data sources will have a final home in the cti repo STIX as they are integrated into ATT&CK (for more details on this timeline, check out https://medium.com/mitre-attack/att-ck-2021-roadmap-68bab3886fa2).

That said, definitely feel free to suggest some ideas on how we can make this information more usable in the meantime!

Thank you very much for the answer, it completely answers my question. I have nothing to add now as we are just adding standard (tactics/techniques) ATT&CK to our Threat Intel Platform at EclecticIQ. But data sources might be relevant for future use cases, so we might come back soon.