Maturity: Events
There are some fundamental questions about the scope of Events and what they are intended to represent in CybOX: system (software) level events, such as those recorded by operating systems? hardware/appliance generated events? something else? The current EventTypeVocab is correspondingly broad in scope, and has values such as "Packet Traffic", "USB/Media Detection", and "Basic System Ops". Accordingly, the primary distinction between Events and Actions in the current model is that Events are a collection of Actions.
It seems that we need to better define:
- Exactly what Events are intended to capture (and thus their scope)
- Who are the expected producers/consumers of Events
- When to use Events versus Actions
Given the existing relatively abstract nature of the Events model, it's quite likely that there could be additional fields, such as the name of the system user that initiated the Event (as an example).
There are no known implementations or uses of Events.