[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: What exactly CybOX?
Hello, As there has been discussions on Slack on what is covered by CybOX, we need to make sure we decide what is in scope and what is not. IMO, a CybOX object/instance describe exactly one instances of WHAT happened. It does not contain other information about who, when, why or where. There might be some disagreement on not including where, but I am defining where, as what company/organization observed/created the object. It could be said that where defines the IP/machine of where it happened, but I include that as part of the WHAT, and SHOULD be described as part of the CybOX object. The where does not describe whos machine it was that it happened on. (Though w/ the AS object, there may be some of the where included too.) I have made some minor modifications to the Overview section. Part of the modification removes attack pattern characterization and sharing of indicators of compromise from the list, as both of these should be described in STIX or another standard that uses CybOX, as other users of CybOX may not have a need for these. I am mostly happy w/ the text in the Overview section of the Cybox 3.0 Spec pre-draft document at: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit# But if there are things that would make this more clear, please ask, or best of all, suggest normative text. -- John-Mark
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]