Yacine
One suggestion for this feature's syntax would be to use a format similar to the _strace_ and _ltrace_ utilities on Linux. Example: ```yaml - api: CreateThread(lpThreadAttributes=0x0, dwStackSize=, lpStartAddress=, lpParameter=, dwCreationFlags=0x4,...
Regarding the different number of arguments for `RegOpenKeyExW`, it seems like that's how CAPE was programmed to handle that: If we're going to create and maintain a mapping from...
### syntax: As @mr-tz suggested, I think it would be better for the syntax to be similar to that of the [property](https://github.com/mandiant/capa-rules/blob/master/doc/format.md#property) features. This way, there would be more cohesion...
@mr-tz the rule using the `registry` feature should detect all the capabilities extracted by the rule you mentioned, but for the other way around I think the `registry` keyword based...
@williballenthin, initially I was planning on extracting this feature from the summary reports, but extracting it from API reports does seem like it would be nice to have (I think?)....
Initially I was thinking of using the Wireshark-filter/tshark filtering language, since I believe that'd give rule authors great expressiveness; however, I think the syntax for that wouldn't be very capa-esque,...
> does this duplicate the things we can already express with dynamic capa rules? for example, we can imagine `file-write: foo.db` can also be expressed by a dynamic rule like:...
> are there existing vocabularies, such as STIX or OpenIOC, that enumerate all the artifacts that we'd potentially want to include and the relevant fields/properties/enums/etc.? surely we aren't the first...
> we should research what the coverage is like between the summary artifacts and what's referenced in the API trace. I agree. Initially, I believed that something like RegShot was...
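The coverage question raised in the comments above (how much of what the summary section lists is also visible in the API trace, and what an strace-style rendering of the trace would look like) can be checked mechanically against a report. The script below is an added example for this thread, not code from capa, capa-rules or CAPE. It assumes the CAPE report layout `behavior.summary.{files,keys,...}` and `behavior.processes[].calls[].{api,arguments,return}`, and it runs over a small constructed report fragment embedded inline rather than a real sample.

```python
import json
from typing import Any, Dict, Iterator, List, Set, Tuple

# Constructed CAPE-style report fragment (not a real sample). The field names follow the
# layout of CAPE's "behavior" section as assumed here; verify against a real report.json.
REPORT_JSON = r'''
{
  "behavior": {
    "summary": {
      "files": ["C:\\Users\\victim\\foo.db", "C:\\Windows\\Temp\\drop.exe"],
      "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"]
    },
    "processes": [
      {
        "process_name": "sample.exe",
        "calls": [
          {"api": "NtCreateFile", "category": "filesystem", "return": "0x00000000",
           "arguments": [{"name": "FileHandle", "value": "0x000001a4"},
                         {"name": "FileName", "value": "C:\\Users\\victim\\foo.db"},
                         {"name": "DesiredAccess", "value": "0x40100080"}]},
          {"api": "NtWriteFile", "category": "filesystem", "return": "0x00000000",
           "arguments": [{"name": "FileHandle", "value": "0x000001a4"},
                         {"name": "Buffer", "value": "SQLite format 3"},
                         {"name": "Length", "value": "4096"}]},
          {"api": "RegOpenKeyExW", "category": "registry", "return": "0x00000000",
           "arguments": [{"name": "Handle", "value": "0x80000001"},
                         {"name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}]},
          {"api": "CreateThread", "category": "threading", "return": "0x000001b0",
           "arguments": [{"name": "lpThreadAttributes", "value": "0x0"},
                         {"name": "dwStackSize", "value": "0"},
                         {"name": "lpStartAddress", "value": "0x00401000"},
                         {"name": "lpParameter", "value": "0x0"},
                         {"name": "dwCreationFlags", "value": "0x4"}]}
        ]
      }
    ]
  }
}
'''


def load_report() -> Dict[str, Any]:
    """Parse the constructed fragment; a real run would json.load() CAPE's report.json."""
    return json.loads(REPORT_JSON)


def iter_calls(report: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (process_name, call) for every API call in every traced process."""
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            yield proc.get("process_name", "?"), call


def format_call(call: Dict[str, Any]) -> str:
    """Render one call as `api(name=value, ...) = return`, strace/ltrace style.
    Arguments are kept in the order CAPE recorded them, so arity differences such as the
    two-argument RegOpenKeyExW in the constructed data stay visible instead of being hidden."""
    args = ", ".join(f"{a['name']}={a['value']}" for a in call.get("arguments", []))
    ret = call.get("return")
    return f"{call['api']}({args})" + (f" = {ret}" if ret is not None else "")


def trace_lines(report: Dict[str, Any]) -> List[str]:
    return [format_call(call) for _, call in iter_calls(report)]


def argument_values(report: Dict[str, Any]) -> Set[str]:
    """All argument values seen in the trace, lower-cased for Windows path/key comparison."""
    return {str(a.get("value", "")).lower()
            for _, call in iter_calls(report)
            for a in call.get("arguments", [])}


def summary_coverage(report: Dict[str, Any]) -> Dict[str, Dict[str, List[str]]]:
    """For each summary category (files, keys, ...), split its artifacts into those that
    also occur verbatim as an API-call argument and those that are summary-only.
    Exact match only: a real comparison would also normalise prefixes like \\??\\ and
    device paths, which is exactly the kind of gap this check is meant to surface."""
    seen = argument_values(report)
    result: Dict[str, Dict[str, List[str]]] = {}
    for category, items in report.get("behavior", {}).get("summary", {}).items():
        result[category] = {
            "covered": [i for i in items if i.lower() in seen],
            "missing": [i for i in items if i.lower() not in seen],
        }
    return result


if __name__ == "__main__":
    rep = load_report()
    for line in trace_lines(rep):
        print(line)
    for cat, res in summary_coverage(rep).items():
        print(f"{cat}: {len(res['covered'])} also in trace, summary-only: {res['missing']}")
```

In the constructed data `foo.db` and the `Run` key are reachable from the API trace, while `drop.exe` exists only in the summary, which is the situation where a summary-derived feature would fire but an `api:`-based dynamic rule would not.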
I like the idea overall. Do you have an idea of how to integrate these vocabulary-based artifacts into capa? Can we do so via rules? Because if so, then maybe...