We’ve had the indicator labels vocab topic open for awhile now, I think it’s time to solidify on a list for 2.0 MVP. That means answering the following questions:
Kyle Maxwell suggested adding the VERIS “action enumerations” to the list, from here:
http://veriscommunity.net/enums.html#section-actions. Should we do that? It’s about 25 new items.
Kyle also suggested adding detail to “anonymization” to capture the suspected anonymization technique (proxy, TOR, etc.). Should we do that?
Gary suggested adding attribution to the list to capture information that might not itself be directly suspicious or might be too noisy to block, but is useful for attribution. Should we add that?
My thoughts are:
1, 2: it’s tempting, but at this point I think we should stay very minimalistic with the suggest vocab and add to it over time. Thus, no, I don’t think we should add these…since it’s an open vocab people are
free to expand the list to use these and other more specific ones. As we get to 2.1 and after that we’ll hopefully start to notice on a common set of things we should add, and we can go from there.
3: This seems useful to me, is just one additional value, and is differentiated enough from the others to make it clear when it should be used. So, I think we should add it.
What do you all think? Let’s try to get comments early this week and finish up this topic for Friday. I’m happy to talk on Slack about it as well.