Subject: Re: [cti-interoperability] Questions for tomorrows call
Bret -> “I’m sure I agree” -> “I’m not sure I agree” -☺

Allan Thomson
CTO (+1-408-331-6646)

From: Interoperability Subcommittee <cti-interoperability@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>

Bret – I’m sure I agree that we can’t test this.

The test focuses on non-filtered data, i.e. getting all data in a collection regardless of time. This is a valid test. I agree a test that tests time filtering is important but that was considered a future enhanced test beyond basic testing we did in the current specs.

We used the test case examples for the plugfest with at least 1 TAXII server and it worked fine. But my slides that I sent were clear that it’s still an issue on what is real use cases vs what is being used for a test is not the same.

I see option 1) below as an orthogonal test to the issue at hand with identity.

I disagree with Option 2) for previously stated reasons.

Option 3) requires a change to the spec and although I might agree with the suggestion I’m not sure that is something we need to fix immediately to resolve the issue on how identity is used by systems.

Sorry that you won’t make the call as I think this topic does require higher bandwidth conversation than email provides.

Allan Thomson
CTO (+1-408-331-6646)

From: Interoperability Subcommittee <cti-interoperability@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>

The problem we have with the tests as written is there is no way in TAXII to actually do this, other than asking for content by 'added_after' filter parameter. But a test like this, that uses added_after, could contain any data, not just Identity.

My proposal:

1) We build a test that takes in 2 different bundles of data at a defined time such as now() and the test is that if you ask the TAXII server for content now()-1 that you get all of the data from both bundles.

   Bundle 1 = indicator1, indicator2, relationship_from_1-2
   Bundle 2 = sighting_of_indicator1, identity_for_these_objects

   POST Bundle 1 -> /api1/collections/<collection id>/objects/
   POST Bundle 2 -> /api1/collections/<collection id>/objects/
   GET /api1/collections/<collection id>/objects/?added_after=[now()-1]

   Success: Bundle with Indicator1, Indicator2, Relationship1, Sighting1, Identity1
   Failure: Not getting all of the records in a single bundle

2) We remove Identity from all tests as they are currently defined.

3) We add the ability in TAXII to auto dereference content so that you can say, give me this Indicator and auto dereference the created_by_ref and give me the Identity as well. The current tests would be very valid, once we have this feature. The trick will be just returning the Identity ONCE and not each time it is found in an indicator.

Bret
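
The test in proposal 1), sketched as an added example that is not part of the thread or of any TAXII implementation: an in-memory stand-in for one collection answers the added_after query, and a checker applies the success/failure rule. FakeCollection, check_response, run_test, the object IDs and the clock value are all constructed for illustration, and "now()-1" is assumed to mean one second earlier.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2017, 1, 1, tzinfo=timezone.utc)  # constructed clock value

def sid(kind, n):
    # Constructed placeholder IDs in STIX "type--UUID" form.
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"

IDENTITY = sid("identity", 1)
# Constructed bundles; objects carry only the properties this test needs.
BUNDLE_1 = {"type": "bundle", "objects": [
    {"type": "indicator", "id": sid("indicator", 1), "created_by_ref": IDENTITY},
    {"type": "indicator", "id": sid("indicator", 2), "created_by_ref": IDENTITY},
    {"type": "relationship", "id": sid("relationship", 1),
     "source_ref": sid("indicator", 1), "target_ref": sid("indicator", 2)},
]}
BUNDLE_2 = {"type": "bundle", "objects": [
    {"type": "sighting", "id": sid("sighting", 1),
     "sighting_of_ref": sid("indicator", 1)},
    {"type": "identity", "id": IDENTITY},
]}

class FakeCollection:
    """Hypothetical in-memory stand-in for one TAXII collection."""
    def __init__(self):
        self._rows = []  # (time the server stored the object, object)

    def post_bundle(self, bundle, now):
        self._rows += [(now, obj) for obj in bundle["objects"]]

    def get_objects(self, added_after=None):
        # added_after filters on arrival time, whatever the object type.
        objs = [o for added, o in self._rows
                if added_after is None or added > added_after]
        return {"type": "bundle", "objects": objs}

def check_response(response, expected_ids):
    """Return (missing, duplicated); the test succeeds when both are empty."""
    got = [o["id"] for o in response["objects"]]
    missing = sorted(set(expected_ids) - set(got))
    duplicated = sorted({i for i in got if got.count(i) > 1})
    return missing, duplicated

def run_test(now):
    col = FakeCollection()
    col.post_bundle(BUNDLE_1, now)
    col.post_bundle(BUNDLE_2, now)
    expected = [o["id"] for b in (BUNDLE_1, BUNDLE_2) for o in b["objects"]]
    # "now()-1" is taken to mean one second earlier (assumption).
    response = col.get_objects(added_after=now - timedelta(seconds=1))
    return check_response(response, expected)
```

The duplicated list is the check that would matter for proposal 3): a dereferencing server passes only if the Identity appears once in the response.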