
No Common Property to Identify Kestrel Objects #15

Open
brettforbes opened this issue May 10, 2023 · 1 comment

Comments

@brettforbes (Contributor)

One massive problem with the Kestrel object definitions is that there is no easy way to determine if an object is a Kestrel object or not.

While there are many issues with the Mitre ATT&CK Stix mapping, one small relief is that every object carries the property describing the ATT&CK version. In fact there are a few common properties carried by every ATT&CK object (https://github.com/mitre-attack/attack-stix-data/blob/master/USAGE.md#extensions-of-the-stix-spec).

This means that testing for an ATT&CK object, for special handling, can be accomplished by a single line of code, like:
attack_object = False if not sdo.get("x_mitre_version", False) else True

But how to know if a file or a process object is Kestrel or not? Is there a single test that can determine if an object is Kestrel?

This seems unnecessarily hard. Can you insert a common property on every Kestrel object that can be tested for (e.g. some version number)?

@subbyte (Member)

subbyte commented May 10, 2023

I think we need to first distinguish between objects as I described in #11 (comment).

For Kestrel-related objects, we may want to wrap it into a higher-level object (putting it into an XML/JSON object and adding meta-data to it) if a higher-level program/application wants to use it. For simplicity, Kestrel huntflows on disk are stored with file name suffix .hf as described in the Kestrel doc.
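As an added example (not code from the issue or from the Kestrel project), the snippet below does two things discussed in this thread: it applies the ATT&CK check from the opening post (presence of `x_mitre_version`) to a small constructed list of STIX objects, and it shows the "wrap it in a higher-level object with meta-data" approach the maintainer describes. The property name `x_kestrel_version`, the envelope layout with a `kestrel` key, and the sample object ids are assumptions made for illustration; Kestrel defines none of them.

```python
import json

# Constructed sample objects (not from the page): one ATT&CK technique carrying
# the ATT&CK common property, plus bare file/process SCOs of the kind a hunt
# returns. The ids are made-up placeholders.
SAMPLE_OBJECTS = [
    {
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
        "name": "Example technique",
        "x_mitre_version": "1.0",
    },
    {"type": "file", "id": "file--00000000-0000-4000-8000-000000000002", "name": "a.exe"},
    {"type": "process", "id": "process--00000000-0000-4000-8000-000000000003", "pid": 1234},
]

# Hypothetical marker property; Kestrel does not define it (this is what the issue asks for).
KESTREL_MARKER = "x_kestrel_version"


def is_attack_object(sdo: dict) -> bool:
    """True when the object carries the ATT&CK common property x_mitre_version.

    Same test as the one-liner in the issue, expressed as a bool() coercion:
    a missing key, None or an empty string all count as "not ATT&CK".
    """
    return bool(sdo.get("x_mitre_version"))


def wrap_kestrel_object(obj: dict, huntflow: str, step: str) -> dict:
    """Envelope in the spirit of the maintainer's suggestion: the STIX object is
    kept untouched and Kestrel meta-data sits beside it. The envelope shape
    (a "kestrel" key next to an "object" key) is an assumption made here."""
    return {
        "kestrel": {"huntflow": huntflow, "step": step},
        "object": obj,
    }


def is_kestrel_object(obj: dict) -> bool:
    """True if the object carries the hypothetical marker property or is an
    envelope produced by wrap_kestrel_object. A bare file or process SCO has
    neither, which is exactly the gap the issue points out."""
    return KESTREL_MARKER in obj or "kestrel" in obj


def classify(objects: list) -> list:
    """Label each object 'attack', 'kestrel' or 'unknown', in input order."""
    labels = []
    for o in objects:
        if is_attack_object(o):
            labels.append("attack")
        elif is_kestrel_object(o):
            labels.append("kestrel")
        else:
            labels.append("unknown")
    return labels


if __name__ == "__main__":
    print(classify(SAMPLE_OBJECTS))  # the two SCOs come out as 'unknown'
    envelope = wrap_kestrel_object(SAMPLE_OBJECTS[1], "hunt.hf", "procs")
    print(json.dumps(envelope, indent=2))
    print(classify([envelope]))  # once wrapped, the object is identifiable
```

Run as-is, the bare file and process objects come back as `unknown`, which is the problem described in the opening post; only after wrapping (or after a marker property such as the hypothetical `x_kestrel_version` is added) can a consumer tell them apart with a single test.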
