Hi all,
I propose the addition of the following things for TAXII 2.2:
1. Mandatory "date added" information in the collections root resource query response.
Querying a collection's root resource directly like below should include "date added first" and "date added last" information, either as a json field in the response (like with a manifest response), or as HTTP extension headers (like every response that returns records). Ideally both, like with manifest queries.
$ curl -sg -u 'admin:Password0' -H 'Accept: application/taxii+json;version=2.1' 'http://192.168.5.100:5000/trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/'|jq .
{
 "can_read": true,
 "can_write": true,
 "description": "This data collection is for collecting high value IOCs",
 "id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116",
 "media_types": [
  "application/stix+json;version=2.0",
  "application/stix+json;version=2.1"
 ],
 "title": "High Value Indicator Collection"
}
{
 "can_read": true,
 "can_write": true,
 "description": "This data collection is for collecting high value IOCs",
 "id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116",
 "media_types": [
  "application/stix+json;version=2.0",
  "application/stix+json;version=2.1"
 ],
 "title": "High Value Indicator Collection"
}
For clarity I am suggesting adding the following to the above:
{
 "date_added_first": "2020-01-01T00:00:00Z",
 "date_added_last": "2023-06-13T00:00:00Z"
 "date_added_first": "2020-01-01T00:00:00Z",
 "date_added_last": "2023-06-13T00:00:00Z"
}
Or as HTTP extension headers (but ideally both):
X-TAXII-Date-Added-First:Â2020-01-01T00:00:00Z
X-TAXII-Date-Added-Last:Â2023-06-13T00:00:00Z
X-TAXII-Date-Added-Last:Â2023-06-13T00:00:00Z
My primary use case for this is to make it easy to identify the most recent object in a collection. Since collection responses MUST be sorted by date added ascending, it can be difficult to determine when the last object was added to a collection without paginating through the entire set of responses, or filtering on date added progressively backwards in time until you receive a response.
Obviously, this only really requires "date added last" but for completeness sake "date added first" would be trivial to add at the same time and probably also be useful.
2. Optional query parameter to specify object and manifest sort order.
While #1 would indeed be nice, it still does not make it easy to traverse a collection backwards. It would often be useful to browse a collection by recency without having to figure anything out. Being able to specify the sort order would make this easy.
This means that the current language in 2.1 would need changing:
For Object and Manifest Endpoints, objects returned MUST be sorted in ascending order by the date it was added. Meaning, the most recently added object is last in the list.
I think if a sort query parameter is not given, date added ascending MUST still be the default behaviour, so something to reflect this would be needed.
Here is a contemporary discussion where both of these suggestions would be useful (I am UFOSmuggler) :ÂÂhttps://github.com/MISP/MISP/issues/8832#issuecomment-1584240182
Thanks for your consideration, I look forward to hearing your thoughts.
Have a good one!
David ZieleznaÂ|ÂPrincipal Security Consultant