Isn’t it an issue not having a “payload standard”? AFAIK, OpenDXL came to avoid things like “full mesh, one-to-one, messy security integrations”. But then, imagine this situation where a message publisher is created. All other clients subscribed to the topics will have to know how to “parse” the payload and get important info. And that for each one of the publishers. Otherwise, if we had some sort of spec we wouldn’t have that issue. What do you think?
It would be good to have some “protocol” in order to cover all (or most) situations. Like:
- Use STIX 2.0 if sending IoCs (and all other things STIX can be used for https://oasis-open.github.io/cti-documentation/stix/intro). Already in JSON BTW, which is great.
- Use CEF when transferring event (log) related messages
- Use XYZ for ABC, …
I understand the need for “openness” of the protocol, but maybe it comes with some caveats. Do you guys agree? Or am I not seeing the bigger picture here?
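As an added example (not part of the original post or of the OpenDXL project itself), this shows what the proposed convention buys a subscriber: when every message carries an explicit format tag, one shared dispatcher can consume STIX 2.0 indicator bundles and CEF event lines from any publisher, and reject untagged payloads instead of guessing. The envelope shape (a dict with `format` and `payload` keys), the sample indicator, the log line and the vendor/product names are all constructed for illustration; the two parsers follow the public STIX 2.0 JSON bundle layout and the CEF header/extension syntax.

```python
"""Format-tagged payload dispatcher for a pub/sub bus (constructed example)."""
import json
import re
from dataclasses import dataclass, field


@dataclass
class NormalizedEvent:
    """Common shape every subscriber works with, whatever the wire format was."""
    source_format: str
    kind: str              # "indicator" (from STIX) or "log_event" (from CEF)
    summary: str
    fields: dict = field(default_factory=dict)


# ---- STIX 2.0: a JSON bundle whose "objects" list carries indicators --------
def parse_stix2_bundle(payload: str) -> list:
    bundle = json.loads(payload)
    if bundle.get("type") != "bundle":
        raise ValueError("STIX payload is not a bundle")
    events = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # relationships, sightings etc. are out of scope here
        events.append(NormalizedEvent(
            source_format="stix2", kind="indicator", summary=obj.get("pattern", ""),
            fields={"id": obj.get("id"), "labels": obj.get("labels", []),
                    "pattern": obj.get("pattern"), "valid_from": obj.get("valid_from")}))
    return events


# ---- CEF: seven '|'-separated header fields, then a key=value extension -----
CEF_HEADER = ("version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")
_CEF_ESCAPES = {"|": "|", "\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def _split_cef_header(line: str):
    """Split header fields on unescaped '|' (CEF writes a literal pipe as '\\|')."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < len(CEF_HEADER):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(_CEF_ESCAPES.get(line[i + 1], line[i + 1]))
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < len(CEF_HEADER):
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, line[i:]          # remainder is the extension


def _parse_cef_extension(ext: str) -> dict:
    """Values may contain spaces, so split only on whitespace followed by 'key='."""
    out = {}
    for token in re.split(r"\s+(?=\w+=)", ext.strip()):
        if token:
            key, _, value = token.partition("=")
            out[key] = re.sub(r"\\(.)", lambda m: _CEF_ESCAPES.get(m.group(1), m.group(1)), value)
    return out


def parse_cef(payload: str) -> list:
    header, ext = _split_cef_header(payload)
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = dict(zip(CEF_HEADER, header))
    fields["version"] = fields["version"][len("CEF:"):]
    fields["extension"] = _parse_cef_extension(ext)
    summary = f'{fields["device_vendor"]} {fields["device_product"]}: {fields["name"]}'
    return [NormalizedEvent(source_format="cef", kind="log_event", summary=summary, fields=fields)]


# ---- the shared routine every subscriber can reuse --------------------------
PARSERS = {"stix2": parse_stix2_bundle, "cef": parse_cef}


def dispatch(message: dict) -> list:
    """Route on the declared format; refuse undeclared payloads rather than sniffing."""
    parser = PARSERS.get(message.get("format"))
    if parser is None:
        raise ValueError(f"unsupported payload format: {message.get('format')!r}")
    return parser(message["payload"])


# Constructed sample messages; ids, addresses and vendor names are placeholders.
SAMPLE_STIX_MESSAGE = {
    "topic": "/example/threat/indicators", "format": "stix2",
    "payload": json.dumps({
        "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
        "spec_version": "2.0",
        "objects": [{"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
                     "created": "2018-01-01T00:00:00.000Z", "modified": "2018-01-01T00:00:00.000Z",
                     "labels": ["malicious-activity"],
                     "pattern": "[ipv4-addr:value = '198.51.100.7']",
                     "valid_from": "2018-01-01T00:00:00Z"}]})}

SAMPLE_CEF_MESSAGE = {
    "topic": "/example/events/firewall", "format": "cef",
    "payload": "CEF:0|ExampleVendor|ExampleFW|1.0|100|Outbound connection blocked|5|"
               "src=10.0.0.5 dst=198.51.100.7 dpt=443 msg=Policy rule 42 matched"}

if __name__ == "__main__":
    for msg in (SAMPLE_STIX_MESSAGE, SAMPLE_CEF_MESSAGE):
        for ev in dispatch(msg):
            print(msg["topic"], ev.kind, ev.summary)
```

The point of the `format` tag is that the subscriber never has to recognise a publisher: a new IoC feed that publishes STIX 2.0, or a new sensor that publishes CEF, is consumed by the same code with no per-publisher parsing, and a payload that arrives without a recognised tag is rejected loudly rather than silently misparsed.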