File actions: timestomp is really just a subset of modify
wesinator opened this issue
Proposed Change
https://car.mitre.org/data_model/file
timestomp is really just a specific type of modify action as described.
"The event corresponding to the modification of a file or its metadata."
How granular is the data model supposed to get with subsets of actions and activity?
IMO it doesn't make sense to have a subset of another action at the same level.
It should be able to be modeled as a graph structure, with specific subsets of actions under the main action.
Justification
We've discussed this. While we agree with you in principle, we still feel it's valuable to break out that particular case of modify, as it is a frequent one in cyber analytics.