CTI STIX Subcommittee


Proposed Text for 9.5 patterning

Posted 10-07-2019 23:00

Hello SC,

This is my proposed text for 9.5 to deal w/ the confusion between SCO and Observation.

When matching an Observation against an Observation Expression, all Comparison Expressions contained within the Observation Expression MUST start matching against the same SCO in the Observation. That is, when resolving object paths of each Comparison Expression, the <object-type>:<property_name> MUST start from the same SCO. Different SCOs may ultimately be used in matching, but they MUST be referenced from the same, single SCO.

An Observation Expression MAY contain Comparison Expressions with Object Paths that start with different object types, but such Comparison Expressions MUST be joined by OR. The Comparison Expressions of an Observation Expression that use AND MUST use the same base Object Path, e.g. file:.

The last sentence was not changed; the second to last was changed minorly to make things a bit more clear.

--
John-Mark Gurney
Principal Security Architect
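A small checker for the rule in the proposed text, added here as an example (it is not part of the post or of the STIX specification). It assumes observation expressions without parentheses and that AND binds tighter than OR, as in STIX patterns; the sample expressions in the docstrings are constructed.

```python
import re

# "<object-type>:" prefix of an object path, e.g. "file:" in file:hashes.'SHA-256'
_OBJ_TYPE = re.compile(r"^([a-z0-9-]+):")
# Boolean operators between comparison expressions, written in upper case as in STIX
_BOOL_OP = re.compile(r"\s(AND|OR)\s")


def tokenize(body: str) -> list[str]:
    """Split the text inside [...] into comparison expressions and AND/OR operators.
    Single-quoted literals are kept whole, so an AND inside a string stays data."""
    tokens, buf, in_str, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        op = None if in_str else _BOOL_OP.match(body, i)
        if in_str:
            buf += ch
            if ch == "\\":                       # keep the escaped character verbatim
                buf, i = buf + body[i + 1:i + 2], i + 1
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str, buf = True, buf + ch
        elif op:                                 # operator ends the current expression
            tokens += [buf.strip(), op.group(1)]
            buf, i = "", op.end() - 1
        else:
            buf += ch
        i += 1
    return tokens + [buf.strip()]


def check_observation_expression(expr: str) -> list[str]:
    """Return the rule violations in one observation expression such as
    "[file:name = 'a.exe' AND file:size > 10]"; an empty list means it complies."""
    body = expr.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    # AND binds tighter than OR, so each OR-separated run of tokens is one AND group
    violations, group = [], []
    for tok in tokenize(body) + ["OR"]:          # trailing OR flushes the last group
        if tok == "OR":
            types = {m.group(1) for m in map(_OBJ_TYPE.match, group) if m}
            if len(group) > 1 and len(types) > 1:
                violations.append("AND joins object types " + ", ".join(sorted(types)))
            group = []
        elif tok != "AND":
            group.append(tok)
    return violations
```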