I think the question is more about "If you see this, do something" vs "If you see this doing that, do something", but I don't see why, when established, it could not be extended (be it from new CybOX objects or new entries in a controlled vocabulary). (I found the examples provided potentially valid use cases.)

"The difference between stupidity and genius is that genius has its limits." Albert Einstein

2015-09-24 20:30 GMT+04:00 Trey Darley <trey@soltra.com>:

> How far down the rabbit hole do you want to go? If we extend the notion of
> indicators to try and encapsulate non-technical indicators of human
> misbehavior, where do you stop? Shall we incorporate criminal background
> check data, HR interventions, traffic tickets, and credit scores into CybOX?
> Where do you stop? How is this data going to be actionable at the machine
> level?
>
> Maybe one day we *do* want to go there but first let's nail down what we've
> already got in front of us.
>
> Cheers,
> Trey
> --
> Trey Darley
> Senior Security Engineer
> Soltra An FS-ISAC & DTCC Company
> www.soltra.com
>
> ________________________________
> From: Wynn, Jackson E. <jwynn@mitre.org>
> Sent: Thursday, September 24, 2015 16:08
> To: Kirillov, Ivan A.; Davidson II, Mark S; Trey Darley; cti@lists.oasis-open.org
> Subject: RE: Observable Patterning
>
> Does the focus on technical indicators, and patterns, preclude more abstract
> or generalized indicators, e.g., anomalous network traffic, afterhours
> printing, excessive account lockouts, etc.?