mitre-attack / car

Cyber Analytics Repository


File actions: timestomp is really just a subset of modify

wesinator opened this issue

Proposed Change

https://car.mitre.org/data_model/file

timestomp is really just a specific type of modify action as described.
"The event corresponding to the modification of a file or its metadata."

How granular is the data model supposed to get with subsets of actions and activity?

IMO it doesn't make sense to have a subset of another action at the same level.
It should be able to be modeled as a graph structure, with specific subset of actions under the main action.

Justification

We've discussed this. While we agree with you in principle, we still feel it's valuable to break out that particular case of modify, as it is a frequent one in cyber analytics.
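As an added illustration (not code from the CAR project) of the graph-structured model proposed in the issue: a small Python action hierarchy in which timestomp is a specialisation of modify, so an analytic that selects modify events automatically receives timestomp events as well. The action names follow the CAR file data model; the tree, the field names and the sample events are constructed for this example.

```python
# Added example: a hierarchical action model in the spirit of the CAR file
# data model (https://car.mitre.org/data_model/file). The tree, field names
# and sample events are constructed for illustration; this is not CAR code.

# Parent -> children. "timestomp" hangs under "modify" as a specialisation
# instead of sitting beside it at the top level.
ACTION_TREE = {
    "file": ["create", "delete", "modify", "read", "write"],
    "modify": ["timestomp"],
}

def parent_of(action):
    """Return the parent action, or None for the root."""
    for parent, children in ACTION_TREE.items():
        if action in children:
            return parent
    return None

def ancestors(action):
    """Chain from the action up to the root, e.g. timestomp -> modify -> file."""
    chain = [action]
    while (p := parent_of(chain[-1])) is not None:
        chain.append(p)
    return chain

def is_a(action, ancestor):
    """True when `action` equals `ancestor` or is a specialisation of it."""
    return ancestor in ancestors(action)

# Constructed sample events using CAR-style field names.
EVENTS = [
    {"action": "create", "file_path": "C:\\Users\\alice\\notes.txt"},
    {"action": "modify", "file_path": "C:\\Users\\alice\\notes.txt"},
    {"action": "timestomp", "file_path": "C:\\Windows\\Temp\\svc.dll",
     "previous_creation_time": "2024-03-01T10:00:00Z",
     "creation_time": "2009-07-14T03:20:00Z"},
]

def select(events, action):
    """An analytic that asks for `action` also receives its sub-actions."""
    return [e for e in events if is_a(e["action"], action)]
```

With this layout an analytic written against `modify` keeps matching timestomp events, while one written against `timestomp` still isolates the specific case the maintainers want to break out.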