
Observations don't cover pre-exploit things like recon. #39

@terrymacdonald

Description


Point made by Marko:

I think the current Sightings model covers only the realm after the hack, so the right side of the image, while the part on the left, before the exploit has happened, is not covered at all. An example is that we should not have only Sightings of Observables, as is the case now, but of other things as well, where Identities come into place first and then I guess maybe some other “essential” building blocks.

Example: "I observed actor “badboypanda” asking on forum X about credentials for Y."

This is super valuable CTI that even some Intel Providers distribute as such; a lot of monitoring activity happens outside the network domain per se.
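As an added illustration of the kind of record Marko is asking for, and not code from this issue or from the project itself, the block below models the forum observation as a Sighting whose subject is a Threat Actor rather than an Observable, with the forum and the targeted party expressed as Identities. It assumes STIX 2.1 object types and property names (`sighting_of_ref`, `where_sighted_refs`, `threat_actor_types`, `identity_class`); every id, name and timestamp is constructed. The two checks at the end are the ones a consumer would want before trusting such a record: every reference resolves inside the bundle, and the places a sighting occurred are Identities or Locations.

```python
import uuid

# Constructed example data; all ids, names and timestamps are made up.
OBSERVED_AT = "2016-03-01T12:00:00.000Z"


def stix_id(obj_type: str) -> str:
    """Build a STIX-style identifier of the form '<type>--<uuid4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def sdo(obj_type: str, **props) -> dict:
    """Common header fields shared by every STIX 2.1 domain object."""
    return {
        "type": obj_type,
        "spec_version": "2.1",
        "id": stix_id(obj_type),
        "created": OBSERVED_AT,
        "modified": OBSERVED_AT,
        **props,
    }


def build_forum_sighting() -> dict:
    """Return a bundle describing: actor 'badboypanda' seen on forum X asking
    for credentials for Y. Nothing here is an Observable; the sighting's
    subject is the actor, the venue is an Identity, the target is an Identity."""
    actor = sdo("threat-actor", name="badboypanda", threat_actor_types=["hacker"])
    forum = sdo("identity", name="forum X", identity_class="system")
    victim = sdo("identity", name="Y", identity_class="organization")

    sighting = sdo(
        "sighting",
        sighting_of_ref=actor["id"],          # what was sighted: the actor
        where_sighted_refs=[forum["id"]],     # where: the forum, as an Identity
        first_seen=OBSERVED_AT,
        last_seen=OBSERVED_AT,
        count=1,
        summary=True,
        description="Actor asked on forum X for credentials belonging to Y.",
    )
    # The intent expressed in the post is a pre-exploit targeting relationship.
    targets = sdo(
        "relationship",
        relationship_type="targets",
        source_ref=actor["id"],
        target_ref=victim["id"],
    )
    return {
        "type": "bundle",
        "id": stix_id("bundle"),
        "objects": [actor, forum, victim, sighting, targets],
    }


def collect_refs(obj: dict) -> list:
    """All identifiers referenced by *_ref and *_refs properties of one object."""
    refs = []
    for key, value in obj.items():
        if key.endswith("_ref"):
            refs.append(value)
        elif key.endswith("_refs"):
            refs.extend(value)
    return refs


def dangling_refs(bundle: dict) -> list:
    """References that do not resolve to an object inside the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    return [r for o in bundle["objects"] for r in collect_refs(o) if r not in ids]


def sighting_subject_types(bundle: dict) -> list:
    """Object types that appear as the subject of a Sighting (from the id prefix)."""
    types = {
        o["sighting_of_ref"].split("--")[0]
        for o in bundle["objects"]
        if o["type"] == "sighting"
    }
    return sorted(types)


def bad_sighting_venues(bundle: dict) -> list:
    """where_sighted_refs entries whose type is not identity or location."""
    return [
        ref
        for o in bundle["objects"]
        if o["type"] == "sighting"
        for ref in o.get("where_sighted_refs", [])
        if ref.split("--")[0] not in {"identity", "location"}
    ]


if __name__ == "__main__":
    bundle = build_forum_sighting()
    print("subjects:", sighting_subject_types(bundle))
    print("dangling:", dangling_refs(bundle))
    print("bad venues:", bad_sighting_venues(bundle))
```

Run it as a script to print the sighted object types and the two consistency checks; on the constructed bundle both checks come back empty.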
