Subject: RE: Re: [cti-users] TAXII Collections [SEC=UNCLASSIFIED]
UNCLASSIFIED

Hey Josh,

We use a Collection per feed. We have many people polling the same collection (including a “test-data” collection so people are not using more sensitive stuff when hooking up/testing).

Would be interesting to be able to give people access to a subset of a collection based on a criterion – say TLP. Some could see all, while others might only get say WHITE and GREEN (no AMBER).

Cheers,
Scotty

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Terry MacDonald

Hi Josh,

From my understanding, most people use Collections per feed. In general most threat feeds I've seen send out the same data available to everyone who is allowed to poll that collection.

With your data, does each customer get their own personalized feed of threat intel? Or do groups of customers get the same intel (e.g. some are in one group, and others in another)? If it's the former then you pretty much need a feed per customer. If it's the latter, then you can do a feed per group, and use internal access control policies or TAXII Query features to restrict the data that each individual customer receives (see section 5.2.2.1 in the TAXII Services Specification 1.1).

The best place to identify the differences between the Data Set and Data Feed concepts is in the TAXII Services Specification 1.1, section 5.2 (Data Collections and Content): https://taxiiproject.github.io/releases/1.1/TAXII_Services_Specification.pdf.

Data Feeds are considered to be ordered and immutable. I think of Data Feeds as logs. They effectively act as a record of what has happened at that time in the Collection, and that 'record of fact' cannot be altered. You can of course issue a new updated version of STIX data, but it will be a new updated version of the STIX data with a new timestamp. Anyone querying the Data Feed and requesting a time period covering the initial issue of STIX Object A and the subsequently updated STIX Object A would see two copies of it.

Data Sets are effectively a snapshot of what it is like right now. I think of Data Sets as database 'views'. They are a snapshot of the data in that collection right at that time. The next time the client polls, the complete data set may be the same, or it may be completely different. IMHO it's like a box of chocolates...

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com
On 23 October 2015 at 01:54, Josh Larkins <jlarkins@malcovery.com> wrote:

I’m wondering if anyone could shed some light on how they map Collections in TAXII to the data they produce. In implementation discussions with our developer, it makes logical sense to us to align a TAXII Collection with an individual feed we might provide to a customer, thus n customers results in n Collections.

Does that seem like a correct approach, assuming here that individual customers might have different permissions surrounding what data they’re allowed to receive?

Similar to the above question, we’re planning to use the Data Feed type, rather than a Data Set. Since it seems that some type of order would be needed to reliably retrieve data from a Poll Service, what is the use case for a Data Set type collection? The only thing I could come up with is canned, proof-of-concept type data for use in something like a POC.

Josh Larkins
Sr Threat Intel Analyst
PhishMe
Office: 703-350-4321
Web: www.phishme.com
Twitter: @phishme
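The two points made in this thread, Terry's Data Feed (ordered, immutable log that returns both versions of an updated object) versus Data Set (snapshot view of the latest state), and Scotty's idea of giving each consumer only the part of a collection at or below a TLP ceiling, as a small model in Python. This is an added illustration, not code from TAXII, SOLTRA or anyone on the thread; the TLP ordering, the `ts()` helper, the sample content blocks and the use of a TLP ceiling as the "internal access control policy" are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed ordering of TLP markings for the per-consumer ceiling (example only).
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


def ts(hour):
    """Timestamp helper for the constructed sample (23 Oct 2015, UTC)."""
    return datetime(2015, 10, 23, hour, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ContentBlock:
    stix_id: str         # id of the STIX object the block carries
    timestamp: datetime  # when the block entered the collection
    tlp: str             # TLP marking of the content
    body: str


class DataFeed:
    """Ordered, immutable log: blocks are only ever appended, never replaced."""

    def __init__(self):
        self._log = []

    def publish(self, block):
        # A feed is ordered, so a block may not be timestamped before the last one.
        if self._log and block.timestamp < self._log[-1].timestamp:
            raise ValueError("feed is ordered: timestamps must not go backwards")
        self._log.append(block)

    def poll(self, begin, end, max_tlp="RED"):
        """Time-range poll: every version published in the window comes back,
        restricted to blocks at or below the consumer's TLP ceiling."""
        return [b for b in self._log
                if begin <= b.timestamp <= end
                and TLP_RANK[b.tlp] <= TLP_RANK[max_tlp]]

    def data_set_view(self, max_tlp="RED"):
        """Snapshot 'view': only the newest version of each object, the way a
        Data Set shows what the collection looks like right now."""
        latest = {}
        for b in self._log:
            if TLP_RANK[b.tlp] <= TLP_RANK[max_tlp]:
                latest[b.stix_id] = b  # later appends replace earlier versions
        return list(latest.values())


def build_sample_feed():
    # Constructed sample: Object A is issued, then revised; Object B is AMBER.
    feed = DataFeed()
    feed.publish(ContentBlock("object-A", ts(1), "GREEN", "indicator, first issue"))
    feed.publish(ContentBlock("object-B", ts(2), "AMBER", "campaign"))
    feed.publish(ContentBlock("object-A", ts(3), "GREEN", "indicator, revised"))
    return feed
```

Polling the full window returns both copies of Object A, a GREEN-ceiling consumer never sees Object B, and the snapshot view carries only the revised Object A.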